Apple Mac OS X Server Administrator’s Guide (Mac_OS_X_Server_v10.2.pdf)


Download the PDF: http://images.apple.com/jp/server/pdfs/Mac_OS_X_Server_v10.2.pdf



Mac OS X Server Administrator’s Guide 034-9285.S4AdminPDF 6/27/02 2:07 PM Page 1K Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. RealAudio is a trademark of Progressive Networks, Inc. © 1995–2001 The Apache Group. All rights reserved. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 
062-9285/7-26-023 Contents Preface How to Use This Guide 39 What’s Included in This Guide 39 Using This Guide 40 Setting Up Mac OS X Server for the First Time 41 Getting Help for Everyday Management Tasks 41 Getting Additional Information 41 1 Administering Your Server 43 Highlighting Key Features 43 Ease of Setup and Administration 43 Networking and Security 44 File and Printer Sharing 44 Open Directory Services 45 Comprehensive Management of Macintosh Workgroups 45 High Availability 46 Extensive Internet and Web Services 46 Highlighting Individual Services 46 Directory Services 47 Open Directory 47 Password Validation 47 Search Policies 48 File Services 48 Sharing 48 Apple File Service 49 Windows Services 49 LL9285.Book Page 3 Tuesday, June 25, 2002 3:59 PM4 Contents Network File System (NFS) Service 49 File Transfer Protocol (FTP) 50 Print Service 50 Web Service 51 Mail Service 51 Macintosh Workgroup Management 52 Client Management 52 NetBoot 52 Network Install 53 Network Services 53 DHCP 54 DNS 54 IP Firewall 54 SLP DA 54 QuickTime Streaming Service 55 Highlighting Server Applications 56 Administering a Server From Different Computers 58 Server Assistant 58 Open Directory Assistant 58 Directory Access 59 Workgroup Manager 59 Opening and Authenticating in Workgroup Manager 59 Major Workgroup Manager Tasks 60 Server Settings 60 Server Status 61 Macintosh Manager 62 NetBoot Administration Tools 62 Network Install Administration Application 62 Server Monitor 62 Streaming Server Admin 63 Where to Find More Information 64 If You’re New to Server and Network Management 64 If You’re an Experienced Server Administrator 64 LL9285.Book Page 4 Tuesday, June 25, 2002 3:59 PMContents 5 2Directory Services 65 Storage for Data Needed by Mac OS X 66 A Historical Perspective 67 Data Consolidation 68 Data Distribution 69 Uses of Directory Data 70 Inside a Directory Domain 71 Discovery of Network Services 72 Directory Domain Protocols 73 Local and Shared Directory Domains 74 Local 
Data 74 Shared Data 75 Shared Data in Existing Directory Domains 78 Directory Domain Hierarchies 78 Two-Level Hierarchies 79 More Complex Hierarchies 81 Search Policies for Directory Domain Hierarchies 82 The Automatic Search Policy 83 Custom Search Policies 84 Directory Domain Planning 85 General Planning Guidelines 85 Controlling Data Accessibility 86 Simplifying Changes to Data in Directory Domains 86 Identifying Computers for Hosting Shared Domains 87 Open Directory Password Server 87 Authentication With a Password Server 88 Network Authentication Protocols 88 Password Server Database 88 Password Server Security 89 Overview of Directory Services Tools 89 Setup Overview 90 Before You Begin 91 Setting Up an Open Directory Domain and Password Server 92 Deleting a Shared Open Directory Domain 93 LL9285.Book Page 5 Tuesday, June 25, 2002 3:59 PM6 Contents Configuring Open Directory Service Protocols 93 Setting Up Search Policies 94 Using the Automatic Search Policy 95 Defining a Custom Search Policy 95 Using a Local Directory Search Policy 96 Changing Basic LDAPv3 Settings 97 Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers 97 Showing or Hiding Available LDAPv3 Configurations 97 Configuring Access to Existing LDAPv3 Servers 98 Creating an LDAPv3 Configuration 98 Editing an LDAPv3 Configuration 99 Duplicating an LDAPv3 Configuration 99 Deleting an LDAPv3 Configuration 100 Changing an LDAPv3 Configuration’s Connection Settings 100 Configuring LDAPv3 Search Bases and Mappings 101 Populating LDAPv3 Domains With Data for Mac OS X 103 Using an Active Directory Server 104 Creating an Active Directory Server Configuration 104 Setting Up an Active Directory Server 105 Populating Active Directory Domains With Data for Mac OS X 105 Accessing an Existing LDAPv2 Directory 106 Setting Up an LDAPv2 Server 106 Creating an LDAPv2 Server Configuration 106 Changing LDAPv2 Server Access Settings 107 Editing LDAPv2 Search Bases and Data Mappings 108 Using NetInfo Domains 110 
Creating a Shared NetInfo Domain 110 Configuring NetInfo Binding 111 Adding a Machine Record to a Parent NetInfo Domain 113 Configuring Static Ports for Shared NetInfo Domains 113 Viewing and Changing NetInfo Data 114 Using UNIX Utilities for NetInfo 114 Using Berkeley Software Distribution (BSD) Configuration Files 115 Mapping BSD Configuration Files 115 LL9285.Book Page 6 Tuesday, June 25, 2002 3:59 PMContents 7 Setting Up Data in BSD Configuration Files 118 Configuring Directory Access on a Remote Computer 118 Monitoring Directory Services 119 Backing Up and Restoring Directory Services Files 119 3 Users and Groups 121 How User Accounts Are Used 122 Authentication 122 Password Validation 123 Information Access Control 124 Directory and File Owner Access 125 Directory and File Access by Other Users 125 Administration Privileges 125 Server Administration 125 Local Mac OS X Computer Administration 126 Directory Domain Administration 126 Home Directories 126 Mail Settings 127 Resource Usage 127 User Preferences 127 How Group Accounts Are Used 127 Information Access Control 127 Group Directories 128 Workgroups 128 Computer Access 128 Kinds of Users and Groups 128 Users and Managed Users 128 Groups, Primary Groups, and Workgroups 129 Administrators 129 Guest Users 129 Predefined Accounts 130 Setup Overview 132 Before You Begin 135 Administering User Accounts 137 Where User Accounts Are Stored 137 LL9285.Book Page 7 Tuesday, June 25, 2002 3:59 PM8 Contents Creating User Accounts in Directory Domains on Mac OS X Server 137 Creating Read-Write LDAPv3 User Accounts 138 Changing User Accounts 138 Working With Read-Only User Accounts 139 Working With Basic Settings for Users 139 Defining User Names 139 Defining Short Names 140 Choosing Stable Short Names 141 Avoiding Duplicate Names 141 Avoiding Duplicate Short Names 143 Defining User IDs 144 Defining Passwords 145 Assigning Administrator Rights for a Server 145 Assigning Administrator Rights for a Directory Domain 145 
Working With Advanced Settings for Users 146 Defining Login Settings 146 Defining a Password Validation Strategy 147 Editing Comments 147 Working With Group Settings for Users 147 Defining a User’s Primary Group 148 Adding a User to Groups 148 Removing a User From a Group 149 Reviewing a User’s Group Memberships 149 Working With Home Settings for Users 149 Working With Mail Settings for Users 150 Disabling a User’s Mail Service 150 Enabling Mail Service Account Options 150 Forwarding a User’s Mail 151 Working With Print Settings for Users 151 Disabling a User’s Access to Print Queues Enforcing Quotas 152 Enabling a User’s Access to Print Queues Enforcing Quotas 152 Deleting a User’s Print Quota for a Specific Queue 153 Restarting a User’s Print Quota 153 Working With Managed Users 154 LL9285.Book Page 8 Tuesday, June 25, 2002 3:59 PMContents 9 Defining a Guest User 154 Deleting a User Account 154 Disabling a User Account 155 Administering Home Directories 155 Distributing Home Directories Across Multiple Servers 156 Setting Up Home Directories for Users Defined in Existing Directory Servers 157 Choosing a Protocol for Home Directories 160 Setting Up AFP Home Directory Share Points 160 Setting Up NFS Home Directory Share Points 160 Creating Home Directory Folders 161 Defining a User’s Home Directory 161 Defining No Home Directory 162 Defining a Home Directory for Local Users 162 Defining a Network Home Directory 163 Defining an Advanced Home Directory 163 Setting Disk Quotas 164 Defining Default Home Directories for New Users 165 Using Import Files to Create AFP Home Directories 165 Moving Home Directories 165 Deleting Home Directories 165 Administering Group Accounts 165 Where Group Accounts Are Stored 165 Creating Group Accounts in a Directory Domain on Mac OS X Server 165 Creating Read-Write LDAPv3 Group Accounts 166 Changing Group Accounts 167 Working With Read-Only Group Accounts 167 Working With Member Settings for Groups 167 Adding Users to a Group 168 
Removing Users From a Group 168 Naming a Group 169 Defining a Group ID 170 Working With Volume Settings for Groups 170 Creating Group Directories 171 Automatically Creating Group Directories 171 LL9285.Book Page 9 Tuesday, June 25, 2002 3:59 PM10 Contents Customizing Group Directory Settings 172 Working With Group and Computer Preferences 173 Deleting a Group Account 173 Finding User and Group Accounts 173 Listing Users and Groups in the Local Directory Domain 174 Listing Users and Groups in Search Path Directory Domains 174 Listing Users and Groups in Available Directory Domains 174 Refreshing User and Group Lists 175 Finding Specific Users and Groups in a List 175 Sorting User and Group Lists 175 Shortcuts for Working With Users and Groups 176 Editing Multiple Users Simultaneously 176 Using Presets 176 Creating a Preset for User Accounts 176 Creating a Preset for Group Accounts 177 Using Presets to Create New Accounts 177 Renaming Presets 178 Deleting a Preset 178 Changing Presets 178 Importing and Exporting User and Group Information 178 Understanding What You Can Import 179 Using Workgroup Manager to Import Users and Groups 179 Using Workgroup Manager to Export Users and Groups 181 Using dsimportexport to Import Users and Groups 181 Using dsimportexport to Export Users and Groups 184 Using XML Files Created With Mac OS X Server 10.1 or Earlier 186 Using XML Files Created With AppleShare IP 6.3 186 Using Character-Delimited Files 187 Writing a Record Description 188 Using the StandardUserRecord Shorthand 189 Using the StandardGroupRecord Shorthand 189 Understanding Password Validation 189 Contrasting Password Validation Options 191 The Authentication Authority Attribute 192 LL9285.Book Page 10 Tuesday, June 25, 2002 3:59 PMContents 11 Choosing a Password 192 Migrating Passwords 193 Setting Up Password Validation Options 193 Storing Passwords in User Accounts 193 Enabling Basic Password Validation for a User 193 The Problem With Readable Passwords 194 Using a 
Password Server 195 Setting Up a Password Server 196 Enabling the Use of a Password Server for a User 196 Exporting Users With Password Server Passwords 197 Making a Password Server More Secure 197 Monitoring a Password Server 197 Using Kerberos 197 Understanding Kerberos 198 Integrating Mac OS X With a Kerberos Server 199 Enabling Kerberos Authentication for Mail 200 Enabling Kerberos Authentication for AFP 200 Enabling Kerberos Authentication for FTP 200 Enabling Kerberos Authentication for Login Window 200 Enabling Kerberos Authentication for Telnet 201 Solving Problems With Kerberos 201 Using LDAP Bind Authentication 201 Backing Up and Restoring Files 201 Backing Up a Password Server 201 Backing Up Root and Administrator User Accounts 202 Supporting Client Computers 202 Validating Windows User Passwords 202 Setting Up Search Policies on Mac OS X Client Computers 202 Solving Problems 202 You Can’t Modify an Account Using Workgroup Manager 202 A Password Server User’s Password Can’t Be Modified 203 Users Can’t Log In or Authenticate 203 You Can’t Assign Server Administrator Privileges 204 Users Can’t Access Their Home Directories 204 LL9285.Book Page 11 Tuesday, June 25, 2002 3:59 PM12 Contents Mac OS X User in Shared NetInfo Domain Can’t Log In 204 Kerberos Users Can’t Authenticate 204 4 Sharing 205 Privileges 205 Explicit Privileges 206 User Categories 206 Privileges Hierarchy 207 Client Users and Privileges 207 Privileges in the Mac OS X Environment 207 Network Globe Contents 207 Share Points in the Network Globe 208 Static Versus Dynamic Linking 208 Adding System Resources to the Network Library Folder 208 Setup Overview 208 Before You Begin 209 Organize Your Shared Information 210 Windows Users 210 Security Issues 210 Restricting Access by Unregistered Users (Guests) 210 Setting Up Sharing 211 Creating Share Points and Setting Privileges 211 Configuring Apple File Protocol (AFP) Share Points 212 Configuring Server Message Block (SMB) Share Points 212 
Configuring File Transfer Protocol (FTP) Share Points 213 Sharing (Exporting) Items Using Network File System (NFS) 213 Automounting Share Points 214 Resharing NFS Mounts as AFP Share Points 215 Managing Sharing 215 Turning Sharing Off 216 Removing a Share Point 216 Browsing Server Disks 216 Viewing Share Points 216 Copying Privileges to Enclosed Items 217 Viewing Share Point Settings 217 LL9285.Book Page 12 Tuesday, June 25, 2002 3:59 PMContents 13 Changing Share Point Owner and Privilege Settings 217 Changing the Protocols for a Share Point 218 Deleting an NFS Client from a Share Point 218 Creating a Drop Box 218 Supporting Client Computers 219 Solving Problems 219 Users Can’t Access a CD-ROM Disc 219 Users Can’t Find a Shared Item 219 Users Can’t See the Contents of a Share Point 219 5 File Services 221 Before You Begin 221 Security Issues 222 Allowing Access to Registered Users Only 222 Client Computer Requirements 223 Setup Overview 223 Apple File Service 224 Automatic Reconnect 224 Find By Content 224 Kerberos Authentication 224 Apple File Service Specifications 224 Before You Set Up Apple File Service 225 Setting Up Apple File Service 225 Configuring Apple File Service General Settings 225 Configuring Apple File Service Access Settings 226 Configuring Apple File Service Logging Settings 227 Configuring Apple File Service Idle Users Settings 228 Starting Apple File Service 229 Managing Apple File Service 229 Viewing Apple File Service Status 229 Viewing Apple File Service Logs 230 Stopping Apple File Service 230 Starting Up Apple File Service Automatically 231 Changing the Apple File Server Name 231 Registering With Network Service Locator 231 LL9285.Book Page 13 Tuesday, June 25, 2002 3:59 PM14 Contents Enabling AppleTalk Browsing for Apple File Service 232 Setting Maximum Connections for Apple File Service 232 Turning On Access Logs for Apple File Service 232 Archiving Apple File Service Logs 233 Disconnecting a User From the Apple File Server 233 
Disconnecting Idle Users From the Apple File Server 234 Allowing Guest Access to the Apple File Server 234 Creating a Login Greeting for Apple File Service 234 Sending a Message to an Apple File Service User 235 Windows Services 235 Windows Services Specifications 236 Before You Set Up Windows Services 236 Ensuring the Best Cross-Platform Experience 236 Windows User Password Validation 236 Setting Up Windows Services 237 Configuring Windows Services General Settings 237 Configuring Windows Services Access Settings 238 Configuring Windows Services Logging Settings 239 Configuring Windows Services Neighborhood Settings 239 Starting Windows Services 240 Managing Windows Services 240 Stopping Windows Services 240 Setting Automatic Startup for Windows Services 240 Changing the Windows Server Name 241 Finding the Server’s Workgroup Name 241 Checking Windows Services Status 241 Registering with a WINS Server 242 Enabling Domain Browsing for Windows Services 242 Setting Maximum Connections for Windows Services 242 Setting Up the Windows Services Log 243 Disconnecting a User From the Windows Server 243 Allowing Guest Access in Windows Services 243 Assigning the Windows Server to a Workgroup 244 File Transfer Protocol (FTP) Service 244 LL9285.Book Page 14 Tuesday, June 25, 2002 3:59 PMContents 15 Secure FTP Environment 244 User Environments 245 On-the-Fly File Conversion 247 Custom FTP Root 248 Kerberos Authentication 248 Before You Set Up FTP Service 248 Restrictions on Anonymous FTP Users (Guests) 249 Setup Overview 249 Setting Up File Transfer Protocol (FTP) Service 250 Configuring FTP General Settings 250 Configuring FTP Access Settings 251 Configuring FTP Logging Settings 251 Configuring FTP Advanced Settings 252 Starting FTP Service 252 Managing File Transfer Protocol (FTP) Service 252 Stopping FTP Service 252 Setting Up Anonymous FTP Service 253 Creating an Uploads Folder for Anonymous Users 253 Specifying a Custom FTP Root 253 Specifying the FTP Authentication Method 
254 Configuring the FTP User Environment 254 Viewing FTP Logs 254 Displaying Banner and Welcome Messages to Users 255 Displaying Messages Using message.txt files 255 Using README Message 255 Network File System (NFS) Service 256 Before You Set Up NFS Service 256 Security Implications 256 Setup Overview 256 Setting Up NFS Service 257 Configuring NFS Settings 257 Managing NFS Service 258 Stopping NFS Service 258 Viewing NFS Service Status 258 LL9285.Book Page 15 Tuesday, June 25, 2002 3:59 PM16 Contents Viewing Current NFS Exports 258 Supporting Client Computers 259 Supporting Mac OS X Clients 259 Connecting to the Apple File Server in Mac OS X 259 Setting Up a Mac OS X Client to Mount a Share Point Automatically 260 Changing the Priority of Network Connections 260 Supporting Mac OS 8 and Mac OS 9 Clients 260 Connecting to the Apple File Server in Mac OS 8 or Mac OS 9 261 Setting up a Mac OS 8 or Mac OS 9 Client to Mount a Share Point Automatically 261 Supporting Windows Clients 261 TCP/IP 262 Using the Network Neighborhood to Connect to the Windows Server 262 Connecting to the Windows Server Without the Network Neighborhood 262 Supporting NFS Clients 262 Solving Problems With File Services 263 Solving Problems With Apple File Service 263 User Can’t Find the Apple File Server 263 User Can’t Connect to the Apple File Server 263 User Doesn’t See Login Greeting 263 Solving Problems With Windows Services 263 User Can’t See the Windows Server in the Network Neighborhood 263 User Can’t Log in to the Windows Server 264 Solving Problems With File Transfer Protocol (FTP) 264 FTP Connections Are Refused 264 Clients Can’t Connect to the FTP Server 265 Anonymous FTP Users Can’t Connect 265 Where to Find More Information About File Services 265 6 Client Management: Mac OS X 267 The User Experience 268 Logging In 268 Locating the Home Directory 268 Before You Begin 269 Designating Administrators 270 Setting Up User Accounts 270 LL9285.Book Page 16 Tuesday, June 25, 2002 3:59 
PMContents 17 Setting Up Group Accounts 271 Setting Up Computer Accounts 271 Creating a Computer Account 272 Creating a Preset for Computer Accounts 273 Using a Computer Accounts Preset 273 Adding Computers to an Existing Computer Account 274 Editing Information About a Computer 274 Moving a Computer to a Different Computer Account 275 Deleting Computers From a Computer List 275 Deleting a Computer Account 276 Searching for Computer Accounts 276 Managing Guest Computers 277 Working With Access Settings 278 Restricting Access to Computers 278 Making Computers Available to All Users 279 Using Local User Accounts 279 Managing Portable Computers 280 Unknown Portable Computers 280 Portable Computers With Multiple Local Users 280 Portable Computers With One Primary Local User 280 Using Wireless Services 281 How Workgroup Manager Works With System Preferences 281 Managing Preferences 282 About the Preferences Cache 283 Updating the Managed Preferences Cache 283 Updating Cached Preferences Manually 283 How Preference Management Works 284 Preference Management Options 284 Managing a Preference Once 285 Always Managing a Preference 285 Never Managing a Preference 285 Managing User Preferences 285 Managing Group Preferences 286 Managing Computer Preferences 286 LL9285.Book Page 17 Tuesday, June 25, 2002 3:59 PM18 Contents Editing Preferences for Multiple Records 287 Disabling Management for Specific Preferences 287 Managing Applications Preferences 288 Applications Items Preferences 288 Creating a List of Approved Applications 288 Preventing Users From Opening Applications on Local Volumes 289 Managing Application Access to Helper Applications 289 Applications System Preferences 290 Managing Access to System Preferences 290 Managing Classic Preferences 291 Classic Startup Preferences 291 Making Classic Start Up After a User Logs In 291 Choosing a Classic System Folder 291 Classic Advanced Preferences 292 Allowing Special Actions During Restart 292 Keeping Control Panels 
Secure 292 Preventing Access to the Chooser and Network Browser 293 Making Apple Menu Items Available in Classic 293 Adjusting Classic Sleep Settings 294 Managing Dock Preferences 294 Dock Display Preferences 294 Controlling the User’s Dock 294 Dock Items Preferences 295 Adding Items to a User’s Dock 295 Preventing Users From Adding Additional Dock Items 296 Managing Finder Preferences 296 Finder Preferences 296 Keeping Disks and Servers From Appearing on the User’s Desktop 296 Controlling the Behavior of Finder Windows 297 Making File Extensions Visible 298 Selecting the User Environment 298 Hiding the Alert Message When a User Empties the Trash 298 Finder Commands Preferences 299 Controlling User Access to an iDisk 299 LL9285.Book Page 18 Tuesday, June 25, 2002 3:59 PMContents 19 Controlling User Access to Remote Servers 299 Controlling User Access to Folders 300 Preventing Users From Ejecting Disks 300 Hiding the Burn Disc Command in the Finder 301 Removing Restart and Shut Down Commands From the Apple Menu 301 Finder Views Preferences 302 Adjusting the Appearance and Arrangement of Desktop Items 302 Adjusting the Appearance of Finder Window Contents 303 Managing Internet Preferences 304 Setting Email Preferences 304 Setting Web Browser Preferences 304 Managing Login Preferences 305 Login Window Preferences 305 Deciding How a User Logs In 305 Helping Users Remember Passwords 306 Preventing Restarting or Shutting Down the Computer at Login 306 Login Items Preferences 307 Opening Applications Automatically After a User Logs In 307 Managing Media Access Preferences 308 Media Access Disc Media Preferences 308 Controlling Access to CDs and DVDs 308 Controlling the Use of Recordable Discs 309 Media Access Other Media Preferences 309 Controlling Access to Hard Drives and Disks 309 Ejecting Items Automatically When a User Logs Out 310 Managing Printing Preferences 311 Printer List Preferences 311 Making Printers Available to Users 311 Preventing Users From Modifying the 
Printer List 312
Restricting Access to Printers Connected to a Computer 312
Printer Access Preferences 313
Setting a Default Printer 313
Restricting Access to Printers 313

LL9285.Book Page 19 Tuesday, June 25, 2002 3:59 PM

7 Print Service 315
What Printers Can Be Shared? 316
Who Can Use Shared Printers? 317
Setup Overview 317
Before You Begin 319
Security Issues 319
Setting Up Print Service 319
Starting Up and Configuring Print Service 319
Adding Printers 320
Configuring Print Queues 320
Adding Print Queues to Shared Open Directory Domains 321
Setting Up Print Quotas 322
Enforcing Quotas for a Print Queue 322
Setting Up Printing on Client Computers 323
Mac OS X Clients 323
Adding a Print Queue in Mac OS X Using AppleTalk 323
Adding a Print Queue in Mac OS X Using LPR 323
Adding a Print Queue From an Open Directory Domain 323
Mac OS 8 and Mac OS 9 Clients 324
Setting Up Printing on Mac OS 8 or 9 Clients for an AppleTalk Printer 324
Setting Up Printing on Mac OS 8 or 9 Clients for an LPR Printer 324
Windows Clients 325
UNIX Clients 325
Managing Print Service 325
Monitoring Print Service 325
Stopping Print Service 326
Setting Print Service to Start Automatically 326
Managing Print Queues 326
Monitoring a Print Queue 326
Putting a Print Queue on Hold (Stopping a Print Queue) 327
Restarting a Print Queue 327
Changing a Print Queue’s Configuration 327
Renaming a Print Queue 328
Selecting a Default Print Queue 329
Deleting a Print Queue 329
Managing Print Jobs 329
Monitoring a Print Job 329
Stopping a Print Job 330
Putting a Print Job on Hold 330
Restarting a Print Job 330
Holding All New Print Jobs 331
Setting the Default Priority for New Print Jobs 331
Changing a Print Job’s Priority 331
Deleting a Print Job 332
Managing Print Quotas 332
Suspending Quotas for a Print Queue 332
Managing Print Logs 332
Viewing Print Logs 333
Archiving Print Logs 333
Deleting Print Log Archives 334
Solving Problems 334
Print Service Doesn’t Start 334
Users Can’t Print 334
Print Jobs Don’t Print 334
Print Queue Becomes Unavailable 335

8 Web Service 337
Before You Begin 338
Configuring Web Service 338
Providing Secure Transactions 338
Setting Up Web Sites 338
Hosting More Than One Web Site 339
Understanding WebDAV 339
Defining Realms 339
Setting WebDAV Privileges 339
Understanding WebDAV Security 339
Understanding Multipurpose Internet Mail Extension (MIME) 340
Setting Up Web Service for the First Time 341
Managing Web Service 342
Starting or Stopping Web Service 343
Starting Web Service Automatically 343
Modifying MIME Mappings 343
Setting Up Persistent Connections for Web Service 344
Limiting Simultaneous Connections for Web Service 344
Setting Up Proxy Caching for Web Service 345
Blocking Web Sites From Your Web Server Cache 345
Enabling SSL for Web Service 346
Setting Up the SSL Log for a Web Server 346
Setting Up WebDAV for a Web Server 346
Starting Tomcat 347
Checking Web Service Status 348
Viewing Logs of Web Service Activity 348
Setting Up Multiple IP Addresses for a Port 348
Managing Web Sites 349
Setting Up the Documents Folder for Your Web Site 349
Changing the Default Web Folder for a Site 349
Enabling a Web Site on a Server 350
Setting the Default Page for a Web Site 351
Changing the Access Port for a Web Site 351
Improving Performance of Static Web Sites 351
Enabling Access and Error Logs for a Web Site 352
Setting Up Directory Listing for a Web Site 352
Connecting to Your Web Site 353
Enabling WebDAV 353
Setting Access for WebDAV-Enabled Sites 354
Enabling a Common Gateway Interface (CGI) Script 354
Enabling Server Side Includes (SSI) 355
Monitoring Web Sites 356
Setting Server Responses to MIME Types 356
Enabling SSL 357
Enabling PHP 357
WebMail 358
WebMail Users 358
WebMail and Your Mail Server 359
WebMail Protocols 359
Enabling WebMail 359
Configuring WebMail 360
Setting Up Secure Sockets Layer (SSL) Service 361
Generating a Certificate Signing Request (CSR) for Your Server 361
Obtaining a Web Site Certificate 362
Installing the Certificate on Your Server 363
Enabling SSL for the Site 363
Solving Problems 364
Users Can’t Connect to a Web Site on Your Server 364
A Web Module Is Not Working as Expected 364
A CGI Will Not Run 364
Installing and Viewing Web Modules 365
Macintosh-Specific Modules 365
mod_macbinary_apple 365
mod_sherlock_apple 365
mod_auth_apple 365
mod_redirectacgi_apple 366
mod_hfs_apple 366
Open-Source Modules 366
Tomcat 366
PHP: Hypertext Preprocessor 366
mod_perl 366
MySQL 367
Where to Find More Information 367

9 Mail Service 369
Mail Service Protocols 370
Post Office Protocol (POP) 370
Internet Message Access Protocol (IMAP) 371
Simple Mail Transfer Protocol (SMTP) 371
SMTP Alternatives: Sendmail and Postfix 371
How Mail Service Uses SSL 372
How Mail Service Uses DNS 372
Where Mail Is Stored 373
How User Account Settings Affect Mail Service 373
What Mail Service Can Do About Junk Mail 373
SMTP Authentication 374
Restricted SMTP Relay 374
SMTP Authentication and Restricted SMTP Relay Combinations 375
Rejected SMTP Servers 375
Mismatched DNS Name and IP Address 375
Blacklisted Servers 375
What Mail Service Doesn’t Do 376
Mail Service Configuration in the Local Directory 376
Overview of Mail Service Tools 376
Setup Overview 377
Overview of Ongoing Mail Service Management 379
Before You Begin 379
Working With General Settings for Mail Service 380
Starting and Stopping Mail Service 380
Starting Mail Service Automatically 380
Requiring or Allowing Kerberos Authentication 381
Adding or Removing Local Names for the Mail Server 381
Changing Protocol Settings for Mail Service 382
Monitoring and Archiving Mail 382
Working With Settings for Incoming Mail 382
Limiting Incoming Message Size 383
Deleting Email Automatically 383
Notifying Users Who Have New Mail 383
Working With Settings for Incoming POP Mail 384
Requiring Authenticated POP (APOP) 384
Changing the POP Response Name 384
Changing the POP Port Number 385
Working With Settings for Incoming IMAP Mail 385
Requiring Secure IMAP Authentication 385
Changing the IMAP Response Name 386
Using Case-Sensitive IMAP Folder Names 386
Controlling IMAP Connections Per User 386
Terminating Idle IMAP Connections 387
Changing the IMAP Port Number 387
Working With Settings for Outgoing Mail 387
Sending Nonlocal Mail 388
Sending Only Local Mail 388
Suspending Outgoing Mail Service 388
Working With Settings for SMTP Mail 389
Requiring SMTP Authentication 389
Sending SMTP Mail via Another Server 389
Changing the SMTP Response Names 390
Changing the Incoming SMTP Port Number 391
Changing the Outgoing SMTP Port Number 391
Enabling an Alternate Mail Transfer Agent 391
Starting Sendmail 392
Working With the Mail Database 393
Converting the Mail Database From an Earlier Version 393
Changing Where Mail Is Stored 394
Configuring Automatic Mail Deletion 394
Allowing Administrator Access to the Mail Database and Files 394
Cleaning Up the Mail Files 395
Working With Network Settings for Mail Service 396
Specifying DNS Lookup for Mail Service 396
Updating the DNS Cache in Mail Service 397
Changing Mail Service Timeouts 397
Limiting Junk Mail 398
Restricting SMTP Relay 398
Rejecting SMTP Connections From Specific Servers 399
Checking for Mismatched SMTP Server Name and IP Address 399
Rejecting Mail From Blacklisted Senders 401
Allowing SMTP Relay for a Backup Mail Server 401
Filtering SMTP Connections 401
Working With Undeliverable Mail 402
Forwarding Undeliverable Incoming Mail 402
Limiting Delivery Attempts in Mail Service 402
Sending Nondelivery Reports to Postmaster 403
Monitoring Mail Status 403
Viewing Overall Mail Service Activity 404
Viewing Connected Mail Users 404
Viewing Mail Accounts 404
Reviewing Mail Service Logs 404
Reclaiming Disk Space Used by Mail Service Logs 405
Supporting Mail Users 405
Configuring Mail Settings for User Accounts 405
Configuring Email Client Software 406
Creating Additional Email Addresses for a User 407
Performance Tuning 407
Backing Up and Restoring Mail Files 408
Where to Find More Information 408
Books 408
Internet 409

10 Client Management: Mac OS 9 and OS 8 411
The User Experience 412
Logging In 412
Logging In Using the All Other Users Account 413
Logging In Using the Guest Account 413
Locating the Home Directory 413
Finding Applications 414
Finding Shared Documents 414
Before You Begin 414
Client Computer Requirements 414
Administrator Computer Requirements 415
Using Update Packages 417
Choosing a Language for Macintosh Manager Servers and Clients 417
Changing the Apple File Service Language Script 418
Inside Macintosh Manager 418
Macintosh Manager Security 418
About the Macintosh Manager Share Point 419
The Multi-User Items Folder 419
How the Multi-User Items Folder Is Updated 420
How Macintosh Manager Works With Directory Services 420
Where User Information Is Stored 421
How Macintosh Manager Works With Home Directories 422
How Macintosh Manager Works With Preferences 422
Where Macintosh Manager Preferences Are Stored 422
Using the MMLocalPrefs Extension 423
Using NetBoot With Macintosh Manager 423
Preparation for Using NetBoot 423
Setting Up Mac OS 9 or Mac OS 8 Managed Clients 424
Logging In to Macintosh Manager as an Administrator 425
Working With Macintosh Manager Preferences 426
Importing User Accounts 426
Applying User Settings With a Template 426
Importing All Users 427
Importing One or More Users 427
Collecting User Information in a Text File 428
Importing a List of Users From a Text File 428
Finding Specific Imported Users 429
Providing Quick Access to Unimported Users 429
Using Guest Accounts 429
Providing Access to Unimported Mac OS X Server Users 430
Setting Up a Guest User Account 431
Designating Administrators 431
About Macintosh Manager Administrators 431
Allowing Mac OS X Server Administrators to Use Macintosh Manager Accounts 432
About Workgroup Administrators 432
Creating a Macintosh Manager Administrator 432
Creating a Workgroup Administrator 432
Changing Your Macintosh Manager Administrator Password 433
Working With User Settings 433
Changing Basic User Settings 433
Allowing Multiple Logins for Users 434
Granting a User System Access 434
Changing Advanced Settings 434
Limiting a User’s Disk Storage Space 435
Updating User Information From Mac OS X Server 435
Setting Up Workgroups 436
Types of Workgroup Environments 436
Creating a Workgroup 436
Using a Template to Apply Workgroup Settings 437
Creating Workgroups From an Existing Workgroup 437
Modifying an Existing Workgroup 438
Using Items Settings 438
Setting Up Shortcuts to Items for Finder Workgroups 438
Making Items Available to Panels or Restricted Finder Workgroups 439
Making Items Available to Individual Users 440
Using Privileges Settings 440
Protecting the System Folder and Applications Folder 440
Protecting the User’s Desktop 440
Preventing Applications From Altering Files 441
Preventing Access to FireWire Disks 441
Allowing Users to Play Audio CDs 441
Allowing Users to Take Screen Shots 442
Allowing Users to Open Applications From a Disk 442
Setting Access Privileges for Removable Media 442
Setting Access Privileges for Menu Items 443
Sharing Information in Macintosh Manager 443
Selecting Privileges for Workgroup Folders 444
Setting Up a Shared Workgroup Folder 444
Setting Up a Hand-In Folder 445
Using Volumes Settings 445
Connecting to AFP Servers 445
Providing Access to Server Volumes 446
Using Printers Settings 447
Making Printers Available to Workgroups 447
Setting a Default Printer 447
Restricting Access to Printers 448
Setting Print Quotas 448
Allowing Users to Exceed Print Quotas 448
Setting Up a System Access Printer 449
Using Options Settings 449
Choosing a Location for Storing Group Documents 450
Making Items Open at Startup 450
Checking for Email When Users Log In 451
Creating Login Messages for Workgroups 451
Setting Up Computer Lists 451
Creating Computer Lists 451
Setting Up the All Other Computers Account 452
Duplicating a Computer List 452
Creating a Computer List Template 453
Disabling Login for Computers 453
Using Workgroup Settings for Computers 454
Controlling Access to Computers 454
Using Control Settings 454
Disconnecting Computers Automatically to Minimize Network Traffic 454
Setting the Computer Clock Using the Server Clock 455
Using a Specific Hard Disk Name 455
Creating Email Addresses for Managed Users 455
Using Security Settings for Computers 456
Keeping Computers Secure If a User Forgets to Log Out 456
Allowing Access to All CDs and DVDs 457
Allowing Access to Specific CDs or DVDs 457
Choosing Computer Security Settings for Applications 457
Allowing Specific Applications to Be Opened by Other Applications 458
Allowing Users to Work Offline 458
Allowing Users to Switch Servers After Logging In 459
Allowing Users to Force-Quit Applications 459
Allowing Users to Disable Extensions 459
Using Computer Login Settings 460
Choosing How Users Log In 460
Creating Login Messages for Computers 460
Customizing Panel Names 460
Managing Portable Computers 461
Portable Computers With Network Users 461
Portable Computers With Local Users 461
Letting Users Check Out Computers 462
Using Wireless Services 462
Using Global Security Settings 462
Using Macintosh Manager Reports 463
Setting the Number of Items in a Report 463
Keeping the Administration Program Secure 463
Verifying Login Information Using Kerberos 464
Preventing Users From Changing Their Passwords 464
Allowing Administrators to Access User Accounts 464
Copying Preferences for Mac OS 8 Computers 464
Using Global CD-ROM Settings 465
Managing Preferences 466
Using Initial Preferences 466
Using Forced Preferences 467
Preserved Preferences 468
Solving Problems 470
I’ve Forgotten My Administrator Password 470
Administrators Can’t Get to the Finder After Logging In 470
Generic Icons Appear in the Items Pane 470
Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work 471
Some Printers Don’t Appear in the Available Printers List 471
Users Can’t Log In to the Macintosh Manager Server 471
Users Can’t Log In as “Guest” on Japanese-Language Computers 471
A Client Computer Can’t Connect to the Server 471
The Server Doesn’t Appear in the AppleTalk List 472
The User’s Computer Freezes 472
Users Can’t Access Their Home Directories 472
Users Can’t Access Shared Files 472
Shared Workgroup Documents Don’t Appear in a Panels Environment 472
Applications Don’t Work Properly or Don’t Open 472
Users Can’t Drag and Drop Between Applications 473
Users Can’t Open Files From a Web Page 473
Sometimes the Right Application Doesn’t Open for Users 473
Where to Find More Information 473

11 DHCP Service 475
Before You Set Up DHCP Service 475
Creating Subnets 476
Assigning IP Addresses Dynamically 476
Using Static IP Addresses 476
Locating the DHCP Server 476
Interacting With Other DHCP Servers 477
Assigning Reserved IP Addresses 477
Setting Up DHCP Service for the First Time 477
Managing DHCP Service 478
Starting and Stopping DHCP Service 478
Setting the Default DNS Server for DHCP Clients 479
Setting the LDAP Server for DHCP Clients 479
Setting Up Logs for DHCP Service 480
Deleting Subnets From DHCP Service 480
Changing Lease Times for Subnet Address Ranges 480
Monitoring DHCP Client Computers 481
Creating Subnets in DHCP Service 481
Changing Subnet Settings in DHCP Service 481
Setting DNS Options for a Subnet 482
Setting NetInfo Options for a Subnet 482
Disabling Subnets Temporarily 483
Viewing DHCP and NetBoot Client Lists 483
Viewing DHCP Log Entries 483
Solving Problems 484
Where to Find More Information 484

12 NetBoot 485
Prerequisites 486
Administrator Requirements 486
Server Requirements 486
Client Computer Requirements 487
Network Requirements 488
Capacity Planning 488
NetBoot Implementation 489
NetBoot Image Folder 489
Property List File 490
Boot Server Discovery Protocol (BSDP) 491
TFTP and the Boot ROM File 492
NetBoot Files and Directory Structure 493
Security 493
NetBoot and AirPort 493
Setup Overview 493
Setting Up NetBoot on a Mac OS X Server 496
Creating a Mac OS X Disk Image 496
Installing Classic (Mac OS 9) on a Mac OS X Disk Image 497
Installing the Mac OS 9 Disk Image 497
Modifying the Mac OS 9 Disk Image 498
Specifying the Default NetBoot Disk Image 500
Setting Up Multiple Disk Images 500
Configuring NetBoot on Your Server 501
Starting NetBoot on Your Server 501
Enabling NetBoot Disk Images 502
Managing NetBoot 502
Turning Off NetBoot 502
Disabling Disk Images 502
Updating Mac OS X Disk Images 503
Monitoring the Status of Mac OS X NetBoot Clients 503
Monitoring the Status of Mac OS 9 NetBoot Clients 503
Filtering NetBoot Client Connections 503
Load Balancing 504
Enabling Server Selection 504
Using Share Points to Spread the Load 505
Supporting Client Computers 505
Updating the Startup Disk Control Panel 505
Setting Up “System-Less” Clients 506
Selecting a NetBoot Startup Image (from Mac OS X) 506
Selecting a NetBoot Startup Image (from Mac OS 9) 506
Starting Up Using the N Key 507
Solving Problems 507
A NetBoot Client Computer Won’t Start Up 507
You Are Using Macintosh Manager and a User Can’t Log In to a NetBoot Client 508

13 Network Install 509
Understanding Packages 509
Setup Overview 510
Setting Up Network Install 511
Creating a Network Install Disk Image 511
Creating Custom Packages for Network Install 512
Including Packages in an Installer Disk Image 512
Enabling Installer Disk Images 513

14 DNS Service 515
Before You Set Up DNS Service 516
DNS and BIND 516
Setting Up Multiple Name Servers 516
Using DNS With Mail Service 516
Setting Up DNS Service for the First Time 517
Managing DNS Service 518
Starting and Stopping DNS Service 518
Viewing DNS Log Entries 519
Viewing DNS Service Status 519
Viewing DNS Usage Statistics 519
Inside DNS Service (Configuring BIND) 520
What Is BIND? 520
BIND on Mac OS X Server 520
BIND Configuration File 520
Zone Data Files 521
Practical Example 521
Setting Up Sample Configuration Files 521
Configuring Clients 522
Check Your Configuration 523
Load Distribution With Round Robin 523
Setting Up a Private TCP/IP Network 523
Where to Find More Information 524

15 Firewall Service 525
Before You Set Up Firewall Service 527
What Is a Filter? 527
IP Address 527
Subnet Mask 527
Using Address Ranges 528
IP Address Precedence 529
Multiple IP Addresses 529
Practical Examples 529
Block Access to Internet Users 529
Block Junk Mail 530
Allow a Customer to Access the Apple File Server 530
Setting Up Firewall Service for the First Time 530
Managing Firewall Service 531
Starting and Stopping Firewall Service 531
Setting Firewall Service to Start Automatically 531
Editing IP Filters 532
Creating an IP Filter 532
Searching for IP Filters 533
Viewing the Firewall Log 533
Configuring Firewall Service 533
Setting Up Logs for Firewall Service 534
Viewing Denied Packets 535
Filtering UDP Ports in Firewall Service 535
Blocking Multicast Services in Firewall Service 536
Allowing NetInfo Access to Certain IP Addresses 536
Changing the Any Port (Default) Filter 537
Preventing Denial-of-Service Attacks 537
Creating IP Filter Rules Using ipfw 538
Reviewing IP Filter Rules 539
Creating IP Filter Rules 539
Deleting IP Filter Rules 539
Port Reference 540
Solving Problems 543
You Can’t Access the Server Over TCP/IP 543
You Can’t Locate a Specific Filter 543
Where to Find More Information 543

16 SLP DA Service 545
SLP DA Considerations 545
Before You Begin 545
Managing Service Location Protocol (SLP) Directory Agent (DA) Service 547
Starting and Stopping SLP DA Service 547
Viewing Scopes and Registered Services in SLP 547
Creating New Scopes in SLP DA Service 548
Registering a Service With SLP DA 548
Deregistering Services in SLP DA Service 549
Setting Up Logs for SLP DA Service 549
Logging Debugging Messages in SLP DA Service 549
Viewing SLP DA Log Entries 549
Using the Attributes List 550
Where to Find More Information 550

17 Tools for Advanced Users 551
Terminal 552
Using the Terminal Application 552
Understanding UNIX Command-Line Structure 553
Secure Shell (SSH) Command 553
Enabling and Disabling SSH Access 553
Opening an SSH Session 553
Executing Commands in an SSH Session 554
Closing an SSH Session 554
Understanding Key Fingerprints 554
dsimportexport 555
Log Rolling Scripts 555
diskspacemonitor 556
diskutil 557
installer 558
Using installer 558
Full Operating System Installation 559
softwareupdate 561
systemsetup 561
Working With Server Identity and Startup 561
Working With Date and Time Preferences 562
Working With Sleep Preferences 562
networksetup 562
Reverting to Previous Network Settings 563
Retrieving Your Server’s Network Configuration 563
Configuring TCP/IP Settings 564
Configuring DNS Servers and Search Domains 564
Managing Network Services 564
Designating Proxy Servers 565
MySQL Manager 565
Simple Network Management Protocol (SNMP) Tools 566
diskKeyFinder 566
Enabling IP Failover 567
Requirements 567
Hardware 567
Software 567
Failover Operation 567
Enabling IP Failover 569
Configuring IP Failover 569
Notification Only 570
Pre And Post Scripts 570

Appendix A Open Directory Data Requirements 573
User Data That Mac OS X Server Uses 573
Standard Data Types in User Records 574
Format of the MailAttribute Data Type 577
Standard Data Types in Group Records 580

Glossary 581

Index 591

Preface
How to Use This Guide

What’s Included in This Guide

This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services:

• Chapter 1, “Administering Your Server,” highlights the major characteristics of Mac OS X Server’s services and takes you on a tour of its administration applications.
• Chapter 2, “Directory Services,” describes the services that Mac OS X computers use to find information about users, groups, and devices on your network. The Mac OS X directory services architecture is referred to as Open Directory.
• Chapter 3, “Users and Groups,” covers user and group accounts, describing how to administer settings for server users and collections of users (groups), including Open Directory Password Server and other password authentication options.
• Chapter 4, “Sharing,” tells you how to share folders, hard disks, and CDs among network users, as well as how to make them automatically visible after logging in to Mac OS X computers.
• Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service.
• Chapter 6, “Client Management: Mac OS X,” addresses client management for Mac OS X computer users. Client management lets you customize a user’s working environment and restrict a user’s access to network resources.
• Chapter 7, “Print Service,” tells you how to share printers among users on Macintosh, Windows, and other computers.
• Chapter 8, “Web Service,” describes how to set up and administer a Web server and host multiple Web sites on your server.
• Chapter 9, “Mail Service,” describes how to set up and administer a mail server on your server.
• Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments.
• Chapter 11, “DHCP Service,” describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users.
• Chapter 12, “NetBoot,” describes the application that lets Macintosh computers running Mac OS 9 or Mac OS X boot from a network-based system image.
• Chapter 13, “Network Install,” tells you how to use the centralized network software installation service that automates installing, restoring, and upgrading Macintosh computers on your network.
• Chapter 14, “DNS Service,” describes Dynamic Name Service (DNS), a distributed database that maps IP addresses to domain names.
• Chapter 15, “Firewall Service,” addresses how to protect your server by scanning incoming IP packets and rejecting or accepting these packets based on filters you create.
• Chapter 16, “SLP DA Service,” describes Service Location Protocol Directory Agent (SLP DA), which you can use to make devices on your network visible to your server users.
• Chapter 17, “Tools for Advanced Users,” describes server applications, tools, and techniques intended for use by experienced server administrators.
• Appendix A, “Open Directory Data Requirements,” provides information you’ll need when you must map directory services information needed by Mac OS X to information your server will retrieve from another vendor’s server.
• The Glossary defines terms you’ll encounter as you read this guide.

Using This Guide

Review the first chapter to acquaint yourself with the services and applications that Mac OS X Server provides. Then read any chapter that’s about a service you plan to provide to your users. Each service’s chapter includes an overview of how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time.

Also take a look at any chapter that describes a service with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users.

Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other reference material containing more information about the service.

Setting Up Mac OS X Server for the First Time

If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.
• Review Chapter 1, “Administering Your Server,” in this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities.
• Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.”

Getting Help for Everyday Management Tasks

If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the online help available with server administration programs. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information in online help form while using your server.

Getting Additional Information

In addition to this document, you’ll find information about Mac OS X Server
• in Getting Started With Mac OS X Server, which tells you how to install and set up your server initially
• in Upgrading to Mac OS X Server, which provides instructions for migrating data to Mac OS X Server from existing Macintosh computers
• at www.apple.com/macosx/server
• in online help on your server
• in Read Me files on your server CD

Chapter 1
Administering Your Server

Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network:

• You can connect users to each other, using services such as mail and file sharing.
• You can share system resources, such as printers and computers—maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared.
• You can host Internet services, such as Web sites and streaming video.
• You can customize working environments—such as desktop resources and personal files—of networked users.

This chapter is a tour of Mac OS X Server capabilities and administration. The chapter begins by pointing out some of Mac OS X Server’s key features. Then it summarizes the services you can set up to support the clients you want your server to host. Finally, it introduces the applications you use to set up and administer your server.

Highlighting Key Features

Mac OS X Server has a wide range of features that characterize it as easy to use, yet robust and high performing.

Ease of Setup and Administration

From the time you first unpack your server throughout its initial setup and deployment, its ease of use is prominent. Setup assistants quickly walk you through the process of making basic services initially available. While your network users take advantage of the initial file sharing, mail, Web and other services, you can add on additional client support and manage day-to-day server operations using graphical administrative applications. From one administrator computer, you can set up and manage all the Mac OS X Servers on your network.

Networking and Security

You can choose from several user authentication options, ranging from Kerberos or Lightweight Directory Access Protocol (LDAP) to Mac OS X Server’s Open Directory Password Server. Password Server lets you implement password policies and supports a wide variety of client protocols.
The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer), so it can support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users.

Kerberos authentication is available for file services—Apple Filing Protocol (AFP) and File Transfer Protocol (FTP)—as well as for mail services (POP, IMAP, and SMTP).

External network communication requests can be controlled with built-in Internet Protocol (IP) firewall management. And data communications can be encrypted and authenticated with protocol-level data security provided with Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH).

File and Printer Sharing

File sharing offers flexible support for various native protocols as well as security and high availability:

• It’s easy to share files with Macintosh, Windows, UNIX, Linux, and anonymous Internet clients.
• You can control how much file space individual users consume by setting up mail and file quotas. Quotas limit the number of megabytes a user can use for mail or files.
• Kerberos authentication is available for AFP and FTP file servers.
• You can improve the security of NFS volumes by setting up share points on them that let users access them using the more secure AFP protocol. This feature is referred to as resharing NFS mounts.
• AFP autoreconnect lets client computers keep Apple file servers mounted after long periods of inactivity or after sleep/wake cycles.

Mac OS X Server printer sharing includes
• the ability to set up print quotas. Print quotas can be set up for each user and each print queue, letting you limit the number of pages that can be printed during a particular period.
• support for sharing printers among Mac OS 9 users (AppleTalk and LaserWriter 8 support), Mac OS X, Windows, and UNIX users

Open Directory Services

User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains. The term for the services that locate and retrieve this data is directory services.

The Mac OS X directory services architecture is referred to as Open Directory. It lets you store data in a way that best suits your environment. Mac OS X Server can host directory domains using Apple’s NetInfo and LDAP directory domains. Open Directory also lets you take advantage of information you have already set up in non-Apple directory domains—for example, LDAP or Active Directory servers or Berkeley Software Distribution (BSD) configuration files.

Comprehensive Management of Macintosh Workgroups

Workgroup management services let you simplify and control the environment that Macintosh client users experience.

Mac OS X Server client management support helps you personalize the computing environment of Macintosh clients. You can set up Mac OS 8, 9, and X computers to have particular desktop environments and access to particular applications and network resources. You can design your Macintosh users’ experience as circumstances warrant.

You can also use NetBoot and Network Install to automate the setup of software used by Macintosh client computers:

• NetBoot lets Macintosh computers running Mac OS 9 or Mac OS X boot from a network-based system image, offering quick and easy configuration of department, classroom, and individual systems as well as Web and application servers throughout a network.
When you update NetBoot images, all NetBooted computers have instant access to the new configuration.
• Network Install is a centralized network software installation service. It lets you selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization.

Mac OS X Server also lets you automatically configure the directory services you want Mac OS X clients to have access to. Automatic directory services configuration means that when a user logs into a Mac OS X computer, the user’s directory service configuration is automatically downloaded from the network, setting up the user’s network access policies, preferences, and desktop configuration without the need to configure the client computer directly.

High Availability

To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure.

You can also configure IP failover. IP failover is a way to set up a standby server that will take over if the primary server fails. The standby server takes over the IP address of the failed server, which takes the IP address back when it is online again. IP failover is useful for DNS servers, Web servers hosting Web sites, media broadcast servers, and other servers that require minimal data replication.

Extensive Internet and Web Services

Powerful Internet and Web services are built into Mac OS X Server:

• Apache, the most popular Web server, provides reliable, high-performance Web content delivery. Integrated into Apache is Web-Based Distributed Authoring and Versioning (WebDAV), which simplifies the Web publishing and content management environment.
• If your Web sites contain static HTML files that are frequently requested, you can enable a performance cache to improve server performance.
• Web services include a comprehensive assortment of open-source services—Ruby, Tomcat, MySQL, PHP, and Perl.
• Mac OS X Server includes a high-performance Java virtual machine.
• SSL support enables secure encryption and authentication for ecommerce Web sites and confidential materials.
• QuickTime Streaming Server (QTSS) lets you stream both live and stored multimedia content on the Internet using industry-standard protocols.
• Mail service lets you set up a mail server your network users can use to send and receive email.
• WebMail service bundled with Mac OS X Server enables your users to access mail service via a Web browser.

Highlighting Individual Services

This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.

Directory Services

Directory services let you use a central data repository for user and network information your server needs to authenticate users and give them access to services. Information about users (such as their names, passwords, and preferences) as well as printers and other resources on the network is consolidated rather than distributed to each computer on the network, simplifying the administrator’s tasks of directory domain setup and maintenance.

Open Directory

On Mac OS X computers, the directory services are collectively referred to as Open Directory. Open Directory acts as an intermediary between directory domains that store information and Mac OS X processes that need the information.

Open Directory supports a wide variety of directory domains, letting you store your directory information on Mac OS X Server or on a server you already have set up for this purpose:

• You can define and manage information in directory domains that reside on Mac OS X Server. Open Directory supports both NetInfo and LDAPv3 protocols and gives you complete control over directory data creation and management.
• Mac OS X Server can also retrieve directory data from LDAP and Active Directory servers and BSD configuration files you’ve already set up. Your server provides full read/write and SSL communications support for LDAPv3 directory domains.

Chapter 2, “Directory Services,” provides complete information about all the Open Directory options, including instructions for how to create Mac OS X–resident directory domains and how to configure your server and your clients to access directory domains of all kinds. Chapter 3, “Users and Groups,” describes how to work with user and group accounts stored in Open Directory domains.

Password Validation

Open Directory gives you several options for validating a user’s password:

• Using a value stored as a readable attribute in the user’s account.
• Using a value stored in the Open Directory Password Server. This strategy lets you set up user-specific password policies for users. For example, you can require a user to change his password periodically or use only passwords having more than a minimum number of characters. Password Server supports a wide range of client authentication protocols.
• Using a Kerberos server.
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.

“Understanding Password Validation” on page 189 provides more information about these options and tells you how to implement them.

Search Policies

Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory domain of the computer’s search policy. A search policy is a list of directory domains the computer searches when it needs configuration information.

You can configure the search policy of Mac OS X computers on the computers themselves. You can automate Mac OS X client directory setup by using your server’s built-in DHCP Option 95 support.
Chapter 2, “Directory Services,” describes how to configure search policies on any Mac OS X computer.

File Services

Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:

• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• Windows services use Server Message Block (SMB) protocol to let you share resources with clients who use Windows, and to provide name resolution service for Windows clients.
• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).

You can deploy network home directories for Mac OS X clients using AFP and for UNIX clients using NFS. With a network home directory, users can access their applications, documents, and individual settings regardless of the computer to which they log in. You can impose disk quotas on network home directories to regulate server disk usage for users with home directories.

Sharing

You share files among users by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items.

On Mac OS X computers, share points can be found in the /Network directory and by using the Finder’s Connect To Server command. On Mac OS 8 and 9 computers, users access share points using the Chooser. On Windows computers, users use Network Neighborhood.
Chapter 4, “Sharing,” tells you how to set up and manage share points.

Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your company that are not on your local network to discover and connect to Mac OS X Server.

Apple File Service

Apple Filing Protocol (AFP) allows Macintosh client users to connect to your server and access folders and files as if they were located on the user’s own computer. AFP offers

• file sharing support for Macintosh clients over TCP/IP
• autoreconnect support when a file server connection is interrupted
• encrypted file sharing (AFP through SSH)
• automatic creation of user home directories
• Kerberos v5 authentication for Mac OS X v10.2 and later clients
• fine-grained access controls for managing client connections and guest access
• automatic disconnect of idle clients after a period of inactivity

AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes via a secure, authenticated AFP connection. It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks.

See “Apple File Service” on page 224 for details about AFP.

Windows Services

Windows services in Mac OS X Server provide four native services to Windows clients:

• file service, which allows Windows clients to connect to Mac OS X Server using Server Message Block (SMB) protocol over TCP/IP
• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution
• browsing, which allows clients to browse for available servers across subnets

See “Windows Services” on page 235 for more information about Windows services.

Network File System (NFS) Service

NFS is the protocol used for file services on UNIX computers.
The NFS term for sharing is export. You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.

NFS does not support name/password authentication. It relies on client IP addresses to authenticate users and on client enforcement of privileges—not a secure approach in most networks. Therefore use NFS only if you are on a local area network (LAN) with trusted client computers or if you are in an environment that can’t use Apple file sharing or Windows file sharing. If you have Internet access and plan to export to World, your server should be behind a firewall.

See “Network File System (NFS) Service” on page 256 for more information about NFS.

File Transfer Protocol (FTP)

FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your FTP file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server.

FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers. Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server.

FTP is considered to be an insecure protocol, since user names and passwords are distributed across the Internet in clear text. Because of the security issues associated with FTP authentication, most FTP servers are used as Internet file distribution servers for anonymous FTP users. Mac OS X Server supports anonymous FTP and by default prevents anonymous FTP users from deleting files, renaming files, overwriting files, and changing file permissions. Explicit action must be taken by the server administrator to allow uploads from anonymous FTP users, and then only into a specific share point.
See “File Transfer Protocol (FTP) Service” on page 244 for details about FTP.

Print Service

Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, logging, and using print quotas.

Print service lets you

• share printers with Mac OS 9 (PAP, LaserWriter 8), Mac OS X (IPP, LPR/LPD), Windows (SMB/CIFS), and UNIX (LPR/LPD) clients
• share direct-connect USB printers with Mac OS X version 10.2 and later clients
• connect to network printers using AppleTalk, LPR, and IPP and connect to direct-connect printers using USB
• make printers visible using Open Directory directory domains
• impose print quotas to limit printer usage

See Chapter 7, “Print Service,” for information about print service.

Web Service

Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements. This has led to Apache’s widespread use, making it the most popular Web server on the Internet today.

Web service includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.

Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server.

Web service’s Secure Sockets Layer (SSL) support enables secure encryption and authentication for ecommerce Web sites and confidential materials.
An easy-to-use digital certificate provides non-forgeable proof of your Web site identity.

Mac OS X Server offers extensive support for dynamic Web sites:

• Web service supports Java Servlets, JavaServer Pages, MySQL, PHP, Perl, and UNIX and Mac CGI scripts.
• Mac OS X Server also includes WebObjects deployment software. WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other Internet applications. WebObjects applications can connect to multiple databases and dynamically generate HTML content. You can also purchase the WebObjects development tools if you want to create WebObjects applications. For more information and documentation on WebObjects, go to the WebObjects Web page: www.apple.com/webobjects

See Chapter 8, “Web Service,” for details about Web service.

Mail Service

Mail services support the SMTP, POP, and IMAP protocols, allowing you to select a local or server-based mail storage solution for your users.

With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to block messages from known spam sources. Support for single or dual IMAP/POP3 mail inboxes gives flexibility in mail retrieval; a user can have a POP mailbox for office use and an IMAP mailbox for mobile use. Automatic blind copying (BCC) on incoming mail from specified hosts lets you track email coming from specific sites. You can limit the amount of disk space a user consumes for mail messages.

To protect email communication from eavesdroppers, mail service features SSL encryption of IMAP connections between the mail server and clients, SMTP AUTH authentication using LOGIN and PLAIN, and APOP and Kerberos v5 authentication for POP, IMAP, and SMTP clients.
For complete information about mail services, see Chapter 9, “Mail Service.”

Macintosh Workgroup Management

Mac OS X Server provides work environment personalization for Mac OS 8, 9, and X computer users, ranging from preference management to operating system and application installation automation.

Client Management

You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.

To manage Mac OS 8 and 9 clients, you use Macintosh Manager, described in Chapter 10, “Client Management: Mac OS 9 and OS 8.” To manage Mac OS X clients, you use Workgroup Manager, as Chapter 6, “Client Management: Mac OS X,” describes.

Mac OS X client management has several advantages:

• You can take advantage of the directory services autoconfiguration capability to automatically set up the directory services used by Mac OS X client computers.
• When you update user, group, and computer accounts, managed Mac OS X users inherit changes automatically. You update Mac OS 8 and 9 accounts independently, using Macintosh Manager.
• You have more direct control over individual system preferences.
• Network home directories and group directories can be mounted automatically at login.

NetBoot

NetBoot lets Macintosh clients boot from a system image located on Mac OS X Server instead of from the client computer’s disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized Macintosh environments for different groups of clients.

NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems.
NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured Web and application servers.

NetBoot allows administrators to configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Systems that are compromised or otherwise altered can be instantly restored simply by rebooting.

See Chapter 12, “NetBoot,” for information about setting up and managing NetBoot.

Network Install

Network Install is a centrally managed installation service that allows administrators to selectively install, restore, or upgrade client computers. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, even configuration scripts:

• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.

With Network Install you don’t need to insert multiple CDs to configure a system. All the installation files and packages reside on the server and are installed onto the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image.

See Chapter 13, “Network Install,” for more information about Network Install.
Network Services

Mac OS X Server includes these network services for helping you manage Internet communications on your TCP/IP network:

• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• IP firewall
• Service Location Protocol Directory Agent (SLP DA)

DHCP

DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresses that you define, your server locates an unused address and “leases” it to client computers as needed. DHCP is especially useful when an organization has more clients than IP addresses. IP addresses are assigned on an as-needed basis, and when they are not needed they are available for use by other clients.

As you learned in “Search Policies” on page 48, you can automate the directory services setup of Mac OS X clients using your DHCP server’s Option 95 support. This option lets client computers learn about their directory settings from an LDAP server.

Chapter 11, “DHCP Service,” provides information about your server’s DHCP capabilities.

DNS

DNS service lets users connect to a network resource, such as a Web or file server, by specifying a host name (such as server.apple.com) rather than an IP address (192.168.11.12). DNS is a distributed database that maps IP addresses to domain names.

A server that provides DNS service keeps a list of names and the IP addresses associated with the names. When a computer needs to find the IP address for a name, it sends a message to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.

You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites.
If you don’t have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server. You’ll find complete information about DNS in Chapter 14, “DNS Service.”

IP Firewall

IP firewall service protects your server and the content you store on it from intruders. It provides a software firewall, scanning incoming IP packets and accepting or rejecting them based on filters you define.

You can set up server-wide restrictions for packets from specific IP addresses. You can also restrict access to individual services—such as Web, mail, and FTP—by defining filters for the ports used by the services.

See Chapter 15, “Firewall Service,” for more information about this service.

SLP DA

Service Location Protocol (SLP) provides structure to the services available on a network and gives users easy access to them.

Anything that can be addressed using a URL can be a network service—for example, file servers and WebDAV servers. When a service is added to your network, the service uses SLP to register itself on the network; you don’t need to configure it manually. When a client computer needs to locate a network service, it uses SLP to look for services of that type. All registered services that match the client computer’s request are displayed for the user, who then can choose which one to use.

SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository for registered network services. You can set up a DA to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the DA for the scope in which the client computer is connected responds with a list of available network services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly.

See Chapter 16, “SLP DA Service,” for information about this service.
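The filter behavior the IP Firewall section describes, as an added illustration that is not part of this guide and not the server's own firewall code: a small Python model in which filters are evaluated in order, with a server-wide restriction on packets from a specific address block placed ahead of per-service port filters, and anything unmatched rejected. The address blocks and port numbers are constructed for the example.

```python
"""Constructed model of ordered IP firewall filters (added example, not Apple's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    action: str                     # "allow" or "deny"
    source: ipaddress.IPv4Network   # source addresses this filter applies to
    port: Optional[int] = None      # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address      # source address of the incoming packet
    dport: int                      # destination port (the service being reached)


# Constructed filter set (hypothetical addresses; documentation ranges only):
#   1. server-wide restriction: reject every packet from one address block
#   2. Web service (port 80) reachable from anywhere else
#   3. mail service (SMTP, port 25) reachable only from the local subnet
#   4. FTP service (port 21) reachable only from the local subnet
# Anything not matched by a filter is rejected by evaluate().
FILTERS: List[Filter] = [
    Filter("deny", ipaddress.ip_network("203.0.113.0/24")),
    Filter("allow", ipaddress.ip_network("0.0.0.0/0"), 80),
    Filter("allow", ipaddress.ip_network("192.168.1.0/24"), 25),
    Filter("allow", ipaddress.ip_network("192.168.1.0/24"), 21),
]


def evaluate(packet: Packet, filters: List[Filter] = FILTERS) -> str:
    """Return "allow" or "deny" for one packet using first-match semantics.

    A filter matches when the packet's source address lies inside the
    filter's network and the filter's port is either unspecified or equal
    to the packet's destination port.  The first matching filter decides;
    packets that match no filter are denied, so an omitted service stays
    closed rather than open.
    """
    for f in filters:
        if packet.src in f.source and (f.port is None or f.port == packet.dport):
            return f.action
    return "deny"


def decide(src: str, dport: int) -> str:
    """Convenience wrapper: evaluate a packet given as a dotted address and port."""
    return evaluate(Packet(ipaddress.ip_address(src), dport))


if __name__ == "__main__":
    # Example run against the constructed filter set.
    for src, port in [("198.51.100.7", 80), ("203.0.113.9", 80),
                      ("198.51.100.7", 25), ("192.168.1.20", 25),
                      ("192.168.1.20", 22)]:
        print(f"{src}:{port} -> {decide(src, port)}")
```

Because the server-wide restriction is listed first, a packet from the blocked address block is rejected even on port 80, which the later Web filter would otherwise allow; order of filters therefore matters.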
QuickTime Streaming Service

QuickTime Streaming Server (QTSS) lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols. QTSS supports MPEG-4, MP3, and QuickTime file formats. You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients.

For more information about QTSS, refer to the QuickTime Web site: www.apple.com/quicktime/products/qtss/

You can use QuickTime Broadcaster in conjunction with QTSS when you want to produce a live event. QuickTime Broadcaster allows you to stream live audio and video over the Internet. QuickTime Broadcaster meets the needs of both beginners and professionals by providing preset broadcast settings and the ability to create custom settings. Built on top of the QuickTime architecture, QuickTime Broadcaster enables you to produce a live event using most codecs that QuickTime supports. When teamed with QuickTime Streaming Server or Darwin Streaming Server, QuickTime Broadcaster can produce a live event for delivery to an audience of any size, from an individual to a large global audience.

For information about QuickTime Broadcaster, go to this Web site and navigate to the QuickTime Broadcaster page: www.apple.com/quicktime/

Highlighting Server Applications

This section introduces you to the applications, tools, and techniques you use to set up and administer your Mac OS X Server. The following table summarizes them and tells you where to find more information about them.
Application, tool, or technique | Use to | For more information, see
Server Assistant | Initialize services | page 58
Open Directory Assistant | Create or set up access to existing NetInfo and LDAPv3 directory domains and create and configure Password Servers | page 58
Directory Access | Configure access to data in existing directory domains and define a search policy | page 59
Workgroup Manager | Administer accounts, manage share points, and administer client management for Mac OS X users | page 59
Server Settings | Configure file, print, mail, Web, NetBoot, and network services | page 60
Server Status | Monitor services | page 61
Macintosh Manager | Administer client management for Mac OS 8 and 9 users | page 62
NetBoot administration tools | Manage NetBoot disk images | page 62
Package Maker | Create Network Install installation packages | page 62
Server Monitor | Review information about Xserve hardware | page 62
Streaming Server Admin | Set up and manage QuickTime Streaming Server (QTSS) | page 63
Terminal | Run command-line tools | page 552
Secure shell (SSH) | Use Terminal to run command-line tools for remote servers securely | page 553
dsimportexport | Import and export user and group accounts using XML or text files | page 555
log rolling scripts | Periodically roll, compress, and delete server log files | page 555
diskspacemonitor | Monitor percentage-full disk thresholds and execute scripts that generate email alerts and reclaim disk space when thresholds are reached | page 556
diskutil | Manage Mac OS X Server disks and volumes remotely | page 557
installer | Install software packages remotely | page 558
softwareupdate | Find new versions of software and install them remotely on a server | page 561
systemsetup | Configure system preferences on a remote server | page 561
networksetup | Configure network services for a particular network hardware port on a remote server | page 562
MySQL Manager | Manage the version of MySQL that is installed with Mac OS X Server | page 565
Simple Network Management Protocol (SNMP) administration tools | Monitor your server using the SNMP interface | page 566
diskKeyFinder | Verify the physical location of a remote headless server volume that you want to manage | page 566
Enabling IP failover | Set up a standby server that takes over if the primary server fails | page 567

Administering a Server From Different Computers

You can use the server applications to manage the local server or to manage a remote server, including headless servers. You can also manage Mac OS X Servers remotely from an administrator computer. An administrator computer is a Mac OS X computer onto which you have installed the server applications from the Mac OS X Server Administration Tools CD.

The following sections give you more information about the first 11 applications in the table above, including instructions for using them to manage a remote server. The remaining applications and tools are for use by experienced server administrators; see Chapter 17, “Tools for Advanced Users,” for information about them.

Server Assistant

Server Assistant is the application you use to perform initial service setup of a Mac OS X Server. You can use Server Assistant the first time you set up a local or remote Mac OS X Server. See Getting Started With Mac OS X Server for instructions.

Open Directory Assistant

Use Open Directory Assistant to create shared server–resident NetInfo or LDAPv3 directory domains, set up Password Servers, and configure access to shared domains and Password Servers. You can run Open Directory Assistant immediately after running Server Assistant, or you can run it later, as many times as you like.

[Figure: an administrator computer managing Mac OS X Servers]

You’ll find Open Directory Assistant in /Applications/Utilities/.
For information about how to use the application, see Chapter 2, “Directory Services.”

Directory Access

Directory Access is the primary application for setting up a Mac OS X computer’s connections with directory domains as well as defining the computer’s search path. Unlike Open Directory Assistant, Directory Access does not create directory domains. It

• configures connections with existing domains
• enables or disables service discovery protocols (AppleTalk, Rendezvous, SLP, and SMB)
• enables or disables directory protocols (LDAPv2, LDAPv3, NetInfo, and BSD configuration files)

In addition, Directory Access is available on both Mac OS X Servers and Mac OS X client computers, whereas Open Directory Assistant is available only on servers.

You’ll find Directory Access in /Applications/Utilities/. For information about how to use it, see Chapter 2, “Directory Services.”

Workgroup Manager

You use Workgroup Manager to administer user, group, and computer accounts; manage share points; and administer client management for Mac OS X users.

For information about using Workgroup Manager to administer user and group accounts, see Chapter 3, “Users and Groups.” For information about using it to administer computer accounts and client management settings, see Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8.” Chapter 4, “Sharing,” describes how to use Workgroup Manager to manage share points.

Opening and Authenticating in Workgroup Manager

Workgroup Manager is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. To open Workgroup Manager, click the Workgroup Manager icon in the Dock of Mac OS X Server or in the toolbar of Server Status:

• To open Workgroup Manager on the server you are using without authenticating, choose View Directories from the Server menu. You will have read-only access to information displayed in Workgroup Manager.
To make changes, click the lock icon to authenticate as an administrator. This approach is most useful when you are administering different servers and working with different directory domains.
• To authenticate as an administrator for a particular server, enter the server’s IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator of the server, then click Connect. Use this approach when you will be working most of the time with a particular server.

Major Workgroup Manager Tasks

After login, the user account window appears, with lists of user, group, and computer accounts in the server’s local directory domain. Here is how to get started with the major tasks you’ll be performing with this application:

• To administer user, group, or computer accounts, click the Accounts icon in the toolbar. See Chapter 3, “Users and Groups,” for information about user and group accounts and Chapter 6, “Client Management: Mac OS X,” for information about computer accounts.
• To work with preferences for managed users, groups, or computers, click the Preferences icon in the toolbar. See Chapter 6, “Client Management: Mac OS X,” for instructions.
• To work with share points, click the Sharing icon in the toolbar. See Chapter 4, “Sharing,” for instructions.
• To work with accounts in different directory domains at the same time, open multiple Workgroup Manager windows by choosing New Workgroup Manager Window from the Server menu.
• To open Server Status so you can monitor the status of a particular server, click the Status icon in the toolbar. See “Server Status” on page 61 for information about the Server Status application.
• To open Server Settings so you can work with a server’s file, print, mail, Web, NetBoot, and network settings, choose Configure Services from the Server menu. See “Server Settings” on page 60 for information about the Server Settings application.
• To control the way Workgroup Manager lists users and groups, whether it should use SSL transactions, and other behaviors, choose Preferences from the Workgroup Manager menu.
• To customize the Workgroup Manager toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Workgroup Manager as well as other Mac OS X Server topics.

Server Settings

You use Server Settings to administer file, print, mail, Web, NetBoot, and network services on a server. Server Settings is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. To open Server Settings, click the Server Settings icon in the Dock of Mac OS X Server or choose Configure Services from the Server menu in Workgroup Manager. To select a server to work with, enter its IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.

Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual services:
• For administering file and print services, select the File & Print tab to access modules.
• For administering mail and Web service, select the Internet tab to access modules.
• For administering IP Firewall, DHCP, NetBoot, DNS, and SLP DA services, select the Network tab to access modules.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Settings as well as other Mac OS X Server topics.

Server Settings is not compatible with versions of Mac OS X Server earlier than version 10.2.

Server Status

You use Server Status to monitor the services running on Mac OS X Servers. Server Status is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. To open Server Status, click the Server Status icon in the Dock of Mac OS X Server or the Status icon in Workgroup Manager. To select a server to monitor, click the Connect button in the Server Status toolbar. Enter the IP address or DNS name of the server you want to monitor in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.

Select items in the Devices & Services list to monitor specific servers and services running on the servers:
• To review general status information for a particular server, select the server name.
• To review status information for a particular service running on a server, click the disclosure triangle next to the server name to see a list of its services. Then select the service of interest.
• To add a server to the Devices & Services list, click Connect in the toolbar and log in to the server. The next time you open Server Status, any server you have added is displayed in the Devices & Services list and can be monitored again by selecting it in the list. If a server in the list appears grey, double-click the server or click the Reconnect button in the toolbar to log in again. Check the Add to Keychain option while you log in to enable automatic reconnection the next time you open Server Status.
• To remove a server from the Devices & Services list, select the server, click the Disconnect button in the toolbar, and choose Remove From List from the Server menu.
• To control the way Server Status lists servers and services, how often status data is refreshed, and other behaviors, choose Preferences from the Server Status menu.
• To customize the Server Status toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Status as well as other Mac OS X Server topics.
Macintosh Manager

You use Macintosh Manager to administer client management for Mac OS 8 and 9 client computers. You can use it locally (at the server) or remotely (from a Mac OS 9 or X computer on the same network as your Mac OS X Server). Open Macintosh Manager by clicking its icon in the Dock. Log in using a server, Macintosh Manager, or workgroup administrator user name and password. As a server administrator, you automatically have global administrator privileges for Macintosh Manager. See Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more information.

NetBoot Administration Tools

There are several applications you use to administer NetBoot:
• NetBoot Desktop Admin lets you modify Mac OS 9 images.
• Network Image Utility lets you create and modify Mac OS X images.
• The DHCP/NetBoot module of Server Settings lets you save NetBoot images.

See Chapter 12, “NetBoot,” for information about these tools.

Network Install Administration Application

You use Package Maker to create Network Install packages. See Chapter 13, “Network Install,” for information about this application.

Server Monitor

You use Server Monitor to monitor Xserve hardware and trigger email notifications when circumstances warrant attention. Server Monitor shows you information about the installed operating system, drives, power supply, enclosure and processor temperature, cooling blowers, security, and network. Server Monitor is installed in /Applications/Utilities/ when you install your server or set up an administrator computer.

Use the application to monitor local or remote servers:
• To specify the Xserve server to monitor, click Add Server, identify the server of interest, and enter user name and password information for an administrator of the server.
• Use the “Update every” pop-up menu to specify how often you want to refresh data.
• Use the Export Items and Import Items buttons to manage different lists of Xserve servers you want to monitor. The Merge Items button lets you consolidate lists into one.
• The system identifier lights on the front and back of an Xserve server light when service is required. Use Server Monitor to understand why the lights are on. You can also turn the lights on to identify a particular Xserve server in a rack of servers by selecting the server and clicking “system identifier light on” on the Info tab.
• You can set Server Monitor to notify you by email when an Xserve server’s status changes. For each server, you set up the conditions that you want notification about. The email message can come from Server Monitor or from the server.
• Server Monitor keeps logs of Server Monitor activity for each Xserve server. (The logs do not include system activity on the server.) The log shows, for example, the times Server Monitor attempted to contact the server, and whether a connection was successful. The log also shows server status changes.

You can also use Server Monitor to get an Apple System Profiler report on a remote server.

Streaming Server Admin

To set up and manage QTSS, you use the Web-based Streaming Server Admin program. Streaming Server Admin lets you easily create and serve playlists, customize general settings, monitor connected users, view log files, manage user and bandwidth usage, and relay a stream from one server to another for scalability.

To use Streaming Server Admin:
1. From Mac OS X Server, click the Streaming Server Admin icon in the Dock, then go to step 3. Alternatively, from a server with QTSS installed, open a Web browser. You can also use a Web browser from a remote Mac OS X computer.
2. Enter the URL for your Streaming Server Admin. For example: myserver.com:1220. Replace “myserver.com” with the name of your Streaming Server computer. 1220 is the port number.
3. The first time you run Streaming Server Admin, the Setup Assistant prompts you for your user name and password.
To display online help information about using Streaming Server Admin, setting up secure administration (SSL), and setting up your server to stream hinted media, click the question mark button in the application. Information about QTSS is also available at the QuickTime Web site: www.apple.com/quicktime/products/qtss/

Where to Find More Information

Regardless of your server administration experience, you may want to take advantage of the wide range of Apple customer training courses. To learn more, go to train.apple.com

If You’re New to Server and Network Management

If you want to learn more about Mac OS X Server, see the Mac OS X Server Web site: www.apple.com/macosx/server/

Online discussion groups can put you in touch with your peers. Many of the problems you encounter may already have been solved by other server administrators. To find the lists available through Apple, see the following site: www.lists.apple.com

The AppleCare support site’s discussion boards are an additional source of information: www.info.apple.com/

Consider obtaining some of these reference materials. They contain background information, explanations of basic concepts, and ideas for getting the most out of your network.
• Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books Worldwide, 1998).
• Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).

In addition, NetworkMagazine.com offers a number of online tutorials on its Web site: www.networkmagazine.com

If You’re an Experienced Server Administrator

If you’re already familiar with network administration and you’ve used Mac OS X Server, Linux, UNIX, or a similar operating system, you may find these additional references useful.
• A variety of books from O’Reilly & Associates cover topics applicable to Mac OS X Server, such as Internet Core Protocols: The Definitive Reference, DNS and BIND, and TCP/IP Network Administration. For more advanced information, see Apache: The Definitive Guide, Writing Apache Modules with Perl and C, Web Performance Tuning, and Web Security & Commerce, also published by O’Reilly & Associates. See the O’Reilly & Associates Web site: www.ora.com
• See the Apache Web site for detailed information about Apache: www.apache.org/

Chapter 2
Directory Services

Directory services provide a central repository for information about the systems, applications, and users in an organization. In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit by deploying directory services.

Directory services can be doubly beneficial. They centralize system and network administration, and they simplify a user’s experience on the network. With directory services, information about all the users—such as their names, passwords, and preferences—as well as printers and other resources on a network can be maintained in a single location rather than on each computer on the network.

Using directory services can reduce the system administrator’s user management burden. In addition, users can log in to any authorized computer on the network. Anywhere a user logs in, the user’s personal Desktop appears, customized for the user’s individual preferences. The user always has access to personal files and can easily locate and use authorized network resources.

Apple has built an open, extensible directory services architecture, called Open Directory, into Mac OS X and Mac OS X Server.
A Mac OS X Server or Mac OS X client computer can use Open Directory to retrieve authoritative information about users and network resources from a variety of sources:
• directory domains on the computer itself and on other Mac OS X Servers
• directory domains on other servers, including LDAP directory domains and Active Directory domains on non-Apple servers
• BSD configuration files located on the computer itself
• network services, such as file servers, that make themselves known with the Rendezvous, AppleTalk, SLP, or SMB service discovery protocols

Mac OS 9 and Mac OS 8 managed clients also use Open Directory to retrieve some user information. For more information, see “How Macintosh Manager Works With Directory Services” on page 420 in Chapter 10, “Client Management: Mac OS 9 and OS 8.”

The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. A Password Server can also enforce such policies as password expiration and minimum length.

To understand the information in this chapter, you should be comfortable with Mac OS X. You do not need advanced network administrator or UNIX experience to use directory services provided by Mac OS X Servers. If you want to integrate LDAP directories from other servers, you need to be familiar with LDAP. If you want to integrate Active Directory servers, you need to be familiar with Active Directory and LDAP. You need to be comfortable with UNIX if you want to integrate BSD configuration files.

Storage for Data Needed by Mac OS X

Directory services act as an intermediary between directory domains, which store information about users and resources, and the application and system software processes that want to use the information. A directory domain stores information in a specialized database that is optimized to handle a great many requests for information and to find and retrieve information quickly. Information may be stored in one directory domain or in several related directory domains.

[Figure: Processes (Printers, Groups, Servers, Users, Mounts) – Directory services – Directory domains]

Processes running on Mac OS X computers can use directory services to save information in a directory domain. For example, when you set up a user account, the application that you use to do this has directory services store information about the user in a directory domain.
• On a computer with Mac OS X version 10.2, you use the My Account pane or the Accounts pane of System Preferences to set up user accounts that are valid only on the one computer.
• On a computer with Mac OS X Server version 10.2, you use the Accounts module of Workgroup Manager to set up user accounts that are valid on all Mac OS X computers on your network. You can specify additional user attributes in a network user account, such as the location of the user’s home directory.

Whether you use Workgroup Manager or System Preferences to create a user account, the user information is stored in a directory domain. When someone attempts to log in to a Mac OS X computer, the login process uses Mac OS X directory services—Open Directory—to validate the user name and password.

A Historical Perspective

Like Mac OS X, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems have generally kept in configuration files, which require much painstaking work to maintain. (Some UNIX systems still rely on configuration files.) Open Directory consolidates the data and distributes it for ease of access and maintenance.
[Figure: Accounts – Directory services – Directory domain]

Data Consolidation

For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory. This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information. If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.eq, passwd, and so forth. For example, a UNIX process that needs a user’s password consults the /etc/passwd file, which contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.

Open Directory consolidates administrative information, simplifying the interactions between processes and the administrative data they create and use.

[Figure: UNIX processes – /etc/passwd, /etc/hosts, /etc/group; Mac OS X processes – Directory services]

Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user’s home directory, the process simply has Open Directory retrieve the information. Open Directory finds the requested information, and then returns it, insulating the process from the details of how the information is stored. If you set up Open Directory to access administrative data in several directory domains, Open Directory automatically consults them as needed.

Some of the data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the authentication attributes, home directory location, real name, user ID, and group ID—all stored in the user records of a directory domain—have corresponding entries in the standard /etc/passwd file. However, a directory domain stores much additional data to support functions that are unique to Mac OS X, such as support for managed clients and Apple Filing Protocol (AFP) directories.

Data Distribution

Another characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer on which they are stored. Each computer has its own UNIX configuration files. With UNIX configuration files, each computer that someone wants to use must have that person’s user account settings stored on it, and each computer must store the account settings for every person who may want to use the computer. To set up a computer’s network settings, the administrator needs to go to the computer and directly enter the IP address and other information that identifies the computer on the network.

Similarly, when user or network information needs to be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity.

[Figure: Mac OS X processes – Directory services – Directory domains]

Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a system administrator from one location. Open Directory lets you distribute the information so that it is visible on a network to the computers that need it and the administrator who manages it:

[Figure: Users and System administrator – Directory services – Directory domain]

Uses of Directory Data

Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if application and system software processes running on network computers actually access the information. The real power of Open Directory is not that it provides directory services, but the fact that Mac OS X software accesses data through Open Directory. Here are some of the ways in which Mac OS X system and application software use directory data:
• Authentication. As mentioned already, the Accounts module of Workgroup Manager or the Accounts pane of System Preferences creates user records in a directory domain, and these records are used to authenticate users who log in to Mac OS X computers. When a user specifies a name and a password in the Mac OS X login window, the login process asks Open Directory for the user record that corresponds to the name that the user specified. Open Directory finds the user record in a directory domain and retrieves the record.
• Folder and file access. After logging in successfully, a user can access files and folders. Mac OS X uses another data item from the user record—the user ID (UID)—to determine the user’s access privileges for a file or folder that the user wants to access. When a user accesses a folder or file, the file system compares this user’s UID to the UID assigned to the folder or file. If the UIDs are the same, the file system grants owner privileges (usually read and write privileges) to the user. If the UIDs are different, the user doesn’t get owner privileges.
• Home directories. Each user record in a directory domain stores the location of the user’s home directory, which is also known as the user’s home folder. This is where the user keeps personal files, folders, and preferences. A user’s home directory can be located on a particular computer that the user always uses or on a network file server.
• Automount share points. Share points can be configured to automount (appear automatically) in the /Network folder (the Network globe) in the Finder windows of client computers.
Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions that you have made accessible over the network.
• Mail account settings. Each user’s record in a directory domain specifies whether the user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and more.
• Resource usage. Disk, print, and mail quotas can be stored in each user record of a directory domain.
• Managed client information. A user’s personal preference settings, as well as preset preferences that affect the user, are stored in a directory domain.
• Group management. In addition to user records, a directory domain also stores group records. Each group record affects all users who are in the group. Information in group records specifies preferences settings for group members. Group records also determine access to files, folders, and computers.

Inside a Directory Domain

Information in a directory domain is organized into record types, which are specific categories of records, such as users, machines, and mounts. For each record type, a directory domain may contain any number of records. Each record is a collection of attributes, and each attribute has one or more values. If you think of each record type as a spreadsheet that contains a category of information, then records are like the rows of the spreadsheet, attributes are like spreadsheet columns, and each spreadsheet cell contains one or more values.

For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the user’s record type). The settings that you configure for the user—short name, full name, home directory location, and so on—become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.

Discovery of Network Services

Open Directory can provide more than administrative data from directories. Open Directory can also provide information about services that are available on the network. For example, Open Directory can provide information about file servers that are currently available. Information about file servers and other services tends to change much more frequently than information about users. Therefore, information about network services typically isn’t stored in directory domains. Instead, information about file servers and other network servers is discovered as the need arises.

Open Directory can discover network services that make their existence and whereabouts known. Services make themselves known by means of standard protocols. Open Directory supports the following service discovery protocols:
• Rendezvous, the Apple protocol that uses multicast DNS
• AppleTalk, the legacy Mac OS protocol for file services
• Service Location Protocol (SLP), an open standard for discovering file and print services
• Server Message Block (SMB), the protocol used by Microsoft Windows

[Figure: File servers – Directory services]

In fact, Open Directory can provide information about network services both from service discovery protocols and from directory domains. To accomplish this, Open Directory simply asks all its sources of information for the type of information requested by a Mac OS X process. The sources that have the requested type of information provide it to Open Directory, which collects all the provided information and hands it over to the Mac OS X process that requested it. For example, if Open Directory requests information about file servers, the file servers on the network respond via service discovery protocols with their information. A directory domain that contains relatively static information about some file servers also responds to the request. Open Directory collects the information from the service discovery protocols and the directory domains.

When Open Directory requests information about a user, service discovery protocols don’t respond because they don’t have user information. (Theoretically, AppleTalk, Rendezvous, SMB, and SLP could provide user information, but in practice they don’t have any user information to provide.) The user information that Open Directory collects comes from whatever sources have it—from directory domains.

[Figure: File servers and Directory domain – Directory services]

Directory Domain Protocols

Administrative data needed by directory services is stored on Mac OS X Servers in Open Directory databases. An Open Directory database is one type of directory domain. Open Directory can use either of two protocols to store and retrieve directory data:
• Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environments
• NetInfo, the Apple directory services protocol for Mac OS X

The directory services of Mac OS X version 10.2—Open Directory—can also store and retrieve administrative data that resides in existing directory domains on other servers. Open Directory can read and write data in the following domains:
• Shared NetInfo domains on other Mac OS X computers (servers or clients)
• OpenLDAP directories on various UNIX servers
• Active Directory domains on Windows servers
• Other LDAPv3-compliant directories that are configured to allow remote administration and read and write access

In addition, Open Directory can retrieve but not store administrative data in the following domains:
• BSD configuration files located on the Mac OS X Server
• LDAPv2 domains and read-only LDAPv3 domains on other servers

Local and Shared Directory Domains

Where you store your server’s user information and other administrative data is determined by whether the data needs to be shared.

Local Data

Every Mac OS X computer has a local directory domain.
A local domain’s administrative data is visible only to applications and system software running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs some other operation that requires data stored in a directory domain.

When the user logs in to a Mac OS X computer, Open Directory searches the computer’s local directory domain for the user’s record. If the local directory domain contains the user’s record (and the user typed the correct password), the login process proceeds and the user gets access to the computer.

[Figure: Log in to Mac OS X (local domain); Connect to Mac OS X Server (local domain)]

After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X Server. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain. If the server’s local directory domain has a record for the user (and the user types the correct password), the server grants the user access to the file services.

When you first set up a Mac OS X computer, its local directory domain is automatically created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup, as well as other information, such as a unique ID for the user and the location of the user’s home directory.

Shared Data

While Open Directory on any Mac OS X computer can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac OS X computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, any administrative data in the shared domain is also visible to applications and system software running on that computer. If Open Directory does not find a user’s record in the local domain of a Mac OS X computer, Open Directory automatically searches for the user’s record in any shared domains to which the computer has access. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.

Shared domains generally reside on Mac OS X Servers, because servers are equipped with the tools, such as Workgroup Manager and Server Settings, that facilitate managing network resources and network users.

[Figure: Shared domain above two local domains; Log in to Mac OS X; Connect to Mac OS X Server]

Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domain accessed by those computers. For example, graphic artists in a company might need to access color printers, while copy center personnel need to use high-speed laser printers. Rather than configuring printer access for each computer individually, you could use the Print module of Server Settings to add printers to two shared domains: Graphics and Repro. Printers visible in the Print Center of graphic artists’ computers would be those in the Graphics domain, while printers in the Repro domain would be visible to computers used by copy center personnel. Printers that have records in shared domains appear in the Directory Services printer list in Print Center.

[Figure: Repro domain (copy center personnel); Graphics domain (graphic artists)]

While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be shared by all employees. You could make a folder of those forms available to everybody by setting up a share point for the folder in another shared domain that all computers can access. The shared domain at the top of a hierarchy of directory domains is sometimes called the root domain.
Repro domain Company domain Graphics domain Graphic artists Copy center personnel78 Chapter 2 Shared Data in Existing Directory Domains Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can be configured to search these non-Apple domains as well as shared Open Directory domains of Mac OS X Servers. When a user logs in to a computer on your network, Open Directory still searches for the user in the computer’s local domain and in shared domains on Mac OS X Servers. But if the user is not found and Open Directory has been configured to search an LDAP domain on a UNIX server, Open Directory consults the LDAP domain for information about the user. Directory Domain Hierarchies Local and shared domains are organized into hierarchies, tree-like topologies that have a shared domain at the top and local domains at the bottom of the tree. A hierarchy can be as simple as a local domain and a shared domain, or it can contain more shared domains. Mac OS 9 user Mac OS X user Windows user Mac OS X Server Local domain Shared domain LDAP server 2 1 3Directory Services 79 Two-Level Hierarchies The simplest hierarchy is a two-level hierarchy: Here’s a scenario in which a two-level hierarchy might be used: Each department (English, Math, Science) has its own computer. The students in each department are defined as users in the local domain of that department’s computer. All three of these local domains have the same shared domain, in which all the instructors are defined. Instructors, as members of the shared domain, can use services on all the departmental computers. The members of each local domain can only use services on the server where their local domain resides. 
[Figure: a shared directory domain above a local directory domain]

[Figure: local domains on the English department’s, Math department’s, and Science department’s computers, all below one shared domain]

While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local domain’s computer. In this example, the shared domain can reside on any server accessible from the departmental servers. It can reside on one of the departmental servers, or—as shown here—on an entirely different server on the network:

[Figure: a Faculty Mac OS X Server hosting the shared domain; the English, Math, and Science department computers each with their own local domain]

When an instructor logs in to any of the three departmental servers and cannot be found in the local domain, the server searches the shared domain. In this example, there is only one shared domain, but in more complex hierarchies, there may be many shared domains.

More Complex Hierarchies

Open Directory also supports multilevel domain hierarchies. Complex networks with large numbers of users may find this kind of organization useful, although it’s much more complex to administer. In this scenario, an instructor defined in the Campus domain can use Mac OS X computers on which any of the local domains reside. A student defined in the Students domain can log in to any Mac OS X computers that are below the Graduates domain or Undergraduates domain. A directory domain hierarchy affects which Mac OS X computers can see particular administrative data. The “subtrees” of the hierarchy essentially hide information from other subtrees in the hierarchy. In the education example, computers using the subtree that includes the Graduates domain do not have access to records in the Undergraduates domain. But records in the Campus domain are visible to any computer.
Directory domain visibility depends on the computer, not the user. So when a user logs in to a different computer, administrative data from different directory domains may be visible to that computer. In the education scenario described here, an undergraduate can log in to a graduate student’s computer if the undergraduate’s user record resides in the Students domain. But the devices that are defined in the Undergraduates domain are not visible unless they are also defined in the Graduates, Students, or Campus domain.

[Figure: the Campus, Employees, Faculty, Students, Undergraduates, and Graduates shared domains, with local domains on Mac OS X clients or servers at the bottom of the hierarchy]

You can affect an entire network or just a group of computers by choosing which domain to publish administrative data in. The higher the administrative data resides in a directory domain hierarchy, the fewer places it needs to be changed as users and system resources change.

Probably the most important aspect of directory services for administrators is planning directory domains and hierarchies. These should reflect the resources you want to share, the users you want to share them among, and even the way you want to manage your directory data.

Search Policies for Directory Domain Hierarchies

In a hierarchy of directory domains, each Mac OS X computer has a search policy that specifies the order in which Open Directory searches the domains. A search policy, also known as a search path, is simply a list of directory domains. On a Mac OS X computer, Open Directory goes down this list of directory domains whenever an application or system software running on the computer needs administrative data. The list of directory domains defines the computer’s search policy. The search policy effectively establishes the computer’s place in the hierarchy. A computer’s local directory domain is always first on the list.
It may be followed by shared Open Directory domains on Mac OS X Servers and LDAP domains on other servers. It may also include a set of BSD configuration files that are on the computer.

For example, when someone tries to log in to a Mac OS X computer, Open Directory searches the computer’s local domain for the user’s record. The local directory domain is always first on a computer’s search policy.

[Figure: the local domain, then the Graduates domain; “Is the user defined here?”]

If the local domain does not contain the user’s record, Open Directory goes to the next directory domain in the search policy. If the second directory domain also does not contain the user’s record, Open Directory searches the remaining directory domains in the search policy one by one until it searches the last shared domain.

[Figure: the local domain, the Graduates domain, the Students domain, and the Campus domain in turn; “Is the user defined here?” answered No at each level until the last]

The Automatic Search Policy

Initially, every computer with Mac OS X version 10.2 is set to use an automatic search policy. It consists of three parts, two of which are optional:
• local directory domain
• shared NetInfo domains (optional)
• shared LDAPv3 domains (optional)

A computer’s automatic search policy always begins with the computer’s local directory domain. Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain may be bound to a shared NetInfo domain, which may in turn be bound to another shared NetInfo domain, and so on. The NetInfo binding, if any, constitutes the second part of the automatic search policy. See “Configuring NetInfo Binding” on page 111 for additional information. The third and final part of a computer’s automatic search policy consists of shared LDAPv3 domains. They are included only if the computer uses a DHCP service that’s configured to supply the addresses of one or more LDAPv3 servers.
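As an added illustration that is not part of Apple’s guide, the following Python model walks the education hierarchy through a per-computer search policy: the local domain is consulted first, the first matching record wins, and records in the Undergraduates domain stay invisible from a computer in the Graduates subtree. The domain names are the guide’s; the record names, UIDs, and the local:… domain labels are constructed.

```python
"""Model of Open Directory domain hierarchies and search policies.

Added example, not code from Apple's guide: it reproduces the education
scenario (Campus, Employees, Faculty, Students, Graduates, Undergraduates)
to show that the local domain is always searched first, that the first
matching record wins, and that visibility depends on the computer's
search policy, not on the user. All records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Domain:
    """A directory domain: a name plus records grouped by record type."""
    name: str
    records: Dict[str, Dict[str, dict]] = field(default_factory=dict)

    def add(self, record_type: str, name: str, **attrs) -> None:
        self.records.setdefault(record_type, {})[name] = dict(attrs)

    def lookup(self, record_type: str, name: str) -> Optional[dict]:
        return self.records.get(record_type, {}).get(name)


@dataclass
class Computer:
    """A Mac OS X computer: its local domain plus the shared domains it
    can reach, in search order."""
    name: str
    local: Domain
    shared: List[Domain] = field(default_factory=list)

    def search_policy(self) -> List[Domain]:
        # The local domain is always first; shared domains follow in order.
        return [self.local] + self.shared

    def find(self, record_type: str, name: str) -> Tuple[Optional[str], Optional[dict]]:
        """Walk the search policy; return (domain name, record) of the
        first match, or (None, None) if no domain in the policy has it."""
        for domain in self.search_policy():
            rec = domain.lookup(record_type, name)
            if rec is not None:
                return domain.name, rec
        return None, None

    def visible_records(self, record_type: str) -> List[str]:
        """Names of all records of a type reachable through the policy."""
        seen: List[str] = []
        for domain in self.search_policy():
            for rec_name in domain.records.get(record_type, {}):
                if rec_name not in seen:
                    seen.append(rec_name)
        return seen


def build_campus() -> Dict[str, Computer]:
    """Constructed hierarchy from the guide's education scenario."""
    campus, employees, faculty = Domain("Campus"), Domain("Employees"), Domain("Faculty")
    students, graduates = Domain("Students"), Domain("Graduates")
    undergrads = Domain("Undergraduates")
    campus.add("printers", "library-laser", location="Library")
    faculty.add("users", "prof_ada", uid=1001)
    students.add("users", "ugrad_bob", uid=5001)
    students.add("users", "grad_carol", uid=5002)
    undergrads.add("printers", "ugrad-lab-printer", location="Lab 1")
    graduates.add("printers", "grad-office-printer", location="Office 2")
    # Each computer's search policy: local first, then its subtree up to Campus.
    grad_pc = Computer("grad-pc", Domain("local:grad-pc"), [graduates, students, campus])
    ugrad_pc = Computer("ugrad-pc", Domain("local:ugrad-pc"), [undergrads, students, campus])
    faculty_pc = Computer("faculty-pc", Domain("local:faculty-pc"), [faculty, employees, campus])
    # A local account with the same name as a shared one is found first, so
    # local records take precedence on that computer (the guide's first-match
    # rule); this is worth checking when auditing who can log in where.
    grad_pc.local.add("users", "grad_carol", uid=502)
    return {"grad-pc": grad_pc, "ugrad-pc": ugrad_pc, "faculty-pc": faculty_pc}


if __name__ == "__main__":
    pcs = build_campus()
    print(pcs["grad-pc"].find("users", "ugrad_bob"))      # found in Students
    print(pcs["grad-pc"].visible_records("printers"))     # no Undergraduates printers
    print(pcs["ugrad-pc"].find("users", "prof_ada"))      # (None, None)
```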
The DHCP service of Mac OS X Server can supply LDAPv3 servers. See “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

A computer’s automatic search policy may change if the computer is moved to a part of the network served by a different DHCP service. When the user logs in at the new location, the computer connects to the new DHCP service. The new DHCP service may change the NetInfo binding and may supply a different list of LDAPv3 servers than the DHCP service at the former location.

Custom Search Policies

If you don’t want a Mac OS X version 10.2 computer—server or client—to use the automatic search policy supplied by DHCP, you can define a custom search policy for the computer.

In this scenario, a custom search policy specifies that LDAP Server 1 be consulted when a user record or other administrative data cannot be found in the directory domains of the automatic search policy. The custom search policy also specifies that if the user information or other administrative data is not found on the LDAP server, a shared Open Directory domain named “Campus” is searched.

[Figure: the local domain, the Graduates domain, and the Students domain, followed by LDAP Server 1 and then the Campus domain]

Directory Domain Planning

Keeping information in shared directory domains gives you more control over your network, allows more users access to the information, and makes maintaining the information easier for you. But the amount of control and convenience depends on the effort you put into planning your shared domains. The goal of directory domain planning is to design the simplest hierarchy of shared domains that gives your Mac OS X users easy access to the network resources they need and minimizes the time you spend maintaining administrative data.

General Planning Guidelines

If you do not need to share user and resource information among multiple Mac OS X computers, there is very little directory domain planning necessary.
Everything can be accessed from local directory domains. Just ensure that all individuals who need to use a particular Mac OS X computer are defined as users in the local directory domain on the computer.

[Figure: two local domains only; the user logs in to Mac OS X and connects to Mac OS X Server]

If you want to share information among Mac OS X computers, you need to set up at least one shared domain. A hierarchy this simple may be completely adequate when all your network computer users share the same resources, such as printers and share points for home directories, applications, and so forth.

[Figure: a shared domain above two local domains; the user logs in to Mac OS X and connects to Mac OS X Server]

Larger, more complex organizations can benefit from a deeper directory domain hierarchy.

Controlling Data Accessibility

Hierarchies that contain several shared domains let you make directory information visible to only subsets of a network’s computers. In the foregoing example hierarchy, the administrator can tailor the users and resources visible to the community of Mac OS X computers by distributing directory information among six shared domains. If you want all computers to have access to certain administrative data, you store that data in the shared domain at the top of your hierarchy, where all computers can access it. To make some data accessible only to a subset of computers, you store it in a shared domain that only those computers can access.

You might want to set up multiple shared directory domains to support computers used by specific groups within an organization. For example, you might want to make share points containing programming applications and files visible only to engineering computers. On the other hand, you might give technical writers access to share points that store publishing software and document files. If you want all employees to have access to each other’s home directories, you would store mount records for all the home directories in the topmost shared domain.
[Figure: the example hierarchy of six shared domains: Campus, Employees, Faculty, Students, Undergraduates, and Graduates]

Simplifying Changes to Data in Directory Domains

If you need more than one shared directory domain, you should organize your hierarchy of shared domains to minimize the number of places data has to change over time. You should also devise a plan that addresses how you want to manage such ongoing events as
• new users joining and leaving your organization
• file servers being added, enhanced, or replaced
• printers being moved among locations

You’ll want to try to make each directory domain applicable to all the computers that use it so you don’t have to change or add information in multiple domains. In the education hierarchy example, all students may have user records in the Students domain and all employees have accounts in the Employees domain. As undergraduate students leave or become graduate students, or as employees are hired or retire, the administrator can make adjustments to user information simply by editing one domain.

If you have a widespread or complex hierarchy of directory domains in a network that is managed by several administrators, you need to devise strategies to minimize conflicts. For example, you can predefine ranges of user IDs (UIDs) to avoid inadvertent file access. (For more information, see “Defining User IDs” on page 144 in Chapter 3, “Users and Groups.”)

Identifying Computers for Hosting Shared Domains

If you need more than one shared domain, you need to identify the computers on which shared domains should reside. Shared domains affect many users, so they should reside on Mac OS X Servers that have the following characteristics:
• restricted physical access
• limited network access
• equipped with high-availability technologies, such as uninterruptible power supplies

You should select computers that will not be replaced frequently and that have adequate capacity for growing directory domains.
While you can move a shared domain after it has been set up, you may need to reconfigure the search policies of computers that bind to the shared domain so that their login hierarchies remain intact.

Open Directory Password Server

Besides providing directory services on Mac OS X Servers and other Mac OS X computers, Open Directory can also provide authentication services. An Open Directory Password Server can store and validate user passwords for login and other network services that require authentication. A Password Server supports basic authentication as well as authentication protocols that protect the privacy of a password during transmission on the network. A Password Server lets you set up specific password policies for each user, such as automatic password expiration and minimum password length. Your Mac OS X Server can host a Password Server, or it can get authentication services from a Password Server hosted by another Mac OS X Server.

Authentication With a Password Server

When a user’s account is configured to use a Password Server, the user’s password is not stored in a directory domain. Instead, the directory domain stores a unique password ID assigned to the user by the Password Server. To authenticate a user, directory services pass the user’s password ID to the Password Server. The Password Server uses the password ID to find the user’s actual password and any associated password policy. For example, the Password Server may locate a user’s password but discover that it has expired. If the user is logging in, the login window asks the user to replace the expired password. Then the Password Server can authenticate the user. A Password Server can’t authenticate a user during login on a computer with Mac OS X version 10.1 or earlier.
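The password ID indirection and expiry check just described, as an added Python model that is not Apple’s implementation: the directory maps a user to a 128-bit password ID, the Password Server keeps only a salted PBKDF2 hash (an assumed choice, since the guide does not say which hash it stores) together with the user’s policy, and it exposes set and verify operations only, logging invalid attempts. All names, passwords, and dates are constructed.

```python
"""Added example (not Apple's code) of how an Open Directory Password Server
keeps passwords out of the directory domain: the directory holds only a
128-bit password ID, the server holds a hashed password plus a per-user
policy, only ever sets or verifies passwords, and logs invalid attempts.
Salted PBKDF2 from hashlib is an assumption (the guide names no hash);
all users, passwords and dates below are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Policy:
    min_length: int = 8                        # minimum password length
    expires_after_days: Optional[int] = None   # None: never expires


@dataclass
class PasswordRecord:
    short_name: str     # user data that is useful in log records
    salt: bytes
    digest: bytes       # hashed form; the clear password is never stored
    set_on: date
    policy: Policy


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordServer:
    def __init__(self, today: Optional[date] = None) -> None:
        self.today = today or date.today()
        self._records: Dict[str, PasswordRecord] = {}   # keyed by password ID
        self.log: List[str] = []

    def create(self, short_name: str, password: str, policy: Policy) -> str:
        """Store a new password; return the ID the directory domain keeps."""
        if len(password) < policy.min_length:
            raise ValueError("password shorter than policy minimum")
        password_id = secrets.token_hex(16)   # 128-bit value
        salt = secrets.token_bytes(16)
        self._records[password_id] = PasswordRecord(
            short_name, salt, _digest(password, salt), self.today, policy)
        return password_id

    def is_expired(self, password_id: str) -> bool:
        rec = self._records[password_id]
        days = rec.policy.expires_after_days
        return days is not None and self.today > rec.set_on + timedelta(days=days)

    def verify(self, password_id: str, password: str) -> str:
        """Return "ok", "expired" or "invalid"; passwords are never read back."""
        rec = self._records.get(password_id)
        if rec is None or not hmac.compare_digest(_digest(password, rec.salt), rec.digest):
            self.log.append(f"invalid password attempt for {rec.short_name if rec else password_id[:8]}")
            return "invalid"
        return "expired" if self.is_expired(password_id) else "ok"

    def replace(self, password_id: str, old: str, new: str) -> bool:
        """Set a new password after proving the old one (even if expired)."""
        if self.verify(password_id, old) == "invalid":
            return False
        rec = self._records[password_id]
        if len(new) < rec.policy.min_length:
            raise ValueError("password shorter than policy minimum")
        rec.salt, rec.set_on = secrets.token_bytes(16), self.today
        rec.digest = _digest(new, rec.salt)
        return True


def login(server: PasswordServer, directory: Dict[str, str], user: str,
          password: str, replacement: Optional[str] = None) -> str:
    """Login window flow: the directory yields a password ID, the server validates."""
    password_id = directory.get(user)
    if password_id is None:
        return "no such user"
    result = server.verify(password_id, password)
    if result == "expired" and replacement is not None:
        return "ok" if server.replace(password_id, password, replacement) else "invalid"
    return result


def run_scenario() -> List[str]:
    """Constructed walk-through: good login, bad password, expiry, renewal."""
    server = PasswordServer(today=date(2002, 9, 1))
    directory = {"alice": server.create("alice", "correct horse",
                                        Policy(8, expires_after_days=30))}
    out = [login(server, directory, "alice", "correct horse"),
           login(server, directory, "alice", "wrong guess"),
           login(server, directory, "mallory", "anything")]
    server.today = date(2002, 10, 15)        # 44 days later: password expired
    out += [login(server, directory, "alice", "correct horse"),
            login(server, directory, "alice", "correct horse", "new long pass"),
            login(server, directory, "alice", "correct horse"),   # old one gone
            login(server, directory, "alice", "new long pass")]
    return out + server.log


if __name__ == "__main__":
    print(run_scenario())
```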
You’ll find more information about configuring user accounts to use a Password Server in “Understanding Password Validation” on page 189 of Chapter 3, “Users and Groups.”

Network Authentication Protocols

The Password Server is based on a standard known as Simple Authentication and Security Layer (SASL). This standard enables a Password Server to support the wide range of network user authentication protocols used by various network services of Mac OS X Server, such as mail service and file services. Here are a few of the network authentication protocols that the Password Server supports:
• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest

Password Server Database

The Password Server maintains a record for each user that includes the following:
• Password ID, a 128-bit value assigned when the password is created. The value includes a key for finding a user’s Password Services record.
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP or 2-Way Random is enabled, the Password Server stores a recoverable (encrypted) password. If neither of these methods is enabled, only hashes of the passwords are stored.
• Data about the user that is useful in log records, such as the user’s short name.
• Password policy data.

Password Server Security

The Password Server stores passwords, but never allows passwords to be read. Passwords can only be set and verified. Malicious users who want to gain access to your server must try to log in over the network. Invalid password instances, logged by the Password Server, can alert you to such attempts.

Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which a Password Server runs is secure:
• Set up Password Servers on a server that is not used for any other activity.
• Since the load on a Password Server is not particularly high, you can have several (or even all) of your Open Directory server domains share a single Password Server.
• Set up IP firewall service so nothing is accepted from unknown ports. Password Server uses a well-known port.
• Make sure that the Password Server’s computer is located in a physically secure location, and don’t connect a keyboard or monitor to it.
• Equip the server with an uninterruptible power supply.

The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server.

Overview of Directory Services Tools

The following applications help you set up and manage directory domains and Password Servers.
• Open Directory Assistant. Use to create and configure shared or standalone Open Directory domains (NetInfo or LDAPv3) and to set up Open Directory Password Servers. Located in /Applications/Utilities.
• Directory Access. Use to enable or disable individual directory service protocols; define a search policy; configure connections to existing LDAPv3, LDAPv2, and NetInfo domains; and configure data mapping for LDAPv3 and LDAPv2 domains. Located in /Applications/Utilities.
• Server Status. Use to monitor directory services and view directory services logs. Located in /Applications/Utilities.

Experts can also use the following applications to manage directory domains:
• Property List Editor. Use to add BSD configuration files that you want Open Directory to access for administrative data, and change the mapping of the data in each BSD configuration file to specific Mac OS X record types and attributes. Located in /Developer/Applications if you have installed the developer tools from the Developer Tools CD.
• NetInfo Manager.
Use to view and change records, attributes, and values in an Open Directory domain (LDAPv3 or NetInfo) or in a NetInfo domain; manage a NetInfo hierarchy; and back up and restore a NetInfo domain. Located in /Applications/Utilities.
• Terminal. Open to use UNIX command-line tools that manage NetInfo domains. Located in /Applications/Utilities.

Setup Overview

Here is a summary of the major tasks you perform to set up and maintain directory services. See the pages indicated for detailed information about each task.

Step 1: Before you begin, do some planning
See “Before You Begin” on page 91 for a list of items to think about before you start configuring directory domains.

Step 2: Set up Open Directory domains and Password Servers
Create shared directory domains on the Mac OS X Servers that you want to host them. At the same time, set up Open Directory Password Servers. See the following sections:
• “Setting Up an Open Directory Domain and Password Server” on page 92
• “Deleting a Shared Open Directory Domain” on page 93

Step 3: Set up access to directory domains on other servers
If some of your user information and other administrative data will not reside in Open Directory domains, you must make sure your other sources of data are set up for Mac OS X. For instructions, see the following sections of this chapter:
• “Configuring Access to Existing LDAPv3 Servers” on page 98
• “Using an Active Directory Server” on page 104
• “Accessing an Existing LDAPv2 Directory” on page 106
• “Using NetInfo Domains” on page 110
• “Using Berkeley Software Distribution (BSD) Configuration Files” on page 115

Step 4: Implement search policies
Set up search policies so that all computers have access to the shared directory domains they need. Note that if all computers have Mac OS X version 10.2 and can use the automatic search policy, there is nothing to set up. Otherwise, see “Setting Up Search Policies” on page 94.
If your network includes computers with Mac OS X versions earlier than 10.2, configure the local domain on each of them so that it binds to a shared NetInfo domain. See “Using NetInfo Domains” on page 110.

Step 5: Configure Open Directory service protocols (optional)
You may want to disable some of the protocols that Open Directory uses to access directory domains and to discover network services. See “Configuring Open Directory Service Protocols” on page 93.

Before You Begin

Before setting up directory services for the first time:
• Understand why clients need directory data, as discussed in the first several sections of this chapter.
• Assess your server access requirements. Identify which users need to access your Mac OS X Servers. Users whose information can be managed most easily on a server should be defined in a shared Open Directory domain on a Mac OS X Server. Some of these users may instead be defined in Active Directory domains or LDAP domains on other servers. For more information, see “Local and Shared Directory Domains” on page 74 and “Directory Domain Hierarchies” on page 78.
• Understand search policies, as described in “Search Policies for Directory Domain Hierarchies” on page 82.
• Design the hierarchy of shared directory domains. Determine whether user information should be stored in a local directory domain or in a directory domain that can be shared among servers. Design your directory domain hierarchy, identifying the shared and local domains you want to use, the servers on which the shared domains should reside, and the relationships between shared domains. In general, try to limit the number of users associated with any directory domain to no more than 10,000. “Directory Domain Planning” on page 85 provides some guidelines that will help you decide what your directory domain hierarchy should look like.
• Assess your authentication needs. Decide whether to use an Open Directory Password Server.
Decide which Mac OS X Server will host the Password Server. See “Open Directory Password Server” on page 87.
• Consider the best equipment and location for your servers. Choose computers and locations that are reliable and accessible. If possible, use a dedicated Mac OS X Server for directory services. Make the server physically secure. It shouldn’t have a keyboard or monitor, especially if it hosts a Password Server.
• Pick server administrators very carefully. Give only trusted people administrator passwords. Have as few administrators as possible. Don’t delegate administrator access for minor tasks, such as changing settings in a user record. Always remember: directory information is authoritative. It vitally affects everyone whose computers use it.

Setting Up an Open Directory Domain and Password Server

You can use the Open Directory Assistant application to configure how a Mac OS X Server works with directory information and a Password Server. This application can configure a server to use a directory domain in one of the following ways:
• Use a shared directory domain hosted by another server.
• Host a shared Open Directory domain.
• Use only the server’s own local directory domain.
• Delete the server’s shared directory domain.

In addition, Open Directory Assistant can configure a server to use a Password Server in one of the following ways:
• Use an existing Password Server.
• Host a Password Server.
• Don’t use a Password Server.

Open Directory Assistant runs automatically as part of the installation and setup process of Mac OS X Server. At any other time, you can open Open Directory Assistant from the Finder.

To configure how your server works with directory information and a Password Server:
1 Open the Open Directory Assistant application.
It is located in the /Applications/Utilities folder.
2 Enter the connection and authentication information for the Mac OS X Server that you want to configure, then click Connect.
For Address, enter the DNS name or IP address of the server that you want to configure. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
3 Follow the self-guided steps for configuring the server’s use of a directory domain and a Password Server.

Deleting a Shared Open Directory Domain

You can delete a shared Open Directory domain that is hosted by a Mac OS X Server. Use Open Directory Assistant to do this.

To delete a shared directory domain hosted by a Mac OS X Server:
1 Start Open Directory Assistant.
2 Enter the connection and authentication information for the Mac OS X Server that hosts the shared domain you want to delete, then click Connect.
For Address, enter the DNS name or IP address of the server. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
3 Choose Delete Hosted Domain from the Domain menu.

After deleting a shared domain that is supplied automatically by DHCP, you must remove it from the DHCP service. Otherwise client computers may pause for long periods of time while trying to access the deleted domain. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Configuring Open Directory Service Protocols

Open Directory uses many protocols to access administrative data in directory domains and discover services on the network. You can enable or disable each of the protocols individually by using the Directory Access application.
Warning: When you delete a directory domain, all user account information and other administrative data that it contains is lost.

The protocols include
• AppleTalk, the legacy Mac OS protocol for file and print services
• BSD Configuration Files, the original method still used by some organizations for accessing administrative data on UNIX computers
• Lightweight Directory Access Protocol version 2 (LDAPv2), an open standard that Open Directory can use to access (read-only) directory domains on a variety of servers
• LDAPv3, a newer version of the popular directory services protocol, which Open Directory uses to access (read and write) data in Open Directory domains on computers and servers with Mac OS X version 10.2, Active Directory domains on Windows servers, and directory domains on various other servers
• NetInfo, an Apple directory services protocol that Open Directory can use to access (read and write) data in directory domains on all Mac OS X computers
• Rendezvous, an Apple protocol for discovering file, print, and other services on Internet Protocol (IP) networks
• Service Location Protocol (SLP), an open standard for discovering file and print services on IP networks
• Server Message Block (SMB), a protocol used by Microsoft Windows for file and print services

If you disable a protocol on a computer, Open Directory does not use it for directory access or service discovery on the computer. Other network services may still use the protocol, however. For example, if you disable the AppleTalk protocol, Open Directory does not use it to discover file servers, but you can still connect to an AppleTalk file server if you know its URL.

To enable or disable protocols used by Open Directory:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Click the checkbox next to the protocol that you want to enable or disable.
4 Click Apply.
Setting Up Search Policies

This section describes how to configure the search policy that Open Directory uses when it retrieves authentication information and other administrative data from directory domains. The search policy can also include protocols for discovering services on the network, such as file and print services.

A Mac OS X computer—server or client—actually has more than one search policy. The authentication search policy is used to find authentication information and most other administrative data. The contacts search policy is used by mail, address book, personal information manager, and similar applications to locate name, address, and other contact information.

You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Access application. You can use the same application to configure the computer’s contacts search policy. (The Open Directory Assistant application also configures the authentication search policy of a Mac OS X Server, but does not offer as many options as Directory Access.)

You can configure the search policy of the computer on which you are running Directory Assistant as follows:
• Use the automatic search policy—shared NetInfo domains, list of LDAP servers supplied by DHCP, or both.
• Define a custom search policy for the computer if it needs to search additional directory servers, BSD configuration files, or service discovery protocols.
• Use only the computer’s local directory domain.

Using the Automatic Search Policy

You can configure a Mac OS X computer to use the automatic search policy. This is the default configuration. You can configure a computer to use the automatic search policy by using the Directory Access application on the computer. The automatic search policy always includes the local directory domain.
The automatic search policy also includes shared NetInfo domains to which the computer is bound and shared LDAPv3 domains supplied by DHCP. The shared NetInfo domains are optional, as are the shared LDAPv3 domains. For more information, see “Using NetInfo Domains” on page 110 and “Setting the LDAP Server for DHCP Clients” on page 479.

To use the automatic search policy supplied by DHCP:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose Automatic from the Search pop-up menu, then click Apply.

Defining a Custom Search Policy

You can configure a Mac OS X computer to search specific Open Directory servers, LDAP servers, NetInfo domains, BSD configuration files, or directory service protocols in addition to the servers in the automatic search policy. You define a custom search policy with the Directory Access application on the computer that you want to configure.

Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD configuration files that you want to add to the search policy. For instructions, see the subsequent sections of this chapter.

To define a custom search policy for the computer:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose “Custom path” from the Search pop-up menu.
4 Click Add.
5 Select from the list of available directories and click Add.
To add multiple directories, select more than one and click Add.
6 Change the order of the listed directory domains as needed, and remove listed directory domains that you don’t want in the search policy.
Move a listed directory domain by dragging it up or down. Remove a listed directory domain by selecting it and clicking Remove.
7 Click Apply.

Using a Local Directory Search Policy

If you want to limit the access that a computer has to authentication information and other administrative data, you can restrict the computer’s authentication search policy to the local directory domain. If you do this, users without local accounts on the computer will be unable to log in or authenticate for any services it provides. You can configure a computer to use only its local directory domain by using the Directory Access application on the computer.

To restrict a computer to its local directory domain:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data. Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose “Local directory” from the Search pop-up menu, then click Apply.

Changing Basic LDAPv3 Settings

You can use the Directory Access application to change basic settings for accessing LDAPv3 servers, including the shared Open Directory domains of Mac OS X Servers:
• Enable or disable use of LDAPv3 servers supplied by DHCP.
• Reveal an intermediate level of LDAPv3 information and options.
The Open Directory Assistant application also configures use of LDAPv3 servers supplied by DHCP, but does not offer as many options as Directory Access.

Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers
Your Mac OS X computer can automatically access LDAPv3 servers via DHCP. This automatic access requires that the DHCP service be configured to supply an LDAPv3 server on request. You can enable or disable this method of accessing an LDAPv3 server for each network location that is defined in the Network pane of System Preferences.

To enable or disable automatic access to an LDAPv3 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to affect, or use Automatic.
5 Click the checkbox to enable or disable use of the LDAPv3 server supplied by DHCP.
If you disable this setting, this computer doesn’t use any LDAPv3 servers supplied by DHCP. However, the computer may automatically access shared NetInfo domains. See “Using NetInfo Domains” on page 110 for more information.
If you enable this setting, the DHCP service should be configured to supply one or more LDAPv3 server addresses. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Showing or Hiding Available LDAPv3 Configurations
You can show or hide a list of available LDAPv3 server configurations. When you show the list, you see and can change some settings for each LDAPv3 configuration.

To show or hide the available LDAPv3 configurations:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to see, or use Automatic.
5 Click Show Options or Hide Options.

Configuring Access to Existing LDAPv3 Servers
On a Mac OS X computer that is not configured to access an LDAPv3 server automatically via DHCP, you can manually configure access to one or more LDAPv3 servers. You can do the following:
• Create server configurations and enable or disable them individually. For instructions, see “Creating an LDAPv3 Configuration” on page 98.
• Edit the settings of a server configuration. For instructions, see “Editing an LDAPv3 Configuration” on page 99.
• Duplicate a configuration. For instructions, see “Duplicating an LDAPv3 Configuration” on page 99.
• Delete a configuration. For instructions, see “Deleting an LDAPv3 Configuration” on page 100.
• Change the connection settings for an LDAPv3 configuration. For instructions, see “Changing an LDAPv3 Configuration’s Connection Settings” on page 100.
• Define custom mappings of Mac OS X record types and attributes to LDAPv3 record types, search bases, and attributes. For instructions, see “Configuring LDAPv3 Search Bases and Mappings” on page 101.
• Populate LDAPv3 directory domains with records and data. For instructions, see “Populating LDAPv3 Domains With Data for Mac OS X” on page 103.

Creating an LDAPv3 Configuration
You can use Directory Access to create a configuration for an LDAPv3 server.

To create an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the LDAPv3 server’s DNS name or IP address.
7 Choose a mapping template from the inline pop-up menu, or choose From Server.
8 Enter the search base for your LDAPv3 server and click OK.
If you chose a template in step 7, you must enter a search base, or the LDAPv3 server will not function. If you chose From Server in step 7, you may be able to leave the search base blank and have the LDAPv3 server function. In this case, Open Directory will look for the search base at the first level of the LDAPv3 server.
9 Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAPv3 server.

After creating a new server configuration, you should add the server to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Editing an LDAPv3 Configuration
You can use Directory Access to change the settings of an LDAPv3 server configuration.

To edit an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Change any of the settings displayed in the list of server configurations.
Click an Enable checkbox to activate or deactivate a server. To change a configuration name, double-click it in the list. To change a server name or IP address, double-click it in the list. Choose a mapping template from the inline pop-up menu. Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.
Duplicating an LDAPv3 Configuration
You can use Directory Access to duplicate an LDAPv3 server configuration. After duplicating a configuration, you can change its settings.

To duplicate an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Duplicate.
6 Change any of the duplicate configuration’s settings.
Click an Enable checkbox to activate or deactivate a server. To change a configuration name, double-click it in the list. To change a server name or IP address, double-click it in the list. Choose a mapping template from the inline pop-up menu. Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.

After duplicating a server configuration, you should add the duplicate to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Deleting an LDAPv3 Configuration
You can use Directory Access to delete an LDAPv3 server configuration.

To delete an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Delete.
Changing an LDAPv3 Configuration’s Connection Settings
You can use Directory Access to change the connection settings for an LDAPv3 server configuration.

To change the connection settings of an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Edit.
6 Click the Connection tab and change any of the settings.
Configuration Name identifies this configuration in the list of LDAPv3 configurations. (You can also change the name directly in the list of LDAPv3 configurations.)
Server Name or IP Address specifies the server’s DNS name or its IP address. (You can also change this directly in the list of LDAPv3 configurations.)
“Open/close times out in” specifies the number of seconds that Open Directory waits before cancelling an attempt to connect to the LDAPv3 server.
“Connection times out in” specifies the number of seconds that Open Directory allows an idle or unresponsive connection to remain open.
“Use authentication when connecting” determines whether Open Directory authenticates itself as a user of the LDAPv3 server by supplying the Distinguished Name and Password when connecting to the server.
“Encrypt using SSL” determines whether Open Directory encrypts communications with the LDAPv3 server by using a Secure Sockets Layer (SSL) connection. (You can also change this setting directly in the list of LDAPv3 configurations.)
“Use custom port” specifies a port number other than the standard port for LDAPv3 connections (389 without SSL or 636 with SSL).

Configuring LDAPv3 Search Bases and Mappings
Each LDAPv3 configuration that you create specifies where data needed by Mac OS X resides on the LDAPv3 server.
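The Connection tab settings above, checked the way an administrator would before enabling a configuration: the effective port for the SSL/custom-port combination, whether a Distinguished Name and Password would travel over an unencrypted connection, and whether a chosen mapping template has the search base it requires. This is an added example, not code from Apple's guide or from Directory Access; the field names are labels chosen here for the guide's settings, the 120-second defaults are assumed, and the server name and Distinguished Name in the demo are constructed.

```python
"""Sanity-check an LDAPv3 configuration as Directory Access exposes it.

Added example, not code from Apple's guide. The dataclass fields are labels for
the fields on the Connection tab (the guide's field names are in the comments).
The standard ports, 389 without SSL and 636 with SSL, and the rule that a mapping
template requires a search base, come from the guide; the timeout defaults are
assumed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

LDAP_PORT = 389   # standard port when "Encrypt using SSL" is off
LDAPS_PORT = 636  # standard port when "Encrypt using SSL" is on


@dataclass
class LdapV3Configuration:
    name: str                              # Configuration Name
    server: str                            # Server Name or IP Address
    mapping_template: str = "From Server"  # inline pop-up menu: a template name or "From Server"
    search_base: str = ""                  # search base entered when the configuration is created
    open_close_timeout: int = 120          # "Open/close times out in" (seconds; default assumed)
    connection_timeout: int = 120          # "Connection times out in" (seconds; default assumed)
    use_authentication: bool = False       # "Use authentication when connecting"
    bind_dn: str = ""                      # Distinguished Name supplied when authenticating
    encrypt_ssl: bool = False              # "Encrypt using SSL"
    custom_port: Optional[int] = None      # "Use custom port" (None = the standard port)

    def effective_port(self) -> int:
        """Port Open Directory connects to for this configuration."""
        if self.custom_port is not None:
            return self.custom_port
        return LDAPS_PORT if self.encrypt_ssl else LDAP_PORT


def audit(cfg: LdapV3Configuration) -> List[str]:
    """Return findings to resolve before enabling the configuration (empty list = clean)."""
    findings: List[str] = []
    if cfg.use_authentication and not cfg.encrypt_ssl:
        # The bind credentials are part of the connection; without SSL nothing protects them.
        findings.append('Distinguished Name and Password are sent over an unencrypted '
                        'connection; enable "Encrypt using SSL"')
    if cfg.use_authentication and not cfg.bind_dn:
        findings.append('"Use authentication when connecting" is set but no Distinguished Name is given')
    port = cfg.effective_port()
    if cfg.encrypt_ssl and port == LDAP_PORT:
        findings.append("SSL is enabled but the custom port is 389, the standard non-SSL port")
    if not cfg.encrypt_ssl and port == LDAPS_PORT:
        findings.append("SSL is disabled but the custom port is 636, the standard SSL port")
    if cfg.mapping_template != "From Server" and not cfg.search_base:
        findings.append("a mapping template was chosen, so a search base is required")
    if cfg.open_close_timeout <= 0 or cfg.connection_timeout <= 0:
        findings.append("timeouts must be a positive number of seconds")
    return findings


if __name__ == "__main__":
    # Constructed demo configuration: authenticated bind, SSL left off.
    demo = LdapV3Configuration(name="HQ directory", server="ldap.example.com",
                               use_authentication=True, bind_dn="cn=admin,dc=example,dc=com")
    print("port:", demo.effective_port())
    for finding in audit(demo):
        print("-", finding)
```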
You can edit the LDAPv3 search base for each Mac OS X record type. You can edit the mapping of each Mac OS X record type to one or more LDAPv3 object classes. For each record type, you can also edit the mapping of Mac OS X data types, or attributes, to LDAPv3 attributes. You edit search bases and mappings with the Directory Access application.

Note: The mapping of Mac OS X data types to LDAPv3 attributes can be different for each record type. Mac OS X has separate LDAPv3 mappings for each record type. For detailed specifications of record types and attributes required by Mac OS X, see Appendix A, “Open Directory Data Requirements.”

To edit the search bases and mappings for an LDAPv3 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Edit.
6 Click the Search & Mappings tab.
7 Select the mappings that you want to use as a starting point, if any.
Click “Read from Server” to edit the mappings currently stored in the LDAPv3 server whose configuration you are editing.
Click the “Access this LDAPv3 server using” pop-up menu, choose a mapping template to use its mappings as a starting point, or choose Custom to begin with no predefined mappings.
8 Add record types and change their search bases as needed.
To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK.
To change the search base of a record type, select it in the Record Types and Attributes List. Then click the “Search base” field and edit the search base.
To remove a record type, select it in the Record Types and Attributes List and click Delete.
To add a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the Add button below “Map to __ items in list” and enter the name of an object class from the LDAPv3 domain. To add another LDAPv3 object class, you can press Return and enter the name of the object class. Specify whether to use all or any of the listed LDAPv3 object classes by using the pop-up menu above the list.
To change a mapping for a record type, select the record type in the Record Types and Attributes List. Then double-click the LDAPv3 object class that you want to change in the “Map to __ items in list” and edit it. Specify whether to use all or any of the listed LDAPv3 object classes by using the pop-up menu above the list.
To remove a mapping for a record type, select the record type in the Record Types and Attributes List. Then click the LDAPv3 object class that you want to remove from the “Map to __ items in list” and click the Delete button below “Map to __ items in list.”
9 Add attributes and change their mappings as needed.
To add attributes to a record type, select the record type in the Record Types and Attributes List. Then click the Add button below the Record Types and Attributes list. In the sheet that appears, select Attribute Types, select one or more attribute types, and then click OK.
To add a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the Add button below “Map to __ items in list” and enter the name of an attribute type from the LDAPv3 domain. To add another LDAPv3 attribute type, you can press Return and enter the name of the attribute type.
To change a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then double-click the item that you want to change in the “Map to __ items in list” and edit the item name.
To remove a mapping for an attribute, select the attribute in the Record Types and Attributes List.
Then click the item that you want to remove from the “Map to __ items in list” and click the Delete button below “Map to __ items in list.”
10 Click Write to Server if you want to store the mappings on the LDAPv3 server so that it can supply them automatically to its clients.
You must enter a search base to store the mappings, a distinguished name of an administrator (for example, cn=admin,dc=example,dc=com) and a password.
The LDAPv3 server supplies its mappings to clients that are configured to use an automatic search policy. For instructions on configuring the client search policy, see “Setting Up Search Policies” on page 94. The LDAPv3 server also supplies its mappings to clients that have been configured manually to get mappings from the server. For instructions on configuring client access to the server, see “Creating an LDAPv3 Configuration” on page 98 through “Changing an LDAPv3 Configuration’s Connection Settings” on page 100.

Populating LDAPv3 Domains With Data for Mac OS X
After configuring LDAPv3 directory domains and setting up their data mapping, you can populate them with records and data for Mac OS X. For directory domains that allow remote administration (read/write access), use the Workgroup Manager application and the Server Settings application as follows:
• Identify share points and shared domains that you want to mount automatically in a user’s /Network directory (the Network globe in Finder windows). Use the Sharing module of Workgroup Manager. For instructions, see Chapter 4, “Sharing.”
• Define user records and group records and configure their settings. Use the Accounts module of Workgroup Manager. For instructions, see Chapter 3, “Users and Groups.”
• Define lists of computers that have the same preference settings and are available to the same users and groups. Use the Computers module of Workgroup Manager.
For instructions, see Chapter 6, “Client Management: Mac OS X.”
• Create records for shared printers that you want to appear in the Directory Services printer list in Print Center. Use the Print module of Server Settings. For instructions, see Chapter 7, “Print Service.”

Note: To add records and data to a read-only LDAPv3 domain, you must use tools on the server that hosts the LDAPv3 domain.

Using an Active Directory Server
Your Mac OS X Server, like any computer with Mac OS X version 10.2, can use Open Directory to access an Active Directory domain hosted by a Microsoft Windows server. This section explains how to configure your Mac OS X Server and client Mac OS X computers to access an Active Directory server. This section also explains how to use your Mac OS X Server to populate the Active Directory domain with records and data.

In addition, you can edit, duplicate, or delete an Active Directory server configuration. You can also change the connection settings and customize the mappings of an Active Directory server configuration. The procedures for all these tasks are the same for Active Directory servers as for LDAPv3 servers. For instructions, see “Configuring Access to Existing LDAPv3 Servers” on page 98.

Creating an Active Directory Server Configuration
You can use Directory Access to create a configuration for an Active Directory server.

To create an Active Directory server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the Active Directory server’s DNS name or IP address.
7 Click the inline pop-up menu and choose Active Directory.
8 Enter the search base for your Active Directory server, then click OK.
9 Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the Active Directory server.

Important: Open Directory uses the LDAPv3 protocol, not Microsoft’s proprietary Active Directory Services Interface (ADSI), to connect to Microsoft’s Active Directory. This chapter does not explain how to configure Active Directory on a Windows server for LDAPv3 read/write access. If you need assistance, consult an individual with Windows and Active Directory expertise, refer to the documentation for these products, or go to the Microsoft Web site: www.microsoft.com/support/

After creating a new Active Directory server configuration, you should add the server to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an Active Directory server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Setting Up an Active Directory Server
If you want a Mac OS X computer to get administrative data from an Active Directory server, the data must exist on the Active Directory server in the format required by Mac OS X. You may need to add, modify, or reorganize data on the Active Directory server. You must make the necessary modifications by using tools on the Active Directory server.

To set up an Active Directory server for Mac OS X directory services:
1 Go to the Active Directory server and configure it to support LDAPv3-based authentication and password checking.
2 Modify the Active Directory object classes and attributes as necessary to provide the data needed by Mac OS X.
For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Populating Active Directory Domains With Data for Mac OS X
After creating an Active Directory server configuration and setting it up for Mac OS X directory services, you can populate it with records and data for Mac OS X. If the Active Directory server allows remote administration (read/write access), use the Workgroup Manager application and the Server Settings application as follows:
• Identify share points and shared domains that you want to mount automatically in a user’s /Network directory (the Network globe in Finder windows). Use the Sharing module of Workgroup Manager. For instructions, see Chapter 4, “Sharing.”
• Define user records and group records and configure their settings. Use the Accounts module of Workgroup Manager. For instructions, see Chapter 3, “Users and Groups.”
• Define lists of computers that have the same preference settings and are available to the same users and groups. Use the Computers module of Workgroup Manager. For instructions, see Chapter 6, “Client Management: Mac OS X.”
• Create records for shared printers that you want to appear in the Directory Services printer list in Print Center. Use the Print module of Server Settings. For instructions, see Chapter 7, “Print Service.”

Note: To add records and data to a read-only Active Directory server, you must use tools on the Windows server.

Accessing an Existing LDAPv2 Directory
You can configure a Mac OS X computer to retrieve administrative data from one or more LDAPv2 servers. For each LDAPv2 server that you want the computer to access, you generally do the following:
• Prepare the LDAPv2 server data. For instructions, see “Setting Up an LDAPv2 Server” on page 106.
• Create an LDAPv2 server configuration. For instructions, see “Creating an LDAPv2 Server Configuration” on page 106.
• Change LDAPv2 server access settings as needed.
For instructions, see “Changing LDAPv2 Server Access Settings” on page 107.
• Edit LDAPv2 search bases and data mappings as needed. For instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
• Make sure the LDAPv2 server is included in a custom search policy. For more information, see “Setting Up Search Policies” on page 94.

Setting Up an LDAPv2 Server
If you want a Mac OS X computer to get administrative data from an LDAPv2 server, the data must exist on the LDAPv2 server in the format required by Mac OS X. You may need to add, modify, or reorganize data on the LDAPv2 server. Mac OS X cannot write data to an LDAPv2 directory, so you must make the necessary modifications by using tools on the server that hosts the LDAPv2 directory.

To set up an LDAPv2 server for Mac OS X:
1 Go to the LDAPv2 server and configure it to support LDAPv2-based authentication and password checking.
2 Modify LDAPv2 server object classes and attributes as necessary to provide the data needed by Mac OS X.
For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Creating an LDAPv2 Server Configuration
You need to create a configuration for an LDAPv2 server from which you want your computer to get administrative data. Use the Directory Access application to create an LDAPv2 configuration.

To create an LDAPv2 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Create a new configuration or duplicate an existing configuration.
Click New to create a new configuration. Click Duplicate to create a copy of the currently selected configuration.
5 Click the Identity tab, then enter a configuration name and server address.
In the Name field, enter a descriptive name for the LDAPv2 server.
In the Address field, enter the LDAPv2 server’s DNS name or IP address.
6 Click the Access tab, then change the access settings as needed.
For detailed instructions, see “Changing LDAPv2 Server Access Settings” on page 107.
7 Click the Records tab and for any Mac OS X record type listed on the left, edit the LDAPv2 search base as needed on the right.
For detailed instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
8 Click the Data tab and for any Mac OS X data type listed on the left, edit the corresponding LDAPv2 attributes on the right.
For detailed instructions, see “Editing LDAPv2 Search Bases and Data Mappings” on page 108.
9 Click OK.
10 Select the Enable checkbox to make the LDAPv2 server you just configured available for use by directory services, then close the window and click Save.

After creating a new LDAPv2 server configuration, you should add the server to a custom search policy. A computer can access an LDAPv2 server only if the server is included in the computer’s custom search policy. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Changing LDAPv2 Server Access Settings
You can change settings that determine how your computer accesses an LDAPv2 server. Use the Directory Access application to change the settings.

To change access settings for an LDAPv2 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Select a server configuration in the list, then click Edit.
5 Click the Access tab, then change the access settings as needed.
Select “Use anonymous access” if Open Directory should connect to the LDAPv2 server without using a name and password. Select “Use the username and password below” if Open Directory should not connect anonymously.
Enter the distinguished name (for example, cn=admin, cn=users, dc=example, dc=com) and password that Open Directory should use to establish an LDAPv2 server connection. Ensure that the LDAPv2 server is configured to accept any name and password you specify.
Enter the number of seconds for “Open & close timeout,” which defines the maximum time to wait before cancelling an attempt to connect to the LDAPv2 server. The default is 120 seconds.
Enter the number of seconds for “Search timeout,” which defines the maximum time to spend searching for data on the LDAPv2 server. The default is 120 seconds.
Identify the port that should be used for the connection. The default is port 389. Ensure that any number you specify is actually used by the LDAPv2 server.
6 Click OK, then close the window and click Save.

Editing LDAPv2 Search Bases and Data Mappings
Each LDAPv2 configuration that you create specifies where data needed by Mac OS X resides on the LDAPv2 server. You can edit the LDAPv2 search base for each Mac OS X record type. You can also edit the mapping of Mac OS X data types, or attributes, to LDAPv2 attributes. You edit search bases and data mappings with the Directory Access application.

Note: The mapping of Mac OS X data types to LDAPv2 attributes is the same for all record types. Mac OS X cannot have different LDAPv2 mappings for different record types. For detailed specifications of record types and attributes required by Mac OS X, see Appendix A, “Open Directory Data Requirements.”

To edit the search bases and data mappings for an LDAPv2 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv2 in the list of services, then click Configure.
4 Select a server configuration in the list, then click Edit.
5 Click the Records tab and for any Mac OS X record type listed on the left, edit the LDAPv2 search base as needed on the right.
Select an item in the Record Type list, and then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides appropriate information.
Select Users in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides user information. The default search base for the Users record type is ou=people, o=company name.
Select Groups in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provides group information. The default search base for the Groups record type is ou=groups, o=company name.
As needed, select other items in the Record Types list and edit their “Maps to” values to specify a search base on the LDAPv2 server that specifies the appropriate information.
6 Click the Data tab and for any Mac OS X data type listed on the left, edit the corresponding LDAPv2 attributes on the right.
Select RecordName in the Data Type column. Then edit the “Maps to” value to identify one or more LDAPv2 attributes that store the names a user can be known by, including the user’s short name. This same mapping identifies the LDAPv2 attributes that store a group name for the Groups record type.
Select UniqueID in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that uniquely identifies a user. This same mapping identifies the LDAPv2 attribute that uniquely identifies a group in the Groups record type.
Select RealName in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the full user name.
Select MailAttribute in the Data Type column if users will be using mail service on the server. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the user’s mail settings in the required format.
Select EMailAddress in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attributes that store the forwarding address.
This attribute is used for users without a mail attribute.
Select Password in the Data Type column only if the LDAPv2 server stores user passwords in UNIX crypt format. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the password.
Select PrimaryGroupID in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the ID number for the user’s primary group.
Select HomeDirectory in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attributes that store the home directory information in the required format.
Select UserShell in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores the path and filename of the user login shell. This is the default shell used for command-line interactions with the server. Enter “None” to prevent users who are defined in this directory from accessing the server remotely via a command line.
Select GroupMembership in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores a list of users associated with the group. Users should be identified using their short names.
If other items in the Data Type column will be retrieved from the LDAPv2 server, select them one by one. When you select an item, edit the “Maps to” value to identify one or more LDAPv2 attributes that store the appropriate information.
7 Click OK, then close the window and click Save.

Using NetInfo Domains
Your Mac OS X Server can be part of a hierarchy of shared NetInfo domains. If you create a shared directory domain on your server, other Mac OS X computers can access it via the NetInfo protocol (as well as the LDAPv3 protocol). This makes your server a NetInfo parent, and the other computers that bind to it are NetInfo children. Instructions for creating a shared NetInfo domain are next. You can also configure your Mac OS X Server to bind to a shared NetInfo domain on another Mac OS X Server.
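The Data tab mappings from step 6 of the LDAPv2 procedure above, applied to directory entries so that the resulting Mac OS X records can be inspected: a multi-valued RecordName, a Password value accepted only in UNIX crypt form, a UserShell of “None” that denies command-line access, and GroupMembership by short name. This is an added example, not code from Apple's guide; the LDAPv2 attribute names (uid, cn, uidNumber, memberUid and so on) are assumed from the common RFC 2307 posixAccount/posixGroup schema, and the LDIF entries are constructed sample data.

```python
"""Apply LDAPv2 "Maps to" data mappings to directory entries.

Added example, not code from Apple's guide. Mac OS X data types (left) are the
ones the guide names; the LDAPv2 attribute names (right) are assumptions taken
from the RFC 2307 posixAccount/posixGroup schema; the LDIF is constructed data.
"""
from __future__ import annotations

from typing import Dict, List, Union

Entry = Dict[str, List[str]]                # raw LDAPv2 entry: attribute -> values
Record = Dict[str, Union[str, List[str]]]   # mapped Mac OS X record

# "Maps to" values for the Data tab. In LDAPv2 one mapping applies to every
# record type, so RecordName/UniqueID also name and number groups.
USER_MAPPINGS: Dict[str, List[str]] = {
    "RecordName": ["uid", "cn"],        # short name first, then other known names
    "UniqueID": ["uidNumber"],
    "RealName": ["gecos"],
    "Password": ["userPassword"],       # map only if the server stores UNIX crypt hashes
    "PrimaryGroupID": ["gidNumber"],
    "HomeDirectory": ["homeDirectory"],
    "UserShell": ["loginShell"],
    "EMailAddress": ["mail"],
}
GROUP_MAPPINGS: Dict[str, List[str]] = {
    "RecordName": ["cn"],
    "UniqueID": ["gidNumber"],
    "GroupMembership": ["memberUid"],   # members listed by short name
}

# Constructed sample entries under the guide's default search bases
# (ou=people and ou=groups); "o=example" stands in for "o=company name".
SAMPLE_USER_LDIF = """\
dn: uid=asmith,ou=people,o=example
objectClass: posixAccount
uid: asmith
cn: Anne Smith
gecos: Anne Smith
uidNumber: 1042
gidNumber: 20
homeDirectory: /Network/Servers/files/Users/asmith
loginShell: None
mail: asmith@example.com
userPassword: {crypt}abJnggxhB/yWI
"""
SAMPLE_GROUP_LDIF = """\
dn: cn=staff,ou=groups,o=example
objectClass: posixGroup
cn: staff
gidNumber: 20
memberUid: asmith
memberUid: bjones
"""


def parse_ldif(text: str) -> Entry:
    """Parse one LDIF entry, keeping multi-valued attributes and unfolding continuation lines.

    Base64 ("::") and URL (":<") values are not needed for the samples and are unsupported.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line continues the previous one
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry: Entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def map_record(entry: Entry, mappings: Dict[str, List[str]]) -> Record:
    """Build a Mac OS X record from an LDAPv2 entry using the configured "Maps to" values."""
    record: Record = {}
    for data_type, attributes in mappings.items():
        values = [v for attr in attributes for v in entry.get(attr, [])]
        if data_type == "Password":
            # Only UNIX crypt hashes are usable; keep the hash, drop the RFC 2307 scheme prefix.
            values = [v[len("{crypt}"):] for v in values if v.lower().startswith("{crypt}")]
        if values:
            record[data_type] = values if len(values) > 1 else values[0]
    return record


def allows_command_line_login(user: Record) -> bool:
    """A UserShell of "None" denies remote command-line access, as the guide describes."""
    shell = user.get("UserShell")
    return isinstance(shell, str) and shell not in ("", "None")


def is_member(group: Record, short_name: str) -> bool:
    """GroupMembership holds short names; a single member is stored as a plain string."""
    members = group.get("GroupMembership", [])
    return short_name in ([members] if isinstance(members, str) else members)


if __name__ == "__main__":
    user = map_record(parse_ldif(SAMPLE_USER_LDIF), USER_MAPPINGS)
    group = map_record(parse_ldif(SAMPLE_GROUP_LDIF), GROUP_MAPPINGS)
    print(user)
    print("command-line login allowed:", allows_command_line_login(user))
    print("asmith in staff:", is_member(group, "asmith"))
```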
This makes your server a NetInfo child of a NetInfo parent. For instructions, see “Configuring NetInfo Binding” on page 111.

Expert system administrators can manage NetInfo domains as follows:
• Create machine records for broadcast binding to a shared NetInfo domain. For instructions, see “Adding a Machine Record to a Parent NetInfo Domain” on page 113.
• Configure a shared NetInfo domain to use a particular port number instead of a dynamically assigned port number. For instructions, see “Configuring Static Ports for Shared NetInfo Domains” on page 113.
• View the contents of any NetInfo domain. For instructions, see “Viewing and Changing NetInfo Data” on page 114.
• Perform other operations by using the Terminal application. For more information, see “Using UNIX Utilities for NetInfo” on page 114.

Creating a Shared NetInfo Domain
Your Mac OS X Server can host a shared NetInfo domain. Then other Mac OS computers can access the shared NetInfo domain for information about users and resources. The server that hosts a shared NetInfo domain is called a parent, and a computer that accesses it is known as a child. The shared domain is actually a shared Open Directory domain that other computers access using the NetInfo protocol. You set it up with the Open Directory Assistant application.

To create a shared NetInfo domain:
1 Open the Open Directory Assistant application.
2 Enter the connection and authentication information for the Mac OS X Server where you want to create the shared NetInfo domain, then click Connect.
3 Click the right arrow to get to the Location step, and then select the setting that indicates the server is at its permanent network location.
You cannot set up a shared NetInfo domain on a server that is in a temporary location.
4 Advance to the Directory Use step, and then select the option to provide directory information to other servers.
5 Go to the Configure step, where you may select the option to enable LDAP support.
The shared directory automatically supports the NetInfo protocol. LDAP support is optional.
6 Go through the steps for configuring a Password Server. As you go through each step, Open Directory Assistant displays the current Password Server settings of the Mac OS X Server that you are configuring. If you want the Password Server configuration to remain as-is, do not change any settings as you go through these steps.
7 When you reach the Finish Up step, review its configuration summary and click Go Ahead to apply the settings. If you want to change any of the settings in the configuration summary, click the left arrow. Keep clicking the left arrow until you get back to the step where you can make the desired change. After changing the setting, click the right arrow until you get to the Finish Up step again.

Configuring NetInfo Binding
When a Mac OS X computer starts up, it can bind its local directory domain to a shared NetInfo domain. The shared NetInfo domain can bind to another shared NetInfo domain. The binding process creates a hierarchy of NetInfo domains.
A NetInfo hierarchy has a structure like an upside-down tree. Local domains at the bottom of the hierarchy bind to one or more shared domains, which may in turn bind to one or more other shared domains, and so on. Each domain binds to only one shared domain, but a shared domain can have any number of domains bind to it. A shared domain is called a parent domain, and each domain that binds to it is a child domain. At the top of the hierarchy is one shared domain that doesn’t bind to another domain; this is the root domain.
A Mac OS X computer can bind to a shared NetInfo domain by using any combination of three protocols: static, broadcast, or DHCP.
• With static binding, you specify the address and NetInfo tag of the shared NetInfo domain. This is most commonly used when the shared domain’s computer is not on the same IP subnet as the computer that needs to access it.
• With DHCP binding, a DHCP server automatically supplies the address and NetInfo tag of the shared NetInfo domain. To use DHCP binding, the DHCP server must be configured to supply a NetInfo parent’s address and tag. For instructions, see “Setting NetInfo Options for a Subnet” on page 482 in Chapter 11, “DHCP Service.”
• With broadcast binding, the computer locates a shared NetInfo domain by sending out an IP broadcast request. The computer hosting the shared domain responds with its address and tag. For broadcast binding, both computers must be on the same IP subnet or on a network that is configured for IP broadcast forwarding. The parent domain must have the NetInfo tag “network.” The parent domain must have a machine record for each of its child domains. See “Adding a Machine Record to a Parent NetInfo Domain” on page 113 for more information.
If you configure a computer to use multiple binding protocols and a parent is not located with one protocol, another one is used. The protocols are used in this order: static, DHCP, broadcast.
You can configure NetInfo binding by using the Directory Access application.
To bind a Mac OS X computer to a shared NetInfo domain:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select NetInfo in the list of services, then click Configure.
4 Select the binding protocols that you want the computer to use. For broadcast binding, select “Attempt to connect using Broadcast protocol.” For DHCP binding, select “Attempt to connect using DHCP protocol.” For static binding, select “Attempt to connect to a specific NetInfo server.” Then enter the IP address of the parent domain’s computer in the Server Address field and the parent domain’s NetInfo tag in the Server Tag field.
5 Click OK, then click Apply.
6 Restart the computer.

Adding a Machine Record to a Parent NetInfo Domain
Mac OS X computers can bind their directory domains to a parent NetInfo domain by using broadcast binding. The parent NetInfo domain must have a machine record for each Mac OS X computer that can bind to it with broadcast binding. You can create a machine record with the NetInfo Manager application.
To add a machine record to a parent NetInfo domain:
1 Open NetInfo Manager on the computer where the parent domain resides, then open the domain.
2 Click the lock and log in using the user name and password specified when the domain was created.
3 Select the machines directory in the Directory Browser list.
4 Choose New Subdirectory from the Directory menu.
5 Double-click new_directory in the lower list and enter the DNS name of the child computer.
6 Choose New Property from the Directory menu.
7 In the lower list, change new_property to ip_address and change new_value to the IP address of the child computer.
8 Choose New Property from the Directory menu.
9 Change new_property to “serves” and then change new_value to the name and NetInfo tag of the child’s local domain, using a “/” to separate them. For example, you would change new_value to marketing.demo/local for the local domain of the computer named marketing.demo.
10 Choose Save Changes from the Domain menu, then click Update This Copy.

Configuring Static Ports for Shared NetInfo Domains
By default, Mac OS X dynamically selects a port in the range 600 through 1023 when it accesses a shared NetInfo domain. You can configure a shared domain for NetInfo access over specific ports. Use the NetInfo Manager application to do this.
To configure specific ports for NetInfo access to shared domains:
1 Open NetInfo Manager on the computer where the shared domain resides, then open the domain.
2 Click the lock icon and log in using the administrator name and password specified when the domain was created.
3 Select the “/” directory in the Directory Browser list.
4 To change the value of an existing port property, double-click the value in the Value(s) column and make the change.
5 To delete a port property, select it and choose Delete from the Edit menu.
6 To add a property, choose New Property from the Directory menu and proceed as follows. If you want to use one port for both TCP and UDP packets, double-click new_property and change it to port. Then change new_value to the port number you want to use. If you want separate TCP and UDP ports, double-click new_property and change it to tcp_port. Then change new_value to the TCP port number you want to use. Next double-click new_property and change it to udp_port. This time, change new_value to the UDP port number you want to use.

Viewing and Changing NetInfo Data
Information in a NetInfo database is organized into directories, which are specific categories of NetInfo records, such as users, machines, and mounts. For example, the users directory contains a record for each user defined in the domain.
Each record is a collection of properties. Each property has a key (listed in the Property column) and one or more values (shown in the Value(s) column). The key is used by processes to retrieve values.
The user named “root” in a domain can change any of its properties or add new ones. Properties with the prefix “_writers_” list the short names of other users authorized to change the value of a particular property. For example, _writers_passwd is the short name of the user who can change this user’s password.
You can use NetInfo Manager, located in /Applications/Utilities, on any Mac OS X computer to view the administrative data in a NetInfo domain.

Using UNIX Utilities for NetInfo
Several UNIX command-line utilities that interact with NetInfo are available through the Terminal application. To find out more about these utilities, view their man pages.
Utility   Description
niload    Loads data from UNIX configuration files (such as /etc/passwd) into a NetInfo database.
nidump    Converts data from a NetInfo database to a UNIX configuration file.
niutil    Reads from a NetInfo database and writes to one.
nigrep    Searches all NetInfo domains for all instances of a string you specify.
nicl      Creates, reads, or manages NetInfo data.

Using Berkeley Software Distribution (BSD) Configuration Files
Historically, UNIX computers have stored administrative data in configuration files such as
/etc/passwd
/etc/group
/etc/hosts
Mac OS X is based on a BSD version of UNIX, but normally gets administrative data from directory domains for the reasons discussed at the beginning of this chapter.
In Mac OS X version 10.2 and later (including Mac OS X Server version 10.2 and later), Open Directory can retrieve administrative data from BSD configuration files. This capability enables organizations that already have BSD configuration files to use copies of the existing files on Mac OS X computers. BSD configuration files can be used alone or in conjunction with other directory domains.
To use BSD configuration files, you must do the following:
• Specify which BSD configuration files to use, and map their contents to Mac OS X record types and attributes. Instructions for doing this are next.
• Set up each BSD configuration file with the data required by Mac OS X directory services. See “Setting Up Data in BSD Configuration Files” on page 118 for instructions.
• Create a custom search policy that includes the BSD configuration files domain. For instructions, see “Defining a Custom Search Policy” on page 95.

Mapping BSD Configuration Files
A computer with Mac OS X version 10.2 or later can get information about users and resources from BSD configuration files. Mac OS X determines which BSD configuration files to use by inspecting the file DSFFPlugin.plist (located in /Library/Preferences/DirectoryService).
This file identifies each BSD configuration file that contains administrative data. In addition, DSFFPlugin.plist maps the data in each BSD configuration file to specific Mac OS X record types and attributes. In other words, DSFFPlugin.plist tells Mac OS X how to extract particular data items from BSD configuration files.
The DSFFPlugin.plist file initially specifies four BSD configuration files for administrative data:
/etc/master.passwd
/etc/group
/etc/hosts
/etc/fstab
You can specify different BSD configuration files by editing the DSFFPlugin.plist file. This file contains structured text in XML format and is known as a property list or plist. You can edit this file with a text editor, but the Property List Editor application makes the job easier. Property List Editor is specifically designed to work with plist files.
You may not have Property List Editor on your computer, because it is not part of a standard installation of Mac OS X. However, Property List Editor is included if you install the Mac OS X Developer Tools from the Developer Tools CD. (The Developer Tools CD comes with the Mac OS X CD.) Then Property List Editor is located in /Developer/Applications. You can use Directory Access to open the DSFFPlugin.plist file with Property List Editor.
Note: To use the files specified by DSFFPlugin.plist, a computer must have a custom search policy that includes the BSD configuration files domain. An automatic search policy does not include the BSD configuration files domain. See “Defining a Custom Search Policy” on page 95 for instructions.
To map BSD configuration files to Mac OS X record types and attributes:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select BSD Configuration Files in the list of services, then click Configure. Directory Access tells Property List Editor to open /Library/Preferences/DirectoryService/DSFFPlugin.plist.
4 With DSFFPlugin.plist open in Property List Editor, click disclosure triangles in the Property List column to see the contents of FileTypeArray. FileTypeArray contains dictionary items. Each dictionary identifies one BSD configuration file and maps its contents. Each dictionary is identified by a number. Initially, dictionary 0 maps data in the /etc/hosts file; dictionary 1 maps data in the /etc/group file; dictionary 2 maps data in the /etc/master.passwd file; and dictionary 3 maps data in the /etc/fstab file.
5 To include another BSD configuration file, add a new dictionary under FileTypeArray and add fields under the new dictionary to specify the file name and path, record type, attributes, and so on. Add a dictionary for another BSD configuration file by selecting FileTypeArray and clicking New Child. Then click the class of the new dictionary and choose Dictionary from the pop-up menu. Add a field under a dictionary by selecting the dictionary, clicking its disclosure triangle so it points down, and clicking New Child. Type a name for the field. Then click the class of the field and select the appropriate class from the pop-up menu. Next, change the field’s value as needed.
The dictionary that defines a BSD configuration file has the fields specified in the table below. You can see examples of these fields in the preconfigured dictionaries for /etc/hosts, /etc/group, /etc/master.passwd, and /etc/fstab. For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”
6 If necessary, you can delete any line, including a dictionary line, by selecting the line and clicking Delete. If you delete a line by mistake, immediately choose Undo from the Edit menu.
7 When you finish, save and close the file.
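To see what such a mapping does once it is applied, here is an added example that is not Apple’s code and not the DSFFPlugin itself: a small Python parser that takes a constructed FileTypeArray (using the field names from the table that follows) and applies it to constructed /etc/group and /etc/master.passwd excerpts, then reports records whose password field is empty. The “FieldName” and “Position” key names inside FieldNamesAndPositions are an assumption, and the attribute names other than RecordName are taken from Apple’s DirectoryService attribute set rather than from this manual.

```python
import plistlib

def _fields(*names_and_positions):
    # "FieldName" and "Position" as key names are an assumption.
    return [{"FieldName": n, "Position": p} for n, p in names_and_positions]

# Constructed FileTypeArray in the layout of DSFFPlugin.plist. Delimiters are
# hexadecimal ASCII codes held in strings, as the field table describes.
MAPPING = {"FileTypeArray": [
    {
        "FilePath": "/etc/group",
        "RecordType": "dsRecTypeStandard:Groups",
        "CommentChar": "23",          # '#'
        "FieldDelimiter": "3A",       # ':'
        "RecordDelimiter": "0A",      # newline
        "ValueDelimiter": "2C",       # ',' between member short names
        "NumberOfFields": 4,
        "RecordNameIndex": 0,
        "PasswordArrayIndex": 1,
        "FieldNamesAndPositions": _fields(
            ("dsAttrTypeStandard:RecordName", 0),
            ("dsAttrTypeStandard:Password", 1),
            ("dsAttrTypeStandard:PrimaryGroupID", 2),
            ("dsAttrTypeStandard:GroupMembership", 3)),
    },
    {
        "FilePath": "/etc/master.passwd",
        "RecordType": "dsRecTypeStandard:Users",
        "CommentChar": "23",
        "FieldDelimiter": "3A",
        "RecordDelimiter": "0A",
        "NumberOfFields": 10,  # name:pw:uid:gid:class:change:expire:gecos:home:shell
        "RecordNameIndex": 0,
        "PasswordArrayIndex": 1,
        "FieldNamesAndPositions": _fields(
            ("dsAttrTypeStandard:RecordName", 0),
            ("dsAttrTypeStandard:Password", 1),
            ("dsAttrTypeStandard:UniqueID", 2),
            ("dsAttrTypeStandard:PrimaryGroupID", 3),
            ("dsAttrTypeStandard:NFSHomeDirectory", 8),
            ("dsAttrTypeStandard:UserShell", 9)),
    },
]}

# The mapping as it would be stored on disk: an XML property list.
DSFF_XML = plistlib.dumps(MAPPING)

def load_mapping(xml_bytes):
    """Read a DSFFPlugin.plist-style document; index its dictionaries by FilePath."""
    return {d["FilePath"]: d for d in plistlib.loads(xml_bytes)["FileTypeArray"]}

def _positions(mapping):
    return {f["Position"]: f["FieldName"] for f in mapping["FieldNamesAndPositions"]}

def parse_bsd_file(mapping, data):
    """Apply one FileTypeArray dictionary to raw file contents (bytes).

    Returns (records, rejected). Each record maps attribute names to lists of
    values (directory attributes are multi-valued). rejected holds lines whose
    field count differs from NumberOfFields, which the mapping cannot interpret."""
    comment = bytes.fromhex(mapping["CommentChar"]) if "CommentChar" in mapping else None
    fdelim = bytes.fromhex(mapping["FieldDelimiter"])
    rdelim = bytes.fromhex(mapping["RecordDelimiter"])
    vdelim = bytes.fromhex(mapping["ValueDelimiter"]) if "ValueDelimiter" in mapping else None
    positions = _positions(mapping)
    records, rejected = [], []
    for raw in data.split(rdelim):
        if not raw or (comment and raw.startswith(comment)):
            continue                      # blank line or comment line
        fields = raw.split(fdelim)
        if len(fields) != mapping["NumberOfFields"]:
            rejected.append(raw.decode("utf-8", "replace"))
            continue
        rec = {}
        for pos, name in positions.items():
            values = fields[pos].split(vdelim) if vdelim else [fields[pos]]
            rec[name] = [v.decode("utf-8") for v in values if v]
        names = [fields[mapping["RecordNameIndex"]]]
        if "AlternateRecordNameIndex" in mapping:   # second field searched as the name
            names.append(fields[mapping["AlternateRecordNameIndex"]])
        rec["dsAttrTypeStandard:RecordName"] = [n.decode("utf-8") for n in names]
        records.append(rec)
    return records, rejected

def empty_password_records(mapping, records):
    """Names of records whose password field is empty: accounts this file
    would let in without any password, which an administrator should know about."""
    if "PasswordArrayIndex" not in mapping:
        return []
    pw_attr = _positions(mapping).get(mapping["PasswordArrayIndex"])
    return [r["dsAttrTypeStandard:RecordName"][0] for r in records
            if pw_attr and not r.get(pw_attr)]

# Constructed excerpts, not taken from any real system.
SAMPLE_GROUP = b"""# constructed /etc/group excerpt
wheel:*:0:root
admin:*:80:root,jsmith
staff:*:20:
"""
SAMPLE_MASTER_PASSWD = b"""# constructed /etc/master.passwd excerpt
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
jsmith:EXAMPLEHASH:501:20::0:0:Jane Smith:/Users/jsmith:/bin/tcsh
guest::502:20::0:0:Guest Account:/Users/guest:/bin/tcsh
nobody:*:-2:-2:Unknown User:/dev/null
"""

if __name__ == "__main__":
    maps = load_mapping(DSFF_XML)
    for path, sample in (("/etc/group", SAMPLE_GROUP), ("/etc/master.passwd", SAMPLE_MASTER_PASSWD)):
        recs, bad = parse_bsd_file(maps[path], sample)
        print(path, len(recs), "records,", len(bad), "rejected, empty passwords:",
              empty_password_records(maps[path], recs))
```

The last master.passwd line has only six fields and is rejected rather than silently mis-mapped, which is the behaviour you want from a mapping whose NumberOfFields is wrong for the file.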
Field name and purpose:
AlternateRecordNameIndex (optional)
    An index that can be used as a second field to be searched as the record name.
CommentChar (optional)
    A string that contains the hexadecimal ASCII code of a character to be used to denote comment lines. This character must appear at the beginning of any line that is to be interpreted as a comment. Typically this character is # (hexadecimal 23).
FieldDelimiter
    A string that contains the hexadecimal ASCII code of a character to be used to delimit each field within a record. Typically this character is a colon (hexadecimal 3A).
FieldNamesAndPositions
    An array of dictionaries. Each dictionary is one field within the record. Each dictionary contains the FieldName and its position (zero based) within the record. The field names must be Mac OS X directory services attributes such as dsAttrTypeStandard:RecordName.
FilePath
    The path to the BSD configuration file.
NumberOfFields
    Specifies how many fields are in each record.
PasswordArrayIndex (optional)
    Specifies which field in each record contains the password.
RecordDelimiter
    Specifies the hexadecimal ASCII codes of up to eight characters used to delimit the end of a record. Typically this is the newline character (hexadecimal 0A).
RecordNameIndex
    An index of the field to be used as the record name.
RecordType
    The directory services record type of this record.
ValueDelimiter (optional)
    A string that contains the hexadecimal ASCII code of a character to be used to delimit values within a multivalued field. Typically this is a comma (hexadecimal 2C).

Setting Up Data in BSD Configuration Files
If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in the files and must be in the format required by Mac OS X. You may need to add, modify, or reorganize data in the files. Mac OS X cannot write data to BSD configuration files, so you must make the necessary modifications by using a text editor or other tools.
For detailed specifications of the data required by Mac OS X directory services, see Appendix A, “Open Directory Data Requirements.”

Configuring Directory Access on a Remote Computer
You can use the Directory Access application to configure a computer that uses Mac OS X version 10.2 or later. Remote configuration is initially disabled on Mac OS X client computers and is initially enabled on Mac OS X Servers.
Note: Apple recommends that remote configuration never be disabled on a Mac OS X Server.
To configure directory access on a remote computer:
1 Make sure the remote computer has remote access enabled. On the remote computer, open Directory Access. If its Server menu includes Enable Remote Configuration, choose this item.
2 In Directory Access on your computer, choose Connect from the Server menu.
3 Enter the connection and authentication information for the computer that you want to configure, then click Connect. For Address, enter the DNS name or IP address of the server that you want to configure. For User Name, enter the user name of an administrator on the server. For Password, enter the password for the user name you entered.
4 Click the Services, Authentication, and Contacts tabs and change settings as needed. All the changes you make affect the remote computer to which you connected in the foregoing steps.
5 When you finish configuring the remote computer, choose Disconnect from the Server menu on your computer.

Monitoring Directory Services
You can use the Server Status application to view directory service status and directory service logs.
The following logs are available:
• Local directory client log
• LDAP server log
• NetInfo server log
To see directory services status or logs:
1 In Server Status, select Directory Servers in the Devices & Services list.
2 Click the Overview tab to see status information.
3 Click the Logs tab and choose a log from the Show pop-up menu.

Backing Up and Restoring Directory Services Files
You can back up the following directory services data:
• Open Directory domain data: Information associated with Open Directory domains is stored in files that reside in /var/db/netinfo/. Back up the entire directory.
• Authentication Manager for Windows data: If you upgraded your Mac OS X Server from an earlier version and enabled the Authentication Manager for Windows clients before upgrading, a file containing the encrypted password for each NetInfo domain on the server is stored in /var/db/netinfo/. If the NetInfo database name is MyDomain, the encryption key file is .MyDomain.tim. After restoring the domain, restore the corresponding .tim file to ensure proper authentication for Windows users who are configured to use Authentication Manager.
• Directory services configuration: Configurations set up using the Directory Access application are stored in /Library/Preferences/DirectoryService/. Back up the entire directory. Before backing up this data, quit Directory Access.

Chapter 3
Users and Groups
User and group accounts play a fundamental role in a server’s day-to-day operations:
• A user account stores data Mac OS X Server needs to validate a user’s identity and provide services for the user, such as access to particular files on the server and preferences that various services use.
• A group account offers a simple way to manage a collection of users with similar needs. A group account stores the identities of users who belong to the group as well as information that lets you customize the working environment for members of a group.
This chapter begins by highlighting the main characteristics of user and group accounts, then goes on to summarize the aspects of account administration and tell you how to
• manage user accounts
• manage home directories
• manage group accounts
• find user and group accounts defined on your network
• use Workgroup Manager shortcuts for defining users and groups
• import user and group accounts from a file
• set up a password validation scheme for each user
Most of the information in this chapter does not require extensive server administration or UNIX experience, but here are several suggestions for server administrators:
• An understanding of Mac OS X Server’s directory service options is very useful for working with user and group accounts in different kinds of directory domains and for creating and using Password Servers. Chapter 2, “Directory Services,” provides conceptual information as well as directory domain and Password Server setup instructions.
• The dsimportexport tool information may be easier to understand if you have experience with command-line tools.
• Kerberos information presumes a working familiarity with Kerberos.

How User Accounts Are Used
When you define a user’s account, you specify the information needed to prove the user’s identity: user name, password, and user ID. Other information in a user’s account is needed by various services—to determine what the user is authorized to do and perhaps to personalize the user’s environment.

Authentication
Before a user can log in to or connect with a Mac OS X computer, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that are stored in a directory domain of the computer’s search policy. A directory domain is like a database that a computer is configured to access in order to retrieve configuration information.
A search policy is a list of directory domains the computer searches when it needs configuration information, starting with the local directory domain on the user’s computer. Chapter 2, “Directory Services,” describes the different kinds of directory domains and tells you how to configure search policies on any Mac OS X computer.
In the following picture, for example, a user logs in to a Mac OS X computer that can locate the user’s account in a directory domain of its search policy. After login, the user can connect to a remote Mac OS X computer if the user’s account can be located within the search policy of the remote computer.
[Figure: Log in to Mac OS X (directory domains in search policy); Connect to Mac OS X Server (directory domains in search policy)]
If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password can be validated, the user is authenticated and the login or connection process is completed.
After logging in to a Mac OS X computer, a user has access to all the resources, such as printers and share points, defined in directory domains of the search policy set up for the user’s computer. A share point is a hard disk (or hard disk partition), CD-ROM disc, or folder that contains files you want users to share. The user can access his home directory by clicking Home in a Finder window or in the Finder’s Go menu.
A user does not have to log in to a server to gain access to resources on a network, however. For example, when a user connects to a Mac OS X computer, the user can access files he or she is authorized to access on the computer, although the file system may prompt the user to enter a user name and password first. When a user accesses a server’s resources without logging in to the server, the search policy of the user’s computer is still in force, not the search policy of the computer the user has connected with.
Password Validation
When authenticating a user, Mac OS X first locates the user’s account and then uses the password strategy designated in the user’s account to validate the user’s password. There are several password strategies from which to choose:
• The password a user provides can be validated using a value stored in the user’s account. The account can be stored in a server-resident directory domain or in a directory domain that resides on another vendor’s directory server, such as an LDAP or Active Directory server.
• The password a user provides can be validated using a value stored in an Open Directory Password Server.
• A Kerberos server can be used to validate the password.
• A non-Apple LDAP server can be used to validate the password.
Clients needing password validation, such as login window and the AFP server, call Mac OS X directory services. Directory services determine from the user’s account how to validate the password.
• Directory services can validate a password stored in the account or by interacting with the Password Server or a remote LDAP directory server (using LDAP bind authentication).
• If a Kerberos server is used to validate a user, when the user accesses a Kerberized client, such as Mac OS X AFP or mail, the client interacts directly with the Kerberos server to validate the user. Then the client interacts with directory services to retrieve the user’s record for other information it needs, such as the user ID (UID) or primary group ID.
[Figure: Directory services; Password Server; Kerberos server; Directory server; User account. The password provided can be validated using a value stored in the account.]

Information Access Control
All directories (folders) and files on Mac OS X computers have access privileges for the file’s owner, a group, and everyone else. Mac OS X uses a particular data item in a user’s account—the UID—to keep track of directory and file access privileges.
[Figure, continued: The password can also be validated using a value stored on another server on the network.]
[Figure: MyDoc. Owner 127 can: Read & Write. Group 2017 can: Read only. Everyone else can: None.]

Directory and File Owner Access
When a directory or file is created, the file system stores the UID of the user who created it. When a user with that UID accesses the directory or file, he or she has read and write privileges to it by default. In addition, any process started by the creator has read and write privileges to any files associated with the creator’s UID.
If you change a user’s UID, the user may no longer be able to modify or even access files and directories he or she created. Likewise, if the user logs in as a user whose UID is different from the UID he or she used to create the files and directories, the user will no longer have owner access privileges for them.

Directory and File Access by Other Users
The UID, in conjunction with a group ID, is also used to control access by users who are members of particular groups. Every user belongs to a primary group. The primary group ID for a user is stored in his user account. When a user accesses a directory or file and the user is not the owner, the file system checks the file’s group privileges.
• If the user’s primary group ID matches the ID of the group associated with the file, the user inherits group access privileges.
• If the user’s primary group ID does not match the file’s group ID, Mac OS X searches for the group account that does have access privileges. The group account contains a list of the short names of users who are members of the group. The file system maps each short name in the group account to a UID, and if the user’s UID matches a UID of a group member, the user is granted group access privileges for the directory or file.

Administration Privileges
A user’s administrator privileges are stored in the user’s account.
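Before going further into administrator privileges, the owner/group/everyone lookup order described above, as an added example that is not the file system’s own code. It uses the owner 127 and group 2017 values from the MyDoc figure and made-up user and group records; it also shows the effect of changing a user’s UID, which the owner-access section warns about.

```python
READ, WRITE = "read", "write"

# Constructed directory records (short names, UIDs and group IDs are made up).
USERS = {            # short name -> (UID, primary group ID)
    "pat":    (127, 20),     # owner of MyDoc
    "mlee":   (502, 2017),   # primary group matches MyDoc's group
    "kim":    (503, 20),     # reaches the group only through its member list
    "jsmith": (501, 20),     # neither owner nor group member
}
GROUPS = {           # group ID -> (group name, member short names)
    20:   ("staff", []),
    2017: ("writers", ["kim"]),
}

# MyDoc as in the figure: owner 127 read & write, group 2017 read only, everyone else nothing.
MYDOC = {"owner": 127, "group": 2017,
         "privileges": {"owner": {READ, WRITE}, "group": {READ}, "everyone": set()}}

def access_class(uid, primary_gid, item, users=USERS, groups=GROUPS):
    """Return which privilege class applies: "owner", "group" or "everyone".

    Order of checks follows the text: owner UID first; then the user's primary
    group ID against the item's group ID; then the group account's member list,
    with each short name mapped back to a UID; otherwise everyone else."""
    if uid == item["owner"]:
        return "owner"
    if primary_gid == item["group"]:
        return "group"
    group = groups.get(item["group"])
    if group is not None:
        member_uids = {users[name][0] for name in group[1] if name in users}
        if uid in member_uids:
            return "group"
    return "everyone"

def can(short_name, item, want, users=USERS, groups=GROUPS):
    """True if the named user holds the wanted privilege (READ or WRITE) on item."""
    uid, primary_gid = users[short_name]
    cls = access_class(uid, primary_gid, item, users, groups)
    return want in item["privileges"][cls]

if __name__ == "__main__":
    for name in USERS:
        print(name, "read:", can(name, MYDOC, READ), "write:", can(name, MYDOC, WRITE))
    # Changing pat's UID (constructed) leaves the file owned by UID 127, so pat loses owner access.
    renumbered = dict(USERS, pat=(601, 20))
    print("pat after UID change, read:", can("pat", MYDOC, READ, users=renumbered))
```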
Administrator privileges determine the extent to which the user can view information about or change the settings of a particular Mac OS X Server or a particular directory domain residing on Mac OS X Server.

Server Administration
Server administration privileges control the powers a user has when logged in to a particular Mac OS X Server. For example:
• A user who is a server administrator can use Server Status and can make changes to a server’s search policy using Directory Access.
• A server administrator can see all the AFP directories on the server, not just share points.
When you assign server administration privileges to a user, the user is added to the group named “admin” in the local directory domain of the server. Many Mac OS X applications—such as Server Status, Directory Access, and System Preferences—use the admin group to determine whether a particular user can perform certain activities with the application.

Local Mac OS X Computer Administration
Any user who belongs to the group “admin” in the local directory domain of any Mac OS X computer has administrator rights on that computer.

Directory Domain Administration
When you want certain users to be able to use Workgroup Manager to manage only certain user, group, and computer accounts residing in Apple’s directory domains, you can make them directory domain administrators. For example, you may want to make a network administrator the server administrator for all your classroom servers, but give individual teachers the privileges to manage student accounts in particular directory domains.
Any user who has a user account in a directory domain can be made an administrator of that domain. You can control the extent to which a directory domain administrator can change account data stored in a domain.
For example, you may want to set up directory domain privileges so that your network administrator can add and remove user accounts, but other users can change the information for particular users. Or you may want different users to be able to manage different groups.
When you assign directory domain administration privileges to a user, the user is added to the admin group of the server on which the directory domain resides.

Home Directories
The location of a user’s home directory is stored in the user account. A home directory is a folder where a user’s files and preferences are stored. Other users can see a user’s home directory and read files in its Public folder, but they can’t (by default) access anything else in that directory.
When you create a user in a directory domain on the network, you specify the location of the user’s home directory on the network, and the location is stored in the user account and used by various services, including the login window and Mac OS X managed user services. Here are several examples of activities that use the location of the home directory:
• A user’s home directory is displayed when the user clicks Home in a Finder window or chooses Home from the Finder’s Go menu.
• Home directories that are set up for mounting automatically in a network location, such as /Network/Servers, appear in the Finder on the computer where the user logs in.
• System preferences and managed user settings for Mac OS X users are retrieved from their home directories and used to set up their working environments when they log in.

Mail Settings
You can create a Mac OS X Server mail service account for a user by setting up mail settings in the user’s account. To use the mail account, the user simply configures a mail client using the user name, password, mail service, and mail protocol you specify in the mail settings.
Mail account settings let you enable and disable the user’s access to mail services running on a particular Mac OS X Server. You can also manage such account characteristics as how to handle automatic message arrival notification.
Settings for Mac OS X mail service are configured using Server Settings, as Chapter 9, “Mail Service,” describes.

Resource Usage
Disk, print, and mail quotas can be stored in a user account. Mail and disk quotas limit the number of megabytes a user can use for mail or files. Print quotas limit the number of pages a user can print using Mac OS X Server print services. Print quotas also can be used to disable a user’s print service access altogether. User print settings work in conjunction with print server settings, which are explained in “Enforcing Quotas for a Print Queue” on page 322.

User Preferences
Any preferences you define for a Mac OS X user are stored in the user’s account. Preferences you define for Mac OS 8 and 9 users are stored using Macintosh Manager. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about user preferences.

How Group Accounts Are Used
A group is simply a collection of users who have similar needs. For example, you can add all English teachers to one group and give the group access privileges to certain files or folders on Mac OS X Server.
Groups simplify the administration of shared resources. Instead of granting access to various resources to each individual who needs them, you can simply add the users to a group and grant access to the group.

Information Access Control
Information in group accounts is used to help control user access to directories and files. See “Directory and File Access by Other Users” on page 125 for a description of how this works.

Group Directories
When you define a group, you can also specify a directory for storing files you want group members to share.
The location of the directory is stored in the group account. You can grant administration privileges for a group directory to a user. A group directory administrator has owner privileges for the group directory and can use the Finder to change group directory attributes.

Workgroups

When you define preferences for a group, it is known as a workgroup. A workgroup provides you with a way to manage the working environment of group members. Any preferences you define for a Mac OS X workgroup are stored in the group account. Preferences for Mac OS 8 and 9 workgroups are stored using Macintosh Manager. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for a description of workgroup preferences.

Computer Access

You can set up computer accounts, which let you restrict access to particular computers by members of specific groups. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for a description of how to set up computer accounts and specify preferences for them.

Kinds of Users and Groups

Mac OS X Server uses several different kinds of users and groups. Most of these are user-defined—user and group accounts that you create. There are also some predefined user and group accounts, which are reserved for use by Mac OS X.

Users and Managed Users

Depending on how you have your server and your user accounts set up, users can log in using Mac OS 8, 9, and X computers; Windows computers; or UNIX computers—stationary or portable—and be supported by Mac OS X Server in their work. Most users have an individual account, which is used to authenticate them and control their access to services. When you want to personalize a user’s environment, you define user, group, and/or computer preferences for the user. Sometimes the term “managed client” or “managed user” is used for a user who has preferences associated with his account.
“Managed client” is also used to refer to computer accounts that have preferences defined for them. When a managed user logs in, the preferences that take effect are a combination of his or her user preferences and the preferences set up for any workgroup or computer list he or she belongs to. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for managed user information.

Groups, Primary Groups, and Workgroups

As noted earlier, when you define preferences for a group, the group is known as a workgroup. A primary group is the user’s default group. As “Directory and File Access by Other Users” on page 125 describes, primary groups can expedite the checking done by the Mac OS X file system when a user accesses a file.

Administrators

Users with server or directory domain administration privileges are known as administrators. Administrators are always members of the predefined “admin” group.

Guest Users

Sometimes you want to provide services for individuals who are anonymous—that is, they can’t be authenticated because they don’t have a valid user name or password. These users are known as guest users. Some services, such as AFP, let you indicate whether you want to let guest users access files. If you enable guest access, users who connect anonymously are restricted to files and folders with privileges set to Everyone.

Another kind of guest user is a managed user that you can define to allow easy setup of public computers or kiosk computers. See Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more about these kinds of users.

Predefined Accounts

The following table describes the user accounts that are created automatically when you install Mac OS X (unless otherwise indicated).

Predefined user name     Short name   UID   Use
Anonymous FTP User       ftp          98    The user name given to anyone using FTP as an anonymous user. This user is created the first time the FTP server is accessed if the FTP server is turned on, if anonymous FTP access is enabled, and if the anonymous-ftp user does not already exist.
Macintosh Manager User   mmuser       -17   The user created by Macintosh Management Server when it is first started on a particular server. It has no home directory, and its password is changed periodically.
System Administrator     root         0     The most powerful user.
System Services          daemon       1     A legacy UNIX user.
Sendmail User            smmsp        25    The user that sendmail runs as.
Unknown User             unknown      99    The user that is used when the system doesn’t know about the hard drive.
Unprivileged User        nobody       -2    This user was originally created so that system services don’t have to run as System Administrator. Now, however, service-specific users, such as World Wide Web Server, are often used for this purpose.
World Wide Web Server    www          70    The nonprivileged user that Apache uses for its processes that handle requests.
MySQL Server             mysql        74    The user that the MySQL database server uses for its processes that handle requests.

The following table characterizes the group accounts that are created automatically when you install Mac OS X.

Predefined group name   Group ID   Use
admin                   80         The group to which users with administrator privileges belong.
bin                     7          A group that owns all binary files.
daemon                  1          A group used by system services.
dialer                  68         A group for controlling access to modems on a server.
guest                   31
kmem                    2          A legacy group used to control access to reading kernel memory.
mail                    6          The group historically used for access to local UNIX mail.
mysql                   74         The group that the MySQL database server uses for its processes that handle requests.
network                 69         This group has no specific meaning.
nobody                  -2         A group used by system services.
nogroup                 -1         A group used by system services.
operator                5          This group has no specific meaning.
smmsp                   25         The group used by sendmail.
staff                   20         The default group into which UNIX users are traditionally placed.
sys                     3          This group has no specific meaning.
tty                     4          A group that owns special files, such as the device file associated with an SSH or telnet user.
unknown                 99         The group used when the system doesn’t know about the hard drive.
utmp                    45         The group that controls what can update the system’s list of logged-in users.
uucp                    66         The group used to control access to UUCP spool files.
wheel                   0          Another group (in addition to the admin group) to which users with administrator privileges belong.
www                     70         The nonprivileged group that Apache uses for its processes that handle requests.

Setup Overview

These are the major user and group administration activities:

• Step 1: Before you begin, do some planning.
• Step 2: Set up directory domains in which user and group accounts will reside.
• Step 3: Configure server search policies so servers can find user and group accounts.
• Step 4: Set up share points for home directories.
• Step 5: Set up share points for group directories.
• Step 6: Create users.
• Step 7: Create groups.
• Step 8: Set up client computers.
• Step 9: Review user and group account information as needed.
• Step 10: Update users and groups as needed.
• Step 11: Perform ongoing user and group account maintenance.

Following is a summary of each of these activities. See the pages indicated for detailed information.

Step 1: Before you begin, do some planning
See “Before You Begin” on page 135 for a list of items to think about before you start creating a large number of users and groups.

Step 2: Set up directory domains in which user and group accounts will reside
Make sure you have created any directory domain in which you’ve decided to store user and group accounts. See Chapter 2, “Directory Services,” for instructions on creating shared, or network-visible, domains. Make sure that any user who will be using Workgroup Manager to add and change users and groups in directory domains has directory domain administration privileges in the domains for which the user is responsible.

You can use Workgroup Manager to add and change user and group accounts that reside in NetInfo or LDAPv3 directory domains. If you will be using LDAPv2, read-only LDAPv3, BSD configuration file, or other read-only directory domains, make sure the domains are configured to support Mac OS X Server access and that they provide the data you need for user and group accounts. It may be necessary to add, modify, or reorganize information in a directory to provide the information in the format needed:

• Chapter 2, “Directory Services,” describes how to configure Mac OS X Server to access remote servers on which these domains reside to retrieve information.
• Appendix A, “Open Directory Data Requirements,” describes the user and group account data formats that Mac OS X expects. When you configure your Mac OS X Server directory services to use directory domains that do not reside on Mac OS X Server, you may need to refer to this appendix to determine the data mapping requirements for particular kinds of directory domains.

Step 3: Configure server search policies so servers can find user and group accounts
Make sure that the search policy of any server that needs to access user and group information to provide services for particular users is configured to do so. Chapter 2, “Directory Services,” tells you how to set up search policies.

Step 4: Set up share points for home directories
Before you assign a home directory to a user, you need to define the share point in which the home directory will reside. You also need to configure the share point to automatically mount on the user’s computer when he or she logs in.
See “Distributing Home Directories Across Multiple Servers” on page 156 through “Setting Up NFS Home Directory Share Points” on page 160 for information about setting up share points.

Step 5: Set up share points for group directories
A group directory is like a home directory for group users. It is a directory for storing documents, applications, and other items you want to share among group members. See “Working With Volume Settings for Groups” on page 170 for information about setting up group directories.

Step 6: Create users
You can use Workgroup Manager to create user accounts in directory domains that reside on Mac OS X Server and in non-Apple LDAPv3 directory domains that have been configured for write access. See these sections for instructions:

• “Creating User Accounts in Directory Domains on Mac OS X Server” on page 137 and “Creating Read-Write LDAPv3 User Accounts” on page 138
• “Shortcuts for Working With Users and Groups” on page 176
• “Using Presets” on page 176
• “Importing and Exporting User and Group Information” on page 178

For working with read-only user accounts, see “Working With Read-Only User Accounts” on page 139. For details about all the settings for a user account, see “Working With Basic Settings for Users” on page 139 through “Working With Managed Users” on page 154. For details about setting up managed users, see Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8.” When you use managed users, creating users in a network directory domain is optional. All users can be locally defined on client computers.

Step 7: Create groups
You can use Workgroup Manager to create group accounts in directory domains that reside on Mac OS X Server and in non-Apple LDAPv3 directory domains that have been configured for write access.
See these sections for instructions:

• “Creating Group Accounts in a Directory Domain on Mac OS X Server” on page 165 and “Creating Read-Write LDAPv3 Group Accounts” on page 166
• “Shortcuts for Working With Users and Groups” on page 176
• “Using Presets” on page 176
• “Importing and Exporting User and Group Information” on page 178

For working with read-only group accounts, see “Working With Read-Only Group Accounts” on page 167. For details about all the settings for a group account, see “Working With Member Settings for Groups” on page 167 through “Working With Group and Computer Preferences” on page 173.

Step 8: Set up client computers
Make sure that the directory services of Mac OS X computers are set up so they can access user accounts at login. See “Supporting Client Computers” on page 202 for details about how to configure Mac OS X computers as well as other client computers so that users can be authenticated and access the services you want them to.

Step 9: Review user and group account information as needed
Workgroup Manager makes it easy for you to review and optionally update information for users and groups. See the sections starting with “Finding User and Group Accounts” on page 173 for details.

Step 10: Update users and groups as needed
As users come and go and the requirements for your servers change, keep user and group records up to date. Information in these sections will be useful:

• “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 describe all the user account settings you may need to change.
• “Defining a Guest User” on page 154 through “Disabling a User Account” on page 155 describe common user account maintenance activities.
• “Working With Member Settings for Groups” on page 167 describes the group account settings you may need to change.
• “Adding Users to a Group” on page 168, “Removing Users From a Group” on page 168, and “Deleting a Group Account” on page 173 describe some group maintenance activities.

Step 11: Perform ongoing user and group account maintenance
Information in these sections will help you with your day-to-day account maintenance activities:

• “Monitoring a Password Server” on page 197
• “Solving Problems” on page 202
• “Backing Up and Restoring Files” on page 201

Before You Begin

Before setting up user and group accounts for the first time:

• Identify the directory domains in which you will store user and group account information. If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing records. See Chapter 2, “Directory Services,” for details about the directory domain options available to you. If you have an earlier version of an Apple server, you might be able to migrate existing records. See Upgrading to Mac OS X Server for available options. Create new directory domains as required to store user records. See Chapter 2, “Directory Services,” for instructions.

Note: If all the domains have not been finalized when you are ready to start adding accounts, simply add them to any domain that already exists on your server. (You can use the local directory domain—it’s always available.) You can move users and groups to another directory domain later by using your server’s export and import capabilities, described in “Importing and Exporting User and Group Information” on page 178.

• Determine which password verification policy or policies you will use. See “Understanding Password Validation” on page 189 for information about the options.
• Determine which users you want to make managed users. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for planning guidelines.
• Devise a home directory strategy.
Determine which users need home directories and identify the computers on which you want user home directories to reside. For performance reasons, avoid using network home directories over network connections slower than 100 Mbps.

A user’s network home directory does not need to be stored on the same server as the directory domain containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your network workload. “Distributing Home Directories Across Multiple Servers” on page 156 and “Setting Up Home Directories for Users Defined in Existing Directory Servers” on page 157 describe several such scenarios.

You may want to store home directories for users with last names from A to F on one computer, G to J on another, and so on. Or you may want to store home directories on a Mac OS X Server but store user and group accounts on an Active Directory or LDAP server.

Pick a strategy before creating users. You can move home directories, but if you do, you may need to change a large number of user and share point (mount) records.

Determine the access protocol to use for the home directories. Most of the time you will use AFP, but if you support a large number of UNIX clients with your server, you may want to use NFS for them. “Choosing a Protocol for Home Directories” on page 160 provides some information on this topic.

Once you have decided how many and which computers you want to use for home directories, plan the domain name or IP address of each computer. Also determine the names and any share points on computers that will be used for home directories.

• Determine the groups and workgroups you will need. Users with similar server requirements should be placed in the same group. Workgroups are useful when you want to set up group preferences. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for guidelines on using workgroups.
Determine where you want to store group directories.

• Decide who you want to be able to administer users and groups and make sure they have administrator privileges. “Administration Privileges” on page 125 describes administrator privileges.

When you use Server Assistant to initially configure your server, you specify a password for the owner/administrator. The password you specify also becomes the root password for your server. Use Workgroup Manager to create an administrator user with a password that is different from the root password. Server administrators do not need root privileges. The root password should be used with extreme caution and stored in a secure location. The root user has full access to the system, including system files. If you need to, you can use Workgroup Manager to change the root password.

• Decide how you want to configure client computers so that the users you want to support can effortlessly log in and work with your server. Chapter 2, “Directory Services,” provides some information about this topic.

Administering User Accounts

This section describes how to administer user accounts stored in various kinds of directory domains.

Where User Accounts Are Stored

User accounts, as well as group accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account. A directory domain can reside on a Mac OS X computer (for example, a NetInfo or LDAPv3 domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server).

You can use Workgroup Manager to work with accounts in all kinds of directory domains, but you can update only NetInfo and LDAPv3 directory domains using Workgroup Manager. See Chapter 2, “Directory Services,” for complete information about the different kinds of Open Directory domains.
Creating User Accounts in Directory Domains on Mac OS X Server

You need administrator privileges for a directory domain to create a new user account in it.

To create a user account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the domain of interest. See Chapter 2, “Directory Services,” for instructions.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the domain in which you want the user’s account to reside.
4 Click the lock to be authenticated as a directory domain administrator.
5 From the Server menu, choose New User.
6 Specify settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

You can also use a preset or an import file to create a new user. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Creating Read-Write LDAPv3 User Accounts

You can create a user account on a non-Apple LDAPv3 server if it has been configured for write access.

To create an LDAPv3 user account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for user accounts. See Chapter 2, “Directory Services,” for details about how to use Directory Access to configure an LDAP connection and Appendix A, “Open Directory Data Requirements,” for information about the user account elements that may need to be mapped.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the LDAPv3 domain in which you want the user’s account to reside.
4 Click the lock to be authenticated.
5 From the Server menu, choose New User.
6 Specify settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.
You can also use a preset or an import file to create a new user. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Changing User Accounts

You can use Workgroup Manager to change a user account that resides in a Mac OS X or non-Apple LDAPv3 directory domain.

To make changes to a user account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain of interest. See Chapter 2, “Directory Services,” for instructions.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the domain in which the user’s account resides.
4 Click the lock to be authenticated.
5 Click the User tab to select the user you want to work with.
6 Edit settings for the user in the tabs provided. See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

Working With Read-Only User Accounts

You can use Workgroup Manager to review information for user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

To work with a read-only user account:
1 Ensure that the directory services of the Mac OS X Server you are using have been configured to access the directory domain in which the account resides. See Chapter 2, “Directory Services,” for information about using Directory Access to configure server connections and Appendix A, “Open Directory Data Requirements,” for information about the user account elements that need to be mapped.
2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the directory domain in which the user’s account resides.
4 Use the tabs provided to review the user’s account settings.
See “Working With Basic Settings for Users” on page 139 through “Working With Print Settings for Users” on page 151 for details.

Working With Basic Settings for Users

Basic settings are a collection of attributes that must be defined for all users. In Workgroup Manager, use the Basic tab in the user account window to work with basic settings.

Defining User Names

The user name is the long name for a user. Sometimes the user name is referred to as the “real” name. Users can log in using the user name or a short name associated with their accounts.

A user name can contain as many as 255 characters (127 double-byte characters). Use only these characters:

• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)
• . (period)
• (space)

For example, Dr. Arnold T. Smith.

You can use Workgroup Manager to edit the user name of an account stored in a directory domain residing on Mac OS X Server or in a non-Apple LDAPv3 directory domain, or to review the user name in any directory domain accessible from the server you are using.

To work with the user name using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the name, click the lock to be authenticated. Select the user in the user list.
2 In the Name field on the Basic tab, review or edit the user name. Initially, the value of the user name is “Untitled .” When you change the name, Workgroup Manager does not check to verify that the user name is unique.

Defining Short Names

A short name is an abbreviated name for a user. Users can log in using the short name or the user name associated with their accounts.

The short name is used by Mac OS X for home directories and groups:

• When Mac OS X automatically creates a user’s home directory, it names the directory after the user’s short name.
See “Administering Home Directories” on page 155 for more information about home directories.
• When Mac OS X checks to see whether a user belongs to a group authorized to access a particular file, it uses short names to find UIDs of group members. See “Avoiding Duplicate Short Names” on page 143 for an example.

You can have as many as 16 short names associated with a user account, but the first one in the list must consist of all 7-bit ASCII characters, with no symbols or spaces. The first short name is the name used for home directories and group membership lists.

A short name can contain as many as 255 characters (127 double-byte characters). Use only these characters:

• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)
• . (period)

Typically, short names contain eight or fewer characters.

You can use Workgroup Manager to edit the short name of an account stored in a directory domain on Mac OS X Server or a non-Apple LDAPv3 directory domain, or to review the short name in any directory domain accessible from the server you are using.

To work with a user’s short name using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the short name, click the lock to be authenticated. Select the user in the user list.
2 In the Short Names field on the Basic tab, review or edit the short names. Initially, the value of the short name is “untitled_.” If you specify multiple short names, each should be on its own line. After the user’s account has been saved, you cannot change the first short name, but you can change others in a list of short names.

Choosing Stable Short Names

When you create groups, Mac OS X identifies users in them by their first short name, which can’t be changed.
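The naming rules above (the user name and short name character sets, the 255-character limit, the cap of 16 short names, the 7-bit ASCII first short name, and the first short name being fixed once the account is saved) as a validator. This is an added example, not Apple’s or Workgroup Manager’s code; the function names are mine, and the unit-counting for the 255/127 limit is an assumption drawn from the two figures the text gives.

```python
"""Validate Workgroup Manager user names and short names.

Added example (not Apple's code) encoding the rules stated in the text:
user names of at most 255 characters drawn from a-z, A-Z, 0-9, underscore,
hyphen, period and space; short names from the same set minus space; at
most 16 short names, the first 7-bit ASCII and fixed once the account is saved.
"""
import re

MAX_NAME_LEN = 255       # stated as 255 characters or 127 double-byte characters
MAX_SHORT_NAMES = 16
USER_NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]+")
SHORT_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def name_length(name):
    """Assumed reading of the 255/127 limit: a character outside 7-bit ASCII
    costs two units, anything else costs one."""
    return sum(2 if ord(ch) > 127 else 1 for ch in name)


def validate_user_name(name):
    """Return the list of rule violations for a long (real) user name;
    an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["user name is empty"]
    if name_length(name) > MAX_NAME_LEN:
        problems.append("user name exceeds 255 characters")
    if not USER_NAME_RE.fullmatch(name):
        problems.append("user name uses characters outside a-z, A-Z, 0-9, _, -, . and space")
    return problems


def validate_short_names(short_names):
    """Return the list of rule violations for the ordered short-name list."""
    problems = []
    if not short_names:
        return ["at least one short name is required"]
    if len(short_names) > MAX_SHORT_NAMES:
        problems.append("more than 16 short names")
    if not short_names[0].isascii():
        problems.append("first short name must be 7-bit ASCII")
    for index, short in enumerate(short_names):
        if name_length(short) > MAX_NAME_LEN:
            problems.append("short name %d exceeds 255 characters" % index)
        if not SHORT_NAME_RE.fullmatch(short):
            problems.append("short name %d uses characters outside a-z, A-Z, 0-9, _, -, ." % index)
    if len(set(short_names)) != len(short_names):
        problems.append("the same short name is listed twice")
    return problems


def validate_short_name_change(saved, proposed):
    """Check an edit to an already saved account: the first short name is
    fixed (it names the home directory and appears in group member lists);
    the other entries may be added, removed or changed."""
    problems = validate_short_names(proposed)
    if saved and proposed and proposed[0] != saved[0]:
        problems.append("first short name cannot change after the account is saved")
    return problems
```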
If a short name change is unavoidable, you can create a new account for the user (in the same directory domain) that contains the new short name but retains all other information (UID, primary group, home directory, and so forth). Then disable login for the old user account. Now the user can log in using the changed name, yet have the same access to files and other network resources as before. (See “Disabling a User Account” on page 155 for information on disabling use of an account for login.)

Avoiding Duplicate Names

If separate user accounts have the same name (user name or short name) and password, a Mac OS X computer may authenticate a user different from the one you want it to authenticate. Or it may mask the user record that should be used for authentication.

Consider an example that consists of three shared directory domains. Tony Smith has an account in the Students domain, and Tom Smith has an account in the root domain. Both accounts contain the short name “tsmith” and the password “smitty.”

When Tony logs in to his computer with the user name “tsmith” and the password “smitty,” he is authenticated using the record in the Students domain. Similarly, Tom can use the same login entries at his computer and be authenticated using his record in the root domain. If Tony and Tom ever logged in to each other’s computers using tsmith and smitty, they would both be authenticated, but not with the desired results. Tony could access Tom’s files, and vice versa.

Now let’s say that Tony and Tom have the same short name, but different passwords. If Tom attempts to log in to Tony’s computer using the short name “tsmith” and his password (smitty), his user record is masked by Tony’s user record in the Students domain. Mac OS X finds “tsmith” in Students, but its password does not match the one Tom used to log in. Tom is denied access to Tony’s computer, and his record in the root domain is never found.
[Figure: two panels of the directory domain hierarchy, each showing Faculty, Tony’s computer, and Tom’s computer]

If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domain, the Students domain’s record for Tony would be masked. Tony’s local domain should offer a name/password combination that distinguishes it from the Students domain’s record. If the Students domain is not accessible (when Tony works at home, for example), he can log in using the local name and continue using his computer. Tony can still access local files created when he logged in using the Students domain if the UID in both records is the same.

Duplicate short names also have undesirable effects in group records, described in the next section.

Avoiding Duplicate Short Names

Since short names are used to find UIDs of group members, duplicate short names can result in file access being granted to users you hadn’t intended to give access.

Return to the example of Tony and Tom Smith, who have duplicate short names. Assume that the administrator has created a group in the root domain to which all students belong. The group—AllStudents—has a GID of 2017. Now suppose that a file, MyDoc, resides on a computer accessible to both Tony and Tom. The file is owned by a user with the UID 127. It has read-only access privileges for AllStudents. Tom is not a member of AllStudents, but the short name in his user record, “tsmith,” is the same as Tony’s, who is in AllStudents.

[Figure: MyDoc privileges (Owner 127 can: Read & Write; Group 2017 can: Read only; Everyone else can: None) with Faculty, Tony’s computer, and Tom’s computer]

When Tom attempts to access MyDoc, Mac OS X searches the login hierarchy for user records with short names that match those associated with AllStudents. Tom’s user record is found because it resides in the login hierarchy, and the UID in the record is compared with Tom’s login UID.
They match, so Tom is allowed to read MyDoc, even though he’s not actually a member of AllStudents.

Defining User IDs

A user ID (UID) is a number that uniquely identifies a user. Mac OS X computers use the UID to keep track of a user’s directory and file ownership. When a user creates a directory or file, the UID is stored as the creator ID. A user with that UID has read and write privileges to the directory or file by default.

The UID should be a unique string of digits from 500 through 2,147,483,647. Assigning the same UID to different users is risky, since two users with the same UID have identical directory and file access privileges. The UID 0 is reserved for the root user. UIDs below 100 are reserved for system use; users with these UIDs can’t be deleted and shouldn’t be modified except to change the password of the root user.

You can use Workgroup Manager to edit the UID of an account stored in a NetInfo or LDAPv3 directory domain or to review the UID in any directory domain accessible from the server you are using.

To work with the UID using Workgroup Manager:
1 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To change the UID, click the lock to be authenticated. Select the user in the user list.
2 If you specify a value in the User ID field on the Basic tab, make sure it will be unique in the search policy of computers the user will log in to. When creating new user accounts in any shared directory domain, UIDs are automatically assigned; the value assigned is an unused UID (1025 or greater) in the server’s search path. (New users created using the Accounts Preferences pane on Mac OS X Desktop computers are assigned UIDs starting at 501.)

Once UIDs have been assigned and users start creating files and directories throughout a network, you shouldn’t change UIDs.
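The lookup behaviour in the Tony and Tom Smith example (first-match masking at login, and group membership resolved from short names to UIDs across the whole search policy) together with the duplicate-UID risk noted under Defining User IDs, modelled as an added Python example that is not Apple’s code. The domains, the UIDs 1025 and 1026, and Tom’s second password are constructed sample data, and the audit helper at the end flags the duplicates an administrator would want to find before granting group access.

```python
"""Model of search-policy lookups from the Tony/Tom Smith example.

Added example, not Apple's code. Domains, users and passwords are
constructed sample data; the lookup order (local, Students, root) stands
in for the login hierarchy. Clear-text passwords are a toy simplification.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    short_names: list
    uid: int
    password: str


@dataclass
class Group:
    gid: int
    member_short_names: list


@dataclass
class Domain:
    name: str
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)


# Constructed sample data: Tony (Students) and Tom (root) share "tsmith"
# but have different passwords; AllStudents (GID 2017) lists only tsmith.
TONY = User(["tsmith"], 1025, "smitty")
TOM = User(["tsmith"], 1026, "hunter")
ALL_STUDENTS = Group(2017, ["tsmith"])
SEARCH_POLICY = [
    Domain("local"),
    Domain("Students", users=[TONY]),
    Domain("root", users=[TOM], groups=[ALL_STUDENTS]),
]
# MyDoc: owner 127 may read and write, group 2017 read only, everyone else none.
MYDOC = {"owner": 127, "gid": 2017, "owner_read": True,
         "group_read": True, "other_read": False}


def authenticate(search_policy, short_name, password):
    """Return (domain name, user) on success, else None. Domains are searched
    in order and the FIRST record carrying the short name decides: if its
    password differs, login fails and any later record with the same short
    name is masked and never consulted."""
    for domain in search_policy:
        for user in domain.users:
            if short_name in user.short_names:
                return (domain.name, user) if user.password == password else None
    return None


def group_member_uids(search_policy, group):
    """Resolve member short names to UIDs across the whole search policy.
    Every record carrying one of the names contributes its UID, which is how
    a duplicate short name pulls an outsider into the group."""
    uids = set()
    for short in group.member_short_names:
        for domain in search_policy:
            for user in domain.users:
                if short in user.short_names:
                    uids.add(user.uid)
    return uids


def can_read(search_policy, login_uid, file_record):
    """Owner check, then group check by resolved UIDs, then everyone else."""
    if login_uid == file_record["owner"]:
        return file_record["owner_read"]
    for domain in search_policy:
        for group in domain.groups:
            if group.gid == file_record["gid"] and \
                    login_uid in group_member_uids(search_policy, group):
                return file_record["group_read"]
    return file_record["other_read"]


def find_duplicates(search_policy):
    """Audit helper: return ({short name: [domains]}, {uid: [domains]}) for
    every short name and every UID carried by more than one record."""
    by_short, by_uid = {}, {}
    for domain in search_policy:
        for user in domain.users:
            by_uid.setdefault(user.uid, []).append(domain.name)
            for short in user.short_names:
                by_short.setdefault(short, []).append(domain.name)
    return ({s: d for s, d in by_short.items() if len(d) > 1},
            {u: d for u, d in by_uid.items() if len(d) > 1})
```

Giving Tom a short name of his own removes him from the resolved AllStudents membership, which is the fix the text implies; running find_duplicates over exported account data is the check to make before relying on group-based file privileges.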
One possible scenario in which you may need to change a UID is when merging users created on different servers into one new server or cluster of servers. The same UID may have been associated with a different user on the previous server.

Defining Passwords

See “Understanding Password Validation” on page 189 for details about setting up and managing passwords.

Assigning Administrator Rights for a Server

A user who has server administration privileges can control most of the server’s configuration settings and use applications, such as Server Status, that require a user to be a member of the server’s admin group.

You can use Workgroup Manager to assign server administrator privileges to an account stored in a NetInfo or LDAPv3 directory domain or to review the server administrator privileges in any directory domain accessible from the server you are using.

To work with server administrator privileges in Workgroup Manager:

1 To edit server administrator privileges, log in to Workgroup Manager by specifying the name or IP address of the server for which you want to grant administrator privileges.
2 Click the Account button.
3 Use the At pop-up menu to open the directory domain in which the user’s account resides.
4 To change the privileges, click the lock to be authenticated.
5 In the Basic tab, select the “User can administer the server” option to grant server administrator privileges.

Assigning Administrator Rights for a Directory Domain

A user who has administration privileges for an Apple directory domain is able to make changes to user, group, and computer accounts stored in that domain using Workgroup Manager. The changes the user can make are limited to those you specify.

You can use Workgroup Manager to assign directory domain administrator privileges for an account stored in a NetInfo or LDAPv3 directory domain or to review these privileges in any directory domain accessible from the server you are using.
To work with directory domain administrator privileges in Workgroup Manager:

1 To assign directory domain privileges, ensure the user has an account in the directory domain.
2 In Workgroup Manager, click the Account button.
3 Use the At pop-up menu to open the directory domain in which the user’s account resides.
4 To edit privileges, click the lock to be authenticated.
5 In the Basic tab, select the “User can administer this directory domain” option to grant privileges.
6 Click Privileges to specify what the user should be able to administer in the domain. By default, the user has no directory domain privileges.
7 To work with privileges to change user, group, or computer accounts, click the Users, Groups, or Computers tab, respectively.
8 Select a checkbox to indicate whether you want the user to be able to change account and/or preference settings. If a box is not checked, the user can view the account or preference information in Workgroup Manager, but not change it.
9 Select “For all ...” to allow the user to change information for all users, groups, or computers in the directory domain. Select “For ... listed below” to limit the items a user can change to the list on the right. To add an item to the list, double-click the item in the “Available” list. To remove an item from the list, double-click it.
10 To give the user the ability to add and delete users, groups, or computer accounts, check the “Edit ... accounts” box and select “For all ...”.

Working With Advanced Settings for Users

Advanced settings include login settings, password validation policy, and a comment. In Workgroup Manager, use the Advanced tab in the user account window to work with advanced settings.

Defining Login Settings

By specifying user login settings, you can
• Control whether the user can be authenticated using the account.
• Allow a managed user to simultaneously log in to more than one managed computer at a time or prevent the user from doing so.
• Indicate whether a user of a managed computer can or must select a workgroup during login or whether you want to avoid showing workgroups when the user logs in.
• Identify the default shell the user will use for command-line interactions with Mac OS X, such as /bin/csh or /bin/tcsh. The default shell is used by the Terminal application on the computer the user is logged in to, but Terminal has a preference that lets you override the default shell. The default shell is used by SSH (Secure Shell) or Telnet when the user logs in to a remote Mac OS X computer.

You can use Workgroup Manager to define login settings of an account stored in a NetInfo or LDAPv3 directory domain or to review login settings in any directory domain accessible from the server you are using.

To work with login settings using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit settings, click the lock to be authenticated. Select the user in the user list.
2 Click the Advanced tab.
3 Select “Allow simultaneous login” to let a user log in to more than one managed computer at a time.
4 During Login pop-up menu options let you choose a workgroup option if the user is using a managed computer. Choose an option if appropriate.
5 Choose a shell from the Login Shell pop-up menu to specify the default shell for the user when logging in to a Mac OS X computer. Click Custom if you want to enter a shell that does not appear on the list. To make sure a user cannot access the server remotely using a command line, use the option None.

Defining a Password Validation Strategy

For details about setting up and managing passwords, see “Understanding Password Validation” on page 189.
Editing Comments

You can save a comment in a user’s account to provide whatever documentation might help with administering the user. A comment can be as long as 32,676 characters.

You can use Workgroup Manager to define the comment of an account stored in a NetInfo or LDAPv3 directory domain or to review the comment in any directory domain accessible from the server you are using.

To work with a comment using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit a comment, click the lock to be authenticated. Select the user in the user list.
2 Click the Advanced tab.
3 Edit or review the contents of the Comment field.

Working With Group Settings for Users

Group settings identify the groups a user is a member of. In Workgroup Manager, use the Groups tab in the user account window to work with group settings. See “Administering Group Accounts” on page 165 for information on administering groups.

Defining a User’s Primary Group

A primary group is the group to which a user belongs by default. The ID of the primary group is used by the file system when the user accesses a file he or she does not own. The file system checks the file’s group privileges, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access privileges. The primary group offers the fastest way to determine whether a user has group privileges for a file.

The primary group ID should be a unique string of digits. By default, it is 20 (which identifies the group named “staff”), but you can change it. The maximum value is 2,147,483,647.
You can use Workgroup Manager to define the primary group ID of an account stored in a NetInfo or LDAPv3 directory domain or to review the primary group information in any directory domain accessible from the server you are using.

To work with a primary group ID using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the primary group, click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Edit or review the contents of the Primary Group ID field.
The value must be associated with a group that already exists and that is accessible in the search path of computers using the user account. Workgroup Manager displays the full and short names of the group after you enter a primary group ID.

Adding a User to Groups

Add a user to a group when you want multiple users to have the same file access privileges or when you want to manage their Mac OS X preferences using workgroups or computer lists.

You can use Workgroup Manager to add a user to a group if the user and group accounts are in a NetInfo or LDAPv3 directory domain.

To add a user to a group using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Click Add to open a drawer listing the groups defined in the directory domain you are working with. (To include system groups in the list, choose Preferences on the Workgroup Manager menu, then select “Show system users and groups.”)
4 Select the group, then drag it into the Other Groups list on the Groups tab.
Removing a User From a Group

You can use Workgroup Manager to remove a user from a group if the user and group accounts reside in a NetInfo or LDAPv3 directory domain.

To remove a user from a group using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Groups tab.
3 Select the group or groups from which you want to remove the user, then click Remove.

Reviewing a User’s Group Memberships

You can use Workgroup Manager to review the groups a user belongs to if the user account resides in a directory domain accessible from the server you are using.

To review group memberships using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Select the user in the user list.
2 Click the Groups tab.
The primary group to which the user belongs is displayed, and other groups the user belongs to are listed in the Other Groups list.

Working With Home Settings for Users

Home settings describe a user’s home directory attributes. See “Administering Home Directories” on page 155 for information about using and setting up home directories.

Working With Mail Settings for Users

You can create a Mac OS X Server mail service account for a user by specifying mail settings for the user in the user’s account. To use the account, the user simply configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the mail settings.

In Workgroup Manager, use the Mail tab in the user account window to work with a user’s mail service settings.
See Chapter 9, “Mail Service,” for information about how to set up and manage Mac OS X Server mail service.

Disabling a User’s Mail Service

You can use Workgroup Manager to disable mail service for a user whose account is stored in a NetInfo or LDAPv3 directory domain.

To disable a user’s mail service using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Select None.

Enabling Mail Service Account Options

You can use Workgroup Manager to enable mail service and set mail options for a user account stored in a NetInfo or LDAPv3 directory domain or to review the mail settings of accounts stored in any directory domain accessible from the server you are using.

To work with a user’s mail account options using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Selecting the Enabled button enables the user to use mail service.
4 The Mail Server field contains the DNS name or IP address of the server to which the user’s mail should be routed. When you enter a value, Workgroup Manager does not check to ensure it is valid.
5 The Mail Quota field specifies the maximum number of megabytes for the user’s mailbox. A 0 or null value means no quota is used. When the user’s message space approaches or surpasses the mail quota you specify, mail service displays a message prompting the user to delete unwanted messages to free up space.
6 The Mail Access selection identifies the protocol used for the user’s mail account: Post Office Protocol (POP) and/or Internet Message Access Protocol (IMAP).
7 The Options setting determines inbox characteristics for mail accounts that access email using both POP and IMAP. “Use separate inboxes for POP and IMAP” creates an inbox for POP mail and a separate inbox for IMAP mail. “Show POP Mailbox in IMAP folder list” shows an IMAP folder named POP Inbox.
8 “Enable NotifyMail” lets you automatically notify the user’s mail application when new mail arrives. The IP address to which the notification is sent can be either the last IP address from which the user logged in or an address you specify.

Forwarding a User’s Mail

You can use Workgroup Manager to set up email forwarding for a user whose account is stored in a NetInfo or LDAPv3 directory domain.

To forward a user’s mail using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Mail tab.
3 Select Forward and enter the forwarding email address in the Forward To field.
The existence of the address is not verified by Workgroup Manager.

Working With Print Settings for Users

Print settings associated with a user’s account define the ability of a user to print to accessible Mac OS X Server print queues for which print service enforces print quotas. “Enforcing Quotas for a Print Queue” on page 322 tells you how to set up quota-enforcing print queues.

In Workgroup Manager, use the Print tab in the user account window to work with a user’s print quotas:
• Select None (the default) to disable a user’s access to print queues enforcing print quotas.
• Select All Queues to let a user print to all accessible print queues that enforce quotas.
• Select Per Queue to let a user print to specific print queues that support quotas.

Disabling a User’s Access to Print Queues Enforcing Quotas

You can use Workgroup Manager to prevent a user from printing to any accessible Mac OS X print queue that enforces quotas. To use Workgroup Manager, the user’s account must be stored in a NetInfo or LDAPv3 directory domain.

To disable a user’s access to print queues enforcing quotas:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 Select None.

Enabling a User’s Access to Print Queues Enforcing Quotas

You can use Workgroup Manager to allow a user to print to all or only some accessible Mac OS X print queues that enforce quotas. To use Workgroup Manager, the user’s account must be stored in a NetInfo or LDAPv3 directory domain.

To set a user’s print quota for print queues enforcing quotas:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
To set up a quota that applies to all queues, go to step 3. Alternatively, to set up quotas for specific print queues, go to step 4.
3 Click “All Queues,” then specify the maximum number of pages the user should be able to print in a certain number of days for any print queue enforcing quotas.
4 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue for which you want to define a user quota.
If the print queue you want to specify is not on the Queue Name pop-up menu, click Add to enter the queue name and specify, in the Print Server field, the IP address or DNS name of the server where the queue is defined.
To give the user unlimited printing rights to the queue, click “Unlimited printing.” Otherwise, specify the maximum number of pages the user should be able to print in a certain number of days. Then click Save.

Deleting a User’s Print Quota for a Specific Queue

To delete a user’s print quota using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 Use the Queue Name pop-up menu and the Print Server field to identify the print queue to which you want to disable a user’s access.
4 Click Delete.

Restarting a User’s Print Quota

To restart a user’s print quota using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to work with if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Click the Print tab.
3 If the user is set up for printing to all print queues supporting quotas, click Restart Print Quota. If the user’s print quotas are print queue–specific, use the Queue Name pop-up menu and the Print Server field to identify a print queue, then click Restart Print Quota.

Working With Managed Users

See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about how you can make a user a managed user, which lets you set up preferences for the user.
Defining a Guest User

You can set up some services to support users who are anonymous, that is, they can’t be authenticated because they do not have a valid user name or password. The following services can be set up this way:
• Windows services (see “Windows Services” on page 235 for information about configuring guest access)
• Apple file service (see “Apple File Service” on page 224 for information about configuring guest access)
• FTP service (see “File Transfer Protocol (FTP) Service” on page 244 for information about configuring guest access)
• Web service (see Chapter 8, “Web Service,” for information about configuring guest access)

Users who connect to a server anonymously are restricted to files, folders, and Web sites with privileges set to Everyone.

Another kind of guest user is a managed user that you can define to allow easy setup of public computers or kiosk computers. See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more about these kinds of users.

Deleting a User Account

You can use Workgroup Manager to delete a user account stored in a NetInfo or LDAPv3 directory domain.

To delete a user account using Workgroup Manager:

1 In Workgroup Manager, open the user account you want to delete if it is not already open.
To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the user in the user list.
2 Choose Delete Selected User from the Server menu.

Disabling a User Account

To disable a user account, you can
• delete the account (see “Deleting a User Account” on page 154)
• change the user’s password to an unknown value (see “Defining Passwords” on page 145)

Administering Home Directories

A home directory is a folder for a user’s personal use.
Mac OS X also uses the home directory, for example, for storing system preferences and managed user settings for Mac OS X users.

A user’s home directory does not need to be stored on the same server as the directory domain containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your workload among several servers. “Distributing Home Directories Across Multiple Servers” on page 156 and “Setting Up Home Directories for Users Defined in Existing Directory Servers” on page 157 describe several such scenarios.

After deciding where you want home directories to reside, you need to set up share points for them and configure the share points to automount. You may also need to create home directory folders. See “Setting Up AFP Home Directory Share Points” on page 160 and “Creating Home Directory Folders” on page 161 for details.

To assign a home directory to a user, follow the instructions in “Defining a User’s Home Directory” on page 161 through “Using Import Files to Create AFP Home Directories” on page 165.

Distributing Home Directories Across Multiple Servers

The following illustration depicts using one Mac OS X Server for storing user accounts and two other Mac OS X Servers for storing AFP home directories. When a user logs in, he or she is authenticated using an account stored on the accounts server. The location of the user’s home directory, stored in his account, is used to mount his or her home directory, which resides physically on one of the home directory servers.

Here are the steps you could use to set up this scenario for AFP home directories:

1 Set up the directory services of the client computers so their search policy includes the server where the user accounts are stored.
See Chapter 2, “Directory Services,” for instructions.
2 On each home directory server, create the folder that will serve as the share point for the home directories.
Set up automounting for each share point. Doing so ensures that a user can automatically see his home directory after logging in because it is mounted on his computer. See “Setting Up AFP Home Directory Share Points” on page 160 for more information about setting up AFP share points for home directories.
When you set up automounting, Mac OS X Server creates a mount record for the share point in the directory domain you designate. The mount record that describes home directory share points can reside in the same directory domain as the user account or in a directory domain in the search path used to find related user records.
3 Set up the user accounts on the account server so that the home directory share point is one of the two you created in step 1.
See “Defining a Network Home Directory” on page 163. Because the home directories are accessed using AFP, the first time a user logs in his or her home directory is created automatically on the appropriate server and is visible on the user’s computer.

[Figure: three Mac OS X Servers: one holding the user accounts, one holding home directories A thru M, and one holding home directories N thru Z]

Setting Up Home Directories for Users Defined in Existing Directory Servers

When you integrate Mac OS X Server into an environment that uses an existing directory server for storing user information, you can take advantage of that information for authenticating users, but use one or more Mac OS X Servers to store home directories for users.

The following picture illustrates this scenario. A user has access to his home directory on Mac OS X Server after logging in to a Mac OS X computer and being authenticated using Active Directory information.
The numbers in this figure illustrate the sequence of interactions that occur between the time a user logs in to the Mac OS X client computer and can choose Home from the Go menu to access his home directory:

[Figure: a Windows 2000 server hosting Active Directory, a Mac OS X client computer, and a Mac OS X Server hosting home directories, with the interactions numbered 1 through 4]

1 Retrieving user information.
When the user logs in, the Mac OS X computer retrieves the user’s account from Active Directory and authenticates the user. Home directory information in the user’s record indicates that the home directory resides on the network, so a mount record for the home directory is retrieved from Active Directory. The mount record identifies the home directory share point and its access protocol—AFP in this case.
In this example, the user and mount records reside in the search bases indicated in Active Directory on the Windows 2000 Server. A search base is like a directory you use to access particular kinds of records.
2 Requesting authorization to mount the home directory.
The Mac OS X client computer then sends the user’s information to the Mac OS X Server hosting the home directory to request authorization to mount the home directory. The home directories, named using the user short names, reside under the share point named “Homes” on Mac OS X Server.

[Figure: Windows 2000 server hosting Active Directory (10.43.12.172, supergirl.corp.apple.com) with the search bases Users (cn=Users,dc=supergirl,dc=corp,dc=apple,dc=com) and Mounts (ou=mounts,dc=supergirl,dc=corp,dc=apple,dc=com); Mac OS X client computer logged in as user jdm; Mac OS X Server hosting home directories (10.43.12.40, bigmac.corp.apple.com) with the home directory /Homes/jdm]

3 Setting up home directory access.
Next, the server retrieves the user’s Active Directory record and authenticates the user. The server uses the UID and group ID in the record to set up file access permissions for the user.
4 Accessing the home directory.
The home directory is now mounted and visible on the user’s computer in the Mac OS X Finder under /Network/Servers/bigmac/Homes, and login is complete.

Here are the steps you would use to set up this scenario:

1 Set up the Windows server to make sure Active Directory contains the necessary user account and mount data.
2 Set up directory service mappings for Mac OS X computers, both clients and server, so they can access the Active Directory data.
See Chapter 2, “Directory Services,” for information about using the Active Directory mapping template and adding the Windows server to the Mac OS X computer’s search policies.
3 Set up share points on Mac OS X Server.
Because the home directories are accessed using AFP, the first time a user logs in his home directory is created automatically and is visible on the user’s computer.

[Figure: the Windows 2000 server hosting Active Directory (Users), the Mac OS X Server hosting home directories (/Homes/jdm), and the Mac OS X client computer, on which the home directory appears as /Network/Servers/bigmac/Homes/jdm]

Choosing a Protocol for Home Directories

You can set up home directories so they can be accessed using either AFP or NFS.

The preferred protocol is AFP, because it provides authentication-level access security; a user has to log in with a valid name and password to access files. AFP also simplifies the setup of home directories; home directories are automatically created the first time a user logs in.

Use NFS only if you need to provide home directories for a large number of users who use UNIX workstations. NFS file access is based not on user authentication, but on client IP address, so it is generally less secure than AFP. In addition, NFS home directories need to be created manually.

See the next two sections for information about using AFP and NFS protocols for home directories.
Setting Up AFP Home Directory Share Points

Before setting up an AFP home directory for a user, define an automountable share point in which the home directory will reside. Setting up a home directory in an automountable share point makes the home directory available in /Network/Servers and lets other users access the home directory using the ~username shortcut.

Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. See “Setting Disk Quotas” on page 164 for more information.

To define an AFP share point for home directories:

1 Create a folder on the server where you want the home directories to reside, and share the folder using AFP.
See Chapter 4, “Sharing,” for complete instructions on how to accomplish this and the remaining steps.
2 Enable guest access to the share point so users can access other users’ public folders without authenticating. Also, ensure that the share point owner has Read & Write privileges and that Group and Everyone have Read privileges.
3 Configure a mount record for the share point.
To do so, set up the share point to automount, using AFP, in a directory domain in the search path of Mac OS X computers that need to use it.

Setting Up NFS Home Directory Share Points

Before setting up an NFS home directory for users, define the share point in which the home directories will reside. Because NFS offers less access security than AFP, define one NFS share point for use by all UNIX users who need home directories.

Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. See “Setting Disk Quotas” on page 164 for more information.

To define an NFS share point for home directories:

1 Create a folder on the server where you want the home directories to reside, and share the folder using NFS.
See Chapter 4, “Sharing,” for complete instructions on setting up NFS share points.
2 Export the share point, use the pop-up menu to select the clients to whom you want to export the share point, and map the “root” user to “nobody.”
3 Configure a mount record for the share point.
To do so, set up the share point so it is automounted, using NFS, in a directory domain in the search path of Mac OS X computers that need to use it.
4 In the share point folder, manually create the home directory folder and all its subfolders for each user.

UNIX users are accustomed to using SSH to obtain command-line access to a server. With this kind of access, the user’s home directory isn’t mounted, and the user has only guest access to it.

Creating Home Directory Folders

AFP home directories and their subfolders are created automatically when users first log in. NFS home directories must be created manually within the folder that serves as the NFS share point.

Defining a User’s Home Directory

In Workgroup Manager, use the Home tab in the user account window to work with home directory settings for a user.
• Select Local to define a home directory on the server you are using for a user defined in a local directory domain on that server.
• Select Network to set up a home directory for users defined in shared directory domains. The home directory resides immediately under a share point you select from a list of automountable share points in directory domains of the server’s search path.
• Select the Advanced option to set up a home directory that has characteristics not available using the Local or Network options. For example, the Advanced option lets you set up a network home directory that is not immediately below the share point.

The next four sections describe how to use the user account Home tab. You can also use an import file to set up home directories.
See “Using Import Files to Create AFP Home Directories” on page 165 for details.

Defining No Home Directory

You can use Workgroup Manager to avoid creating a home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain. By default, new users have no home directory.

To define no home directory:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the local directory domain. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

2 Click the Home tab.

3 Select No Home.

Defining a Home Directory for Local Users

You can use Workgroup Manager to define a home directory for a user whose account is stored in the local directory domain on the server you are logged in to. Local user accounts are visible only on the server itself, not over the network. Local user accounts on Mac OS X Server are most useful for standalone servers (servers not accessible from a network) and server administrator accounts.

To create a home directory for a local user account:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the local directory domain. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

2 Click the Home tab.

3 Select Local, then choose the share point from the Share Point pop-up menu in which you want the home directory to reside.

By default, /Users is assumed, but you can select any other share point that has been defined in the local directory domain. The share point does not have to be configured for automounting.
If the home directory share point is an AFP share point, the home directory is created automatically when the user logs in if it does not already exist; the name of the home directory created is the same as the user’s short name (the user’s first short name if there are multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Defining a Network Home Directory

In Workgroup Manager, you can set up a home directory for users defined in shared directory domains. The home directory resides immediately under an automountable share point.

You can use Workgroup Manager to define a network home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain or to review home directory information in any directory domain accessible from the server you are using.

To create a network home directory using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

2 Click the Home tab, then select Network.

3 Select a share point from the list, which displays all the network-visible share points in the search path of the server you are using.

If the home directory share point you select is an AFP share point, the home directory is created automatically when the user logs in if it does not already exist; the home directory is named after the user’s short name (the first short name if the user has multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Defining an Advanced Home Directory

In Workgroup Manager, you can customize a user’s home directory settings using the Advanced home directory option.
You’ll want to customize home directory settings when

• You want the user’s home directory to reside in directories not immediately below the home directory share point. For example, you may want to organize home directories into several subdirectories within a share point. If Homes is the home directory share point, you may want to place teachers’ home directories in Homes/Teachers and student home directories in Homes/Students.

• You want to specify a home directory name different from the user’s short name.

You can use Workgroup Manager to define an advanced home directory for a user whose account is stored in a NetInfo or LDAPv3 directory domain or to review home directory information in any directory domain accessible from the server you are using.

To create an advanced home directory using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the home directory information, click the lock to be authenticated, then select the user in the user list.

2 Click the Home tab, then select Advanced.

3 In the Server/Share Point URL field, enter the full URL to an existing share point. For example, enter “AFP://server.example.com/Homes”. Make sure that the share point has been set up as an automount.

4 In the Path field, enter the path from the share point to the home directory if there is one. Any directories you enter must exist. For example, if the share point is Homes, you might enter Teachers/SecondGrade.

5 In the Home field, enter the full path to the home directory. For example, /Network/Servers/server.example.com/Homes/Teachers/SecondGrade/Smith.
If the home directory share point you select is an AFP share point on Mac OS X Server, the home directory is created automatically when the user logs in if it does not already exist; the home directory is named after the user’s short name (the first short name if the user has multiple short names). If it is an NFS share point, you must create the home directory and its subfolders manually.

Setting Disk Quotas

You can limit the disk space a user can consume to store files he or she owns in the partition where his or her home directory resides. This quota does not apply to the home directory share point or to the home directory, but to the entire partition within which the home directory share point and the home directory reside. Therefore, when a user places files into another user’s folder, the action can affect the user’s disk quota:

• When you copy a file to a user’s AFP drop box, the owner of the drop box becomes the owner of the file.

• In NFS, however, when you copy a file to another folder, you remain the owner and the copy operation decrements your disk quota on that partition.

To set up a home directory share point disk quota using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. To edit the disk quota, click the lock to be authenticated, then select the user in the user list.

2 Click the Home tab.

3 Specify the disk quota using the Disk Quota field and the adjacent pop-up menu.

Defining Default Home Directories for New Users

You can define default home directory settings to use for new users by using a preset to predefine them. See “Using Presets” on page 176 for information about defining and using presets.
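The following Python script is an added example and is not part of this guide or of Mac OS X Server. It illustrates two of the points made above. The first function derives the value of the Home field for an Advanced home directory from the Server/Share Point URL, the Path field and the user’s short name, following the /Network/Servers layout shown in the example in step 5; accepting only AFP and NFS URLs is an assumption of the example. The second function totals the regular files on a partition by owner, which is what a disk quota is charged against: every file the user owns on the partition counts, wherever it sits. The sample tree it measures is constructed in a temporary directory, and the hypothetical Public/Drop Box folder in it stands in for the AFP drop box described above.

```python
"""Added example (not from the Mac OS X Server guide): home directory path
derivation for the Advanced option, and per-owner usage on one partition."""
import os
import stat
import tempfile
from collections import defaultdict
from typing import Dict, Tuple
from urllib.parse import urlparse


def expected_home_path(share_url: str, path: str, short_name: str) -> str:
    """Return the value to enter in the Home field for an Advanced home directory.

    share_url is the Server/Share Point URL (for example "AFP://server.example.com/Homes"),
    path is the Path field (may be empty) and short_name is the user's short name.
    Accepting only AFP and NFS share point URLs is an assumption of this example.
    """
    parsed = urlparse(share_url)
    if parsed.scheme.lower() not in ("afp", "nfs"):
        raise ValueError("share point URL must use AFP or NFS: %r" % share_url)
    if not parsed.hostname:
        raise ValueError("share point URL has no server name: %r" % share_url)
    share_point = parsed.path.strip("/")
    if not share_point:
        raise ValueError("share point URL has no share point name: %r" % share_url)
    parts = ["Network", "Servers", parsed.hostname, share_point]
    parts += [p for p in path.strip("/").split("/") if p]  # Path field may be empty
    parts.append(short_name)
    return "/" + "/".join(parts)


def usage_by_owner(partition_root: str) -> Dict[int, int]:
    """Sum the sizes of regular files below partition_root, keyed by owner UID.

    Symbolic links are neither followed nor counted, and directories that are
    mount points of another file system are pruned, so only the one partition
    is measured, just as a per-partition disk quota is.
    """
    totals = defaultdict(int)
    root_dev = os.lstat(partition_root).st_dev
    for dirpath, dirnames, filenames in os.walk(partition_root):
        # Prune subdirectories that live on another device (mount points).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                totals[st.st_uid] += st.st_size
    return dict(totals)


def constructed_partition() -> Tuple[str, Dict[int, int]]:
    """Build a constructed sample tree in a temporary directory.

    A file left in another user's drop box still counts against whoever owns
    it; every file here is owned by the calling user, so the expected result
    holds a single UID with the total of both files (100 + 50 bytes).
    """
    root = tempfile.mkdtemp(prefix="homes-")
    smith_docs = os.path.join(root, "Homes", "smith", "Documents")
    jones_dropbox = os.path.join(root, "Homes", "jones", "Public", "Drop Box")
    os.makedirs(smith_docs)
    os.makedirs(jones_dropbox)
    with open(os.path.join(smith_docs, "notes.txt"), "wb") as f:
        f.write(b"x" * 100)
    with open(os.path.join(jones_dropbox, "from-smith.txt"), "wb") as f:
        f.write(b"y" * 50)
    # A symbolic link is not a regular file and must not be counted.
    os.symlink(smith_docs, os.path.join(root, "link-not-counted"))
    return root, {os.getuid(): 150}


if __name__ == "__main__":
    print(expected_home_path("AFP://server.example.com/Homes", "Teachers/SecondGrade", "Smith"))
    sample_root, expected = constructed_partition()
    print(usage_by_owner(sample_root), "expected", expected)
```

Run against a real home directory partition, usage_by_owner shows which owner is consuming the space that a quota would charge, including files copied into other users’ NFS folders.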
Using Import Files to Create AFP Home Directories

The fastest way to create AFP home directories for a large number of users is to use an import file. See “Importing and Exporting User and Group Information” on page 178 for details.

Moving Home Directories

If you need to move a home directory, create the new one and manually delete the existing one to deallocate disk space it uses if you no longer need the existing one.

Deleting Home Directories

When you delete a user account, the associated home directory is not automatically deleted. You must delete it manually.

Administering Group Accounts

This section describes how to administer group accounts stored in various kinds of directory domains.

Where Group Accounts Are Stored

Group accounts, as well as user accounts and computer accounts, can be stored in any Open Directory domain accessible from the Mac OS X computer that needs to access the account. A directory domain can reside on a Mac OS X computer (for example, a NetInfo or LDAPv3 domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server).

You can use Workgroup Manager to work with accounts in all kinds of directory domains, but you can only update NetInfo and LDAPv3 directory domains using Workgroup Manager. See Chapter 2, “Directory Services,” for complete information about the different kinds of Open Directory domains.

Creating Group Accounts in a Directory Domain on Mac OS X Server

You need administrator privileges for a directory domain to create a new group account in it.

To create a group account:

1 Ensure that the directory services of the Mac OS X Server you are using has been configured to access the domain of interest. See Chapter 2, “Directory Services,” for instructions.

2 In Workgroup Manager, click the Accounts button.

3 Use the At pop-up menu to open the domain in which you want the group account to reside.

4 Click the lock to be authenticated as a directory domain administrator.
5 From the Server menu, choose New Group.

6 Specify settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

You can also use a preset or an import file to create a new group. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Creating Read-Write LDAPv3 Group Accounts

You can create a group account on a non-Apple LDAPv3 server if it has been configured for write access.

To create an LDAPv3 group account:

1 Ensure that the directory services of the Mac OS X Server you are using has been configured to use the LDAP server for group accounts. See Chapter 2, “Directory Services,” for information about using Directory Access to configure an LDAP connection and Appendix A, “Open Directory Data Requirements,” for information about the group account elements that may need to be mapped.

2 In Workgroup Manager, click the Accounts button.

3 Use the At pop-up menu to open the LDAPv3 domain in which you want the group account to reside.

4 Click the lock to be authenticated.

5 From the Server menu, choose New Group.

6 Specify settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

You can also use a preset or an import file to create a new group. See “Using Presets” on page 176 and “Importing and Exporting User and Group Information” on page 178 for details.

Changing Group Accounts

You can use Workgroup Manager to change a group account that resides in a NetInfo or LDAPv3 directory domain.

To make changes to a group account:

1 Ensure that the directory services of the Mac OS X Server you are using has been configured to access the directory domain of interest. See Chapter 2, “Directory Services,” for instructions.

2 In Workgroup Manager, click the Accounts button.
3 Use the At pop-up menu to open the domain in which the group account resides.

4 Click the lock to be authenticated.

5 Click the Group tab to select the group you want to work with.

6 Edit settings for the group in the tabs provided. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

Working With Read-Only Group Accounts

You can use Workgroup Manager to review information for group accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

To work with a read-only group account:

1 Ensure that the directory services of the Mac OS X Server you are using has been configured to access the directory domain in which the account resides. See Chapter 2, “Directory Services,” for information about using Directory Access to configure server connections and Appendix A, “Open Directory Data Requirements,” for information about the group account elements that need to be mapped.

2 In Workgroup Manager, click the Accounts button.

3 Use the At pop-up menu to open the directory domain in which the group account resides.

4 Use the tabs provided to review the group account settings. See “Working With Member Settings for Groups” on page 167 and “Working With Volume Settings for Groups” on page 170 for details.

Working With Member Settings for Groups

Member settings include a group’s names, its ID, and a list of the users who are members of the group.

In Workgroup Manager, use the Members tab in the group account window to work with member settings. When the name of a user in the Members list appears in italics, the group is the user’s primary group.

Adding Users to a Group

Add users to a group when you want multiple users to have the same file access privileges or when you want to make them managed users.
When you create a user account and assign the new user a primary group, the user is automatically added to the group you specify; you do not need to explicitly do so. Otherwise, you explicitly add users to a group.

You can use Workgroup Manager to add users to a group if the user and group accounts are in a NetInfo or LDAPv3 directory domain.

To add users to a group using Workgroup Manager:

1 In Workgroup Manager, open the group account you want to work with if it is not already open.

To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.

2 Click the Members tab.

3 Click Add to open a drawer listing the users defined in the directory domain you are working with. (To include system users in the list, choose Preferences on the Workgroup Manager menu, then select “Show system users and groups.”)

Make sure that the group account resides in a directory domain specified in the search policy of computers the user will log in to.

4 Select the user, then drag it into the Members list on the Members tab.

Removing Users From a Group

You can use Workgroup Manager to remove a user from a group that is not the user’s primary group if the user and group accounts reside in a NetInfo or LDAPv3 directory domain.

To remove a user from a group using Workgroup Manager:

1 In Workgroup Manager, open the group account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.

2 Click the Members tab.

3 Select the user or users you want to remove from the group, then click Remove.
Naming a Group

A group has two names: a full name and a short name:

• The full group name, which is used for display purposes only, can contain as many as 255 characters (127 double-byte characters). Use only these characters:
a through z
A through Z
0 through 9
_ (underscore)
- (hyphen)
. (period)
(space)
For example, English Department Students.

• The short name can contain as many as 255 characters (127 double-byte characters). Use only these characters:
a through z
A through Z
0 through 9
_ (underscore)
- (hyphen)
. (period)
The short name, typically 8 or fewer characters, is used by Mac OS X to find UIDs of group members when determining whether a user can access a file as a result of his or her group membership.

You can use Workgroup Manager to edit the names of a group account stored in a NetInfo or LDAPv3 directory domain or to review the names in any directory domain accessible from the server you are using.

To work with group names using Workgroup Manager:

1 In Workgroup Manager, open the group account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To change a name, click the lock to be authenticated. Select the group in the group list.

2 In the Name or “Short name” field on the Members tab, review or edit the names. Before saving a new name, Workgroup Manager checks to ensure that it is unique.

Defining a Group ID

A group ID is a string of ASCII digits that uniquely identifies a group. The maximum value is 2,147,483,647. The minimum value is 101.

You can use Workgroup Manager to edit the ID for a group account stored in a NetInfo or LDAPv3 directory domain or to review the group ID in any directory domain accessible from the server you are using.

To work with a group ID using Workgroup Manager:

1 In Workgroup Manager, open the group account you want to work with if it is not already open.
To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To change a group ID, click the lock to be authenticated. Select the group in the group list.

2 In the Group ID field on the Members tab, review or edit the ID. Before saving a new group ID, Workgroup Manager checks to ensure that it is unique in the directory domain you are using.

Working With Volume Settings for Groups

You can designate a directory for use exclusively by members of a particular group. A group directory offers a way to organize documents and applications of special interest to group members and gives group members a directory to use to pass information back and forth among them.

If the group is a workgroup (if you want to define Mac OS X preferences for the group), you must set up a group volume. A workgroup’s preferences are stored in the group volume you associate with the workgroup.

In Workgroup Manager, use the Volumes tab in the group account window to work with group volume settings:

• Select None to avoid creating a group directory.

• Select Network to automate the creation of group volumes.

• Select Advanced to customize your group volume settings.

Before you can set up a group directory, you must create the share point for it to reside in, as the next section describes.

Creating Group Directories

Before you can designate a directory as a group directory, you must create a share point for the directory. Chapter 4, “Sharing,” tells you how to use Workgroup Manager to create a folder and share it.

If you are using AFP to share the group directory, you can take advantage of automatic group share point and group directory creation by choosing the Network option on the Volumes tab for the group account in Workgroup Manager. To work with other sharing protocols and share points, you must use the Advanced option on that tab.
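The following Python script is an added example and is not part of this guide or of Mac OS X Server. It checks group names and group IDs against the rules given in “Naming a Group” and “Defining a Group ID” above, which is useful when group accounts are prepared in an import file rather than typed into Workgroup Manager, where those checks happen interactively. The uniqueness check against caller-supplied sets of short names and group IDs already in the directory domain is an assumption of the example; Workgroup Manager performs its own uniqueness check before saving.

```python
"""Added example (not from the Mac OS X Server guide): validation of group
account full names, short names and group IDs against the rules above."""
import re
from typing import Iterable, List

MAX_NAME_LEN = 255          # the guide's limit (127 double-byte characters)
MIN_GROUP_ID = 101
MAX_GROUP_ID = 2_147_483_647
FULL_NAME_CHARS = re.compile(r"[A-Za-z0-9_.\- ]+")   # letters, digits, _ - . and space
SHORT_NAME_CHARS = re.compile(r"[A-Za-z0-9_.\-]+")   # the same set without the space
GROUP_ID_CHARS = re.compile(r"[0-9]+")               # a string of ASCII digits


def check_full_name(full_name: str) -> List[str]:
    """Return a list of rule violations for a full group name (empty if valid)."""
    if not full_name:
        return ["full name is empty"]
    errors = []
    if len(full_name) > MAX_NAME_LEN:
        errors.append("full name is longer than %d characters" % MAX_NAME_LEN)
    if not FULL_NAME_CHARS.fullmatch(full_name):
        errors.append("full name may contain only letters, digits, _ - . and space")
    return errors


def check_short_name(short_name: str) -> List[str]:
    """Return a list of rule violations for a short group name (empty if valid).

    The guide notes short names are typically 8 or fewer characters; that is a
    convention, not a limit, so it is not enforced here.
    """
    if not short_name:
        return ["short name is empty"]
    errors = []
    if len(short_name) > MAX_NAME_LEN:
        errors.append("short name is longer than %d characters" % MAX_NAME_LEN)
    if not SHORT_NAME_CHARS.fullmatch(short_name):
        errors.append("short name may contain only letters, digits, _ - and .")
    return errors


def check_group_id(group_id: str) -> List[str]:
    """Return a list of rule violations for a group ID string (empty if valid)."""
    if not GROUP_ID_CHARS.fullmatch(group_id):
        return ["group ID must be a string of ASCII digits"]
    value = int(group_id)
    if value < MIN_GROUP_ID:
        return ["group ID %d is below the minimum of %d" % (value, MIN_GROUP_ID)]
    if value > MAX_GROUP_ID:
        return ["group ID %d is above the maximum of %d" % (value, MAX_GROUP_ID)]
    return []


def validate_group(full_name: str, short_name: str, group_id: str,
                   existing_short_names: Iterable[str] = (),
                   existing_group_ids: Iterable[str] = ()) -> List[str]:
    """Validate one group record; the existing_* sets model the directory domain
    contents and are an assumption of this example."""
    errors = (check_full_name(full_name) + check_short_name(short_name)
              + check_group_id(group_id))
    if short_name in set(existing_short_names):
        errors.append("short name %r is already used in this directory domain" % short_name)
    # Compare IDs numerically so "01025" and "1025" are treated as the same ID.
    if not check_group_id(group_id) and int(group_id) in {
            int(g) for g in existing_group_ids if GROUP_ID_CHARS.fullmatch(g)}:
        errors.append("group ID %s is already used in this directory domain" % group_id)
    return errors


if __name__ == "__main__":
    # Constructed sample records: the first follows the guide's own example name.
    for record in (("English Department Students", "english", "1025"),
                   ("Students!", "eng lish", "100")):
        print(record, "->", validate_group(*record) or "ok")
```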
Automatically Creating Group Directories

When you initially set up a server, an AFP share point named /groups is created automatically. You can automate the (overnight) creation of group directories in the /groups share point when you use Workgroup Manager to define groups in a NetInfo or LDAPv3 directory domain.

To set up an automatically created group directory:

1 In Workgroup Manager, open the group account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. To edit the group directory information, click the lock to be authenticated. Select the group in the group list.

2 Click the Volumes tab.

3 Select Network.

4 Click Select to choose a server from a list of servers that host a /groups share point in a directory domain in your current search path. The group directory is created immediately below it using the group’s short name. The server name you choose appears in the Server field.

Alternatively, enter a server name in the Server field. The group directory is created automatically only if the server you specify hosts a /groups share point in your current search path. Otherwise, you need to create an AFP share point on that server named /groups and, within it, a group directory with the short name of the group.

5 In the Owner Name field, enter the name of the user you want to own the group directory so he or she can act as group directory administrator. Click Users to choose an owner from a list of users in the current directory domain.

6 Optionally check one of the boxes that automate visibility of the group directory for group members when they log in to a Mac OS X computer.

Check “Show group documents” to automatically display the group directory in the Dock.

Check “Mount group volume at startup” to automatically display the group directory in the Finder.
Customizing Group Directory Settings

When you need more control over group directory settings than the network group directory option provides, you can use Workgroup Manager to customize group directory settings. The group whose directory you want to customize must be defined in a NetInfo or LDAPv3 directory domain.

For example, you may want to organize group directories as several folders within a share point. If LanguageGroups is a group directory share point, you may want to place the group directory for English students in LanguageGroups/English and for French students in LanguageGroups/French.

To customize group settings:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the group account resides. To edit the group directory information, click the lock to be authenticated, then select the group in the group list.

2 Click the Volumes tab, then select Advanced.

3 In the URL field, enter the full URL to the group directory’s share point. For example, enter “SMB://ntserver.com/macgroups” to identify an SMB share point named “macgroups” on a server whose domain name is “ntserver.com”. The share point must already exist on the server.

4 In the Path field, enter the path from the share point to the group directory. For example, if the share point is GroupDirs and the full path to the group directory is GroupDirs/Teachers/Primary/, enter Teachers/Primary in the Path field. These directories must already exist.

5 In the Owner Name field, enter the name of the user you want to own the group directory so he or she can act as group directory administrator. Click Users to choose an owner from a list of users in the current directory domain.

6 Optionally check one of the boxes that automate visibility of the group directory for group members when they log in to a Mac OS X computer.
Check “Show group documents” to automatically display the group directory in the Dock.

Check “Mount group volume at startup” to automatically display the group directory in the Finder.

Working With Group and Computer Preferences

See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for information about how you can use groups when you want managed Mac OS X users to have workgroup and computer list preferences.

Deleting a Group Account

You can use Workgroup Manager to delete a group account stored in a NetInfo or LDAPv3 directory domain.

To delete a group account using Workgroup Manager:

1 In Workgroup Manager, open the group account you want to delete if it is not already open.

To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account resides. Click the lock to be authenticated. Select the group in the group list.

2 Choose Delete Selected Group from the Server menu.

Finding User and Group Accounts

In Workgroup Manager, user and group accounts are listed in tabs at the left side of the Workgroup Manager window. Workgroup Manager preferences affect the lists. Choose the Preferences command on the Workgroup Manager menu to control whether system users and groups are listed and the order in which items are listed.

To work with one or more of the accounts listed, select them. Data about the selected accounts appears in tabs to the right of the list.

To populate the list, use the At menu to select the directory domain(s) you want to work with. Initially, the local directory domain accounts are listed. The domains available for selection include all directory domains configured for access by the server you are logged in to. “Listing Users and Groups in the Local Directory Domain” on page 174 through “Refreshing User and Group Lists” on page 175 tell you how to use the At menu.
Choose the Show Status Bar command on the View menu to display information related to your current At menu selection:

• When Search Path is selected, the status bar identifies the computer you are currently logged in to and the user name under which you are logged in.

• When “Other” or “Local” is selected, the status bar identifies the directory domain in which you are currently authenticated and the user name under which you are authenticated.

After you choose directory domains, all the accounts residing in those domains are listed. You can sort the list by clicking a column heading. You can filter the list to find specific users or groups by using the filter options above the list. See “Finding Specific Users and Groups in a List” on page 175 and “Sorting User and Group Lists” on page 175 for details.

Listing Users and Groups in the Local Directory Domain

The local directory domain is a server-resident domain that is visible only when you are logged in to the server where it resides.

To list accounts in the local domain of the server you are working with:

1 In Workgroup Manager, log in to the server hosting the domain, then select Local in the At pop-up menu.

2 User accounts residing in the local domain are listed in the user tab, and local group accounts are listed in the group tab. To work with a particular account, select it. To change the account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Listing Users and Groups in Search Path Directory Domains

The search path directory domains are those in the search policy defined for the Mac OS X Server you are logged in to.

To list accounts in search path domains of the server you are working with:

1 In Workgroup Manager, log in to a server whose search policy contains the directory domains of interest.

2 Select Search Path in the At pop-up menu.
User accounts residing in all directory domains in the search path are listed in the user tab, and group accounts are listed in the group tab.

3 To work with a particular account, select it. To change the account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Listing Users and Groups in Available Directory Domains

You can list user and group accounts residing in any specific directory domain accessible from the server you are logged in to using Workgroup Manager. You select the domain from a list of all the directory domains configured to be visible from the server you are using.

Note that “available” directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve, for example, a user’s account. But the same server might be configured to access directory domains that have not been added to its search policy.

To list accounts in directory domains accessible from a server:

1 In Workgroup Manager, log in to a server from which the directory domains of interest are visible.

2 Select Other in the At pop-up menu.

3 In the dialog box that appears, select the domain(s), then click OK. User accounts residing in selected directory domains are listed in the user tab, and group accounts are listed in the group tab.

4 To work with a particular account, select it. To change a NetInfo or LDAPv3 account, which requires that you have server or domain administrator privileges, click the lock to authenticate.

Refreshing User and Group Lists

To refresh the list of user and group accounts currently displayed in Workgroup Manager, you can

• type in the field above the list

• choose another item in the At pop-up menu, then reselect the domain(s) you had been working with

User and group lists are automatically refreshed at the rate specified in the Workgroup Manager preferences.
Choose the Preferences command on the Workgroup Manager menu to display the current setting for automatic refresh and optionally change it.

Finding Specific Users and Groups in a List

After you have displayed a list of users or groups in Workgroup Manager, you can filter the list to find particular users or groups of interest.

To filter items in the list of accounts:

1 After listing accounts, select the user or group tab.

2 In the pop-up menu above the account list, select an option to describe what you want to find. When you enter a name option, both full and short names of users or groups are searched. The original list is replaced by items that satisfy your search criteria.

Sorting User and Group Lists

After displaying a list of accounts in Workgroup Manager, click a column heading to sort entries using the values in that column. Click the heading again to reverse the order of the entries in the list.

Shortcuts for Working With Users and Groups

When using Workgroup Manager to work with user and group accounts, several shortcuts can save you time:

• You can make changes to multiple user or group accounts at once. See “Editing Multiple Users Simultaneously” on page 176.

• You can use presets, which are like templates that let you predefine attributes to apply to new user or group accounts by default. See “Creating a Preset for User Accounts” on page 176 through “Changing Presets” on page 178.

• You can import user and group accounts from a file. See “Understanding What You Can Import” on page 179 through “Using Character-Delimited Files” on page 187.

Editing Multiple Users Simultaneously

You can use Workgroup Manager to make the same change to multiple user accounts in a NetInfo or LDAPv3 domain at the same time.

To edit multiple users:

1 In Workgroup Manager, list the users in the directory domain of interest.

Click the Account button, then use the At pop-up menu to open the directory domain.
Click the lock to be authenticated, then select the users in the user list. Use Command-click to select each user whose account you want to change.

2 Click the tab you want to work with and make changes as required for fields that Workgroup Manager lets you update.

Using Presets

Presets are Workgroup Manager account templates. They let you set up initial attributes for new accounts you create using Workgroup Manager.

Presets can be used only during account creation. If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.

Creating a Preset for User Accounts

To create a preset for user accounts:

1 Open Workgroup Manager on the server from which you will be creating user accounts.

Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts.

2 Click the Accounts button.

3 To create a preset using data in an existing user account, open the account. To create a preset using an empty user account, create a new user account.

4 Fill in the fields with values you want new user accounts to inherit. Delete any values you do not want to prespecify if you are basing the preset on an existing account.

The following attributes can be defined in a user account preset: password settings, home directory settings, quotas, default shell, primary group ID, group membership list, and mail settings.

5 On the Presets pop-up menu, choose Save Preset, enter a name for the preset, then click OK.

Creating a Preset for Group Accounts

To create a preset for group accounts:

1 Open Workgroup Manager on the server from which you will be creating group accounts.

Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts.

2 Click the Accounts button.
3 To create a preset using data in an existing group account, open the account. To create a preset using an empty group account, create a new group account.

4 Fill in the fields with values you want new group accounts to inherit. Delete any values you do not want to prespecify if you are basing the preset on an existing account.

5 On the Presets pop-up menu, choose Save Preset, enter a name for the preset, then click OK.

Using Presets to Create New Accounts

To create a new account using a preset:

1 Open Workgroup Manager on a server configured to access the Mac OS X directory domain or non-Apple LDAPv3 directory domain in which the preset will be used to create the new account.

2 Click the Accounts button.

3 Use the At pop-up menu to open the directory domain in which you want the new account to reside.

4 Click the lock to be authenticated as a directory domain administrator.

5 From the Presets pop-up menu, choose the preset you want to use.

6 Create a new account.

7 Add or update attribute values as appropriate, either interactively or using an import file.

Renaming Presets

To rename a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose Rename Preset and enter the new name.

4 Click OK.

Deleting a Preset

To delete a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose Delete Preset.

4 Select the preset you want to delete, then click Delete.

Changing Presets

When you change a preset, existing accounts created using it are not updated to reflect your changes.

To change a preset:

1 Open Workgroup Manager on the server where the preset has been defined.

2 Click the Accounts button.

3 From the Presets pop-up menu, choose the preset you want to change.

4 After completing your changes, choose Save Preset on the Presets pop-up menu.
You can also change a preset while using it to create a new account by changing any of the fields defined by the preset, then saving the preset.

Importing and Exporting User and Group Information

Importing user and group accounts from a file is useful when you want to

- Create a large number of users or groups in a batch.
- Migrate user or group accounts from another server. You can import users and groups from AppleShare IP 6.3 or Mac OS X Server version 10.1 and earlier.
- Update a large number of user or group accounts with new information.

You can import accounts into a NetInfo or LDAPv3 directory domain from

- XML files created by exporting accounts on AppleShare IP 6.3 servers.
- XML files created by exporting accounts on Mac OS X Server versions 10.1 and earlier.
- Character-delimited files created by exporting accounts on Mac OS X Server versions later than 10.1 or created by hand or using a database or spreadsheet application.

There are two ways to import and export accounts: using Workgroup Manager or using the dsimportexport command-line tool. dsimportexport gives you more control over the import and export processes, while Workgroup Manager offers a simpler, graphical user experience.

During import and export processing, dsimportexport displays status information and writes to a log file:

- Status information is provided for each user or group imported or exported. Status data includes the total number of records processed so far, the number of bytes processed so far, and the identity of the record being processed currently.
- The log file is created in /Users/<userName>/Library/Logs/ImportExport/DSImportExport.logYYYY.MMDD.mmmmmm, where <userName> identifies the user who invoked dsimportexport and mmmmmm is milliseconds. The log file provides both processing information and error indications.
Information logged includes the date and time that the import or export operation started, the total number of users and groups imported or exported, and the identity of any accounts that generated errors during import or export.

This section describes how to prepare files for importing and how to conduct import and export operations using Workgroup Manager and dsimportexport.

Understanding What You Can Import

The user and group account attributes you can import vary with the kind of import file you use:

- XML files created with Mac OS X Server 10.1 or earlier (see page 186)
- XML files created with AppleShare IP 6.3 (see page 186)
- character-delimited files (see page 187)

You cannot use an import file to change these predefined users: daemon, root, nobody, unknown, or www. Nor can you use an import file to change these predefined groups: admin, bin, daemon, dialer, mail, network, nobody, nogroup, operator, staff, sys, tty, unknown, utmp, uucp, wheel, or www. You can, however, add users to the wheel and admin groups.

Using Workgroup Manager to Import Users and Groups

You can use Workgroup Manager to import user and group accounts into a NetInfo or LDAPv3 directory domain.

To import accounts using Workgroup Manager:

1 Create a character-delimited or XML file containing the accounts to import, and place it in a location accessible from the server on which you will use Workgroup Manager. Ensure the file contains no more than 10,000 records.

See “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186, “Using XML Files Created With AppleShare IP 6.3” on page 186, and “Using Character-Delimited Files” on page 187 for information on creating files to import.

2 In Workgroup Manager, click the Account button, then use the At pop-up menu to open the directory domain into which you want to import accounts.

3 Click the lock to authenticate as domain administrator.

4 Choose Import from the Server menu, then select the import file.
5 Select one of the Duplicate Handling options to indicate what to do when the short name of an account being imported matches that of an existing account.

“Overwrite existing record” overwrites any existing record in the directory domain.

“Ignore new record” ignores an account in the import file.

“Add to empty fields” merges data from the import file into the existing account when the data is for an attribute that currently has no value.

“Append to existing record” appends data to existing data for a particular multivalue attribute in the existing account. Duplicates are not created. This option might be used, for example, when importing new members into an existing group.

6 Select one of the Record Format options.

“Import standard users” indicates your import file contains user accounts with these attributes in the order listed: short name, password, UID, primary group ID, full name, path to the home directory on the user’s computer, and default shell. The first line of the file must contain “StandardUserRecord.”

“Import standard groups” indicates your import file contains group accounts with these attributes in the order listed: group name, group ID, and short names of group members. The first line of the file must contain “StandardGroupRecord.”

“Use record description in file” indicates that the first line of the file is a complete record description. “Using Character-Delimited Files” on page 187 describes what the record description must look like.

“Import XML from AppleShare IP” indicates your import file is an XML file created using AppleShare IP.

“Import XML from Server Admin” indicates your import file is an XML file created using Server Admin on Mac OS X Server 10.1 or earlier.

7 In the First User ID field, enter the UID at which to begin assigning UIDs to new user accounts for which the import file contains no UID.
8 In the Primary Group ID field, enter the group ID to assign to new user accounts for which the import file contains no primary group ID.

9 Click Import to start the import operation.

Using Workgroup Manager to Export Users and Groups

You can use Workgroup Manager to export user and group accounts from a NetInfo or LDAPv3 directory domain into a character-delimited file that you can import into a different NetInfo or LDAPv3 directory domain.

To export accounts using Workgroup Manager:

1 In Workgroup Manager, click the Account button, then use the At pop-up menu to open the directory domain from which you want to export accounts.

2 Click the lock to authenticate as domain administrator.

3 Choose Export from the Server menu.

4 Specify the name to assign to the export file and the location where you want it created.

5 Click Export.

Using dsimportexport to Import Users and Groups

You can use dsimportexport to import user and group accounts into a NetInfo or LDAPv3 directory domain.

Here are the parameters that dsimportexport accepts when importing user and group accounts. Parameters are delimited using angle brackets (<>) if they are required and square brackets ([]) if they are optional:

dsimportexport <-g or -s or -p> <file> <directoryDomain> <userName> <password> <O or M or I or A> <-s startingUID> [-r primaryGroupID] [-k keyIndex ...] [-n recNameIndex] [-v] [-T standardRecordType] [-yrnm userName] [-yrpwd password] [-y ipAddress] [-V] [-h] [-err]

where

-g imports accounts from a character-delimited file. See “Using Character-Delimited Files” on page 187 for information about the format of this kind of file.

-s imports accounts from an XML file formatted as “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186 describes.

-p imports accounts from an XML file formatted as “Using XML Files Created With AppleShare IP 6.3” on page 186 describes.

file names the file from which you want to import accounts, including the path to the file. For example, /tmp/Import1.
directoryDomain is the full path to the NetInfo or LDAPv3 directory domain into which you want to import the accounts. For a NetInfo domain, you might type “NetInfo/root/someDomain”. For an LDAPv3 domain, an example is “LDAPv3/ldap.example.com”.

userName is the full or short name of a user who has domain administrator privileges for the directory domain.

password is the password associated with the userName you specify.

O overwrites any existing record in the directory domain with the value(s) in the attribute(s) identified using the -k option.

M merges data from the import file into an existing account, using the value(s) in the attribute(s) identified using the -k option when the data is for an attribute that currently has no value.

I ignores an account in the import file if a record with the same value(s) in the attribute(s) identified using the -k option already exists in the directory domain.

A appends data to existing data for a particular multivalue attribute in an account in the directory domain with the value(s) in the attribute(s) identified using the -k option. Duplicates are not created. This option might be used, for example, when importing new members into an existing group.

-s startingUID specifies the starting UID to use when importing from an ASIP XML file or a character-delimited file that contains new user accounts with no UIDs specified. You can omit this argument if all the accounts in the import file contain UIDs, but use it if some or all of the accounts do not contain UIDs. For example, -s 559 assigns UIDs to imported users starting at 559 and incrementing by one for each new user.

-r primaryGroupID identifies the primary group ID to assign a new user when an account in the import file has no group ID specified. For example, -r 20 makes the group with a group ID of 20 the primary group of an imported user with no group ID defined in the file.

-k keyIndex ... is for character-delimited import files only.
It is used to identify as many as four attributes of an account in the file that you want to use to determine whether the account already exists. The keyIndex is 0 based, so -k 0 points to the first attribute of an account in the import file. Separate multiple keyIndex values using commas, for example, -k 1,5,6,8. If you omit the -k parameter, -k 0 is assumed.

-n recNameIndex is for character-delimited import files only. It is used to identify the attribute providing a user’s short name or a group name. The recNameIndex is 0 based, so -n 0 points to the first attribute. If you omit the -n parameter, -n 0 is assumed.

-v generates verbose output during import. Because this option generates a large amount of status data for each account (including all data in the import file), use this option only when debugging import files. The default status data are counts of the number of accounts and bytes processed and the record name of the account currently being processed.

-T standardRecordType is for character-delimited import files only. It is used to indicate that the first line of the file does not contain a record description because the file contains accounts in standard formats. A standardRecordType value of xDSStandardUser is used for standard user accounts, and xDSStandardGroup is used for standard group accounts. See “Using Character-Delimited Files” on page 187 for details about account formatting.

-yrnm userName is the user name for logging in to a remote Mac OS X Server identified in the -y parameter.

-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter.

-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.

-V adds the version number of dsimportexport to the log file.

-h displays usage information for dsimportexport.

-err displays error information.
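The four duplicate-handling modes above (Overwrite, Ignore, Add to empty fields and Append in Workgroup Manager; O, M, I and A in dsimportexport) decide whether an import silently replaces an existing account, so it is worth seeing them side by side. The following Python model is an added example, not Apple's dsimportexport code: it matches import records to existing ones on the -k key attributes, applies each mode, and leaves the predefined users and groups listed under “Understanding What You Can Import” unchanged except for adding members to wheel and admin. The directory contents, the import records and the Comment attribute are constructed sample data.

```python
# Added example, not Apple's dsimportexport code: a model of the duplicate-handling
# modes described above. A record is {attribute name: [values]}, since attributes
# such as GroupMembership carry several values.
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, List[str]]

# Predefined accounts the guide says an import file cannot change.
PROTECTED_USERS = {"daemon", "root", "nobody", "unknown", "www"}
PROTECTED_GROUPS = {"admin", "bin", "daemon", "dialer", "mail", "network", "nobody",
                    "nogroup", "operator", "staff", "sys", "tty", "unknown", "utmp",
                    "uucp", "wheel", "www"}
MEMBER_ADD_ALLOWED = {"wheel", "admin"}   # users may still be added to these groups


def record_key(rec: Record, attrs: Sequence[str], key_indexes: Sequence[int]) -> Tuple:
    """Identity of an account for duplicate detection: the values of the -k
    attributes (0-based indexes into the file's attribute list, at most four)."""
    if not 1 <= len(key_indexes) <= 4:
        raise ValueError("-k takes one to four attribute indexes")
    return tuple(tuple(rec.get(attrs[i], ())) for i in key_indexes)


def is_protected(existing: Record, record_type: str, mode: str) -> bool:
    """True when the import must leave this existing account unchanged."""
    name = existing.get("RecordName", [""])[0]
    if record_type == "Users":
        return name in PROTECTED_USERS
    if name in PROTECTED_GROUPS:
        # The one permitted change is appending members to wheel or admin.
        return not (mode == "A" and name in MEMBER_ADD_ALLOWED)
    return False


def apply_import(existing: Iterable[Record], imported: Iterable[Record],
                 attrs: Sequence[str], mode: str, record_type: str = "Users",
                 key_indexes: Sequence[int] = (0,)) -> List[Record]:
    """Return the directory contents after importing in mode O, M, I or A."""
    if mode not in ("O", "M", "I", "A"):
        raise ValueError("mode must be O (overwrite), M (merge), I (ignore) or A (append)")
    result: List[Record] = [{a: list(v) for a, v in r.items()} for r in existing]
    index = {record_key(r, attrs, key_indexes): r for r in result}
    for rec in imported:
        new = {a: list(v) for a, v in rec.items()}
        key = record_key(new, attrs, key_indexes)
        cur = index.get(key)
        if cur is None:                       # no match: every mode creates the account
            result.append(new)
            index[key] = new
            continue
        if mode == "I" or is_protected(cur, record_type, mode):
            continue                          # ignore the import record
        if mode == "O":                       # overwrite the whole existing record
            cur.clear()
            cur.update(new)
        elif mode == "M":                     # fill only attributes that are empty
            for attr, values in new.items():
                if not cur.get(attr):
                    cur[attr] = values
        else:                                 # "A": append values, never duplicating
            if record_type == "Groups" and cur.get("RecordName", [""])[0] in PROTECTED_GROUPS:
                new = {"GroupMembership": new.get("GroupMembership", [])}
            for attr, values in new.items():
                current = cur.setdefault(attr, [])
                current.extend(v for v in values if v not in current)
    return result


# Constructed sample data. The attribute list mirrors a character-delimited file;
# Comment is a hypothetical extra attribute used to show the M mode.
GROUP_ATTRS = ["RecordName", "PrimaryGroupID", "GroupMembership", "Comment"]
EXISTING_GROUPS: List[Record] = [
    {"RecordName": ["students"], "PrimaryGroupID": ["88"], "GroupMembership": ["jones", "thomas"]},
    {"RecordName": ["wheel"], "PrimaryGroupID": ["0"], "GroupMembership": ["root"]},
]
IMPORT_GROUPS: List[Record] = [
    {"RecordName": ["students"], "PrimaryGroupID": ["88"],
     "GroupMembership": ["thomas", "smith", "wong"], "Comment": ["imported batch"]},
    {"RecordName": ["wheel"], "PrimaryGroupID": ["0"],
     "GroupMembership": ["jim"], "Comment": ["must not land"]},
    {"RecordName": ["faculty"], "PrimaryGroupID": ["89"], "GroupMembership": ["lee"]},
]


def members(records: List[Record], name: str) -> List[str]:
    """Membership list of the first record with the given RecordName."""
    for rec in records:
        if rec.get("RecordName") == [name]:
            return rec.get("GroupMembership", [])
    return []
```

Appending on RecordName alone is the case the guide has in mind for group membership. Keying on RecordName and PrimaryGroupID together (-k 0,1) turns a record whose group ID disagrees into a new account instead of an overwrite, which is the behaviour to confirm before running an O import against a production domain.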
To use dsimportexport to import users and groups:

1 Create a character-delimited or XML file containing the accounts to import, and place it in a location accessible from the server from which you will use the tool. Ensure the file contains no more than 10,000 records.

See “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186, “Using XML Files Created With AppleShare IP 6.3” on page 186, and “Using Character-Delimited Files” on page 187 for information on creating files to import.

2 As domain administrator, log in to a server that has access to the directory domain into which you want to import accounts.

3 Open the Terminal application and type the dsimportexport command. The dsimportexport tool is located in /usr/sbin.

Using dsimportexport to Export Users and Groups

You can use dsimportexport to export user and group accounts from NetInfo or LDAPv3 directory domains into a character-delimited file that you can import into a different Mac OS X or non-Apple LDAPv3 directory domain.

Here are the parameters that dsimportexport accepts when exporting user and group accounts. Parameters are delimited using angle brackets (<>) if they are required and square brackets ([]) if they are optional:

dsimportexport -x <file> <directoryDomain> [-v] [-d delimiter ...] [-yrnm userName] [-yrpwd password] [-y ipAddress] [-V] [-h] [-err]

where

-x exports accounts into a character-delimited text file. See “Using Character-Delimited Files” on page 187 for information about the format of this kind of file.

file names the file to which you want to export accounts, including the path to the file. For example, /tmp/Export1. The file should not already exist.

directoryDomain is the full path to the NetInfo or LDAPv3 directory domain from which you want to export the accounts. For a NetInfo domain, you might type “NetInfo/root/someDomain”. For an LDAPv3 domain, an example is “LDAPv3/ldap.example.com”.

-v generates verbose output during export.
Because this option generates a large amount of status data for each account (including all data in the export file), use this option only when debugging export files. The default status data are a count of the number of accounts processed and the record name of the account currently being processed.

-d delimiter is for character-delimited export files only. This parameter specifies four delimiters in this order: end of record, escape, end of field, and end of value. The delimiter values must be expressed using hex strings, for example, 0x0A. If you omit this parameter, the default delimiters are \n (end of record, 0x0A), \ (escape, 0x5C), : (end of field, 0x3A), and , (end of value, 0x2C).

-yrnm userName is the user name for logging in to a remote Mac OS X Server identified in the -y parameter.

-yrpwd password is the password for logging in to a remote Mac OS X Server identified in the -y parameter.

-y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible.

-V adds the version number of dsimportexport to the log file.

-h displays usage information for dsimportexport.

-err displays error information.

To use dsimportexport to export users and groups:

1 As domain administrator, log in to a server that has access to the directory domain from which you want to export accounts.

2 Open the Terminal application and type the dsimportexport command. The dsimportexport tool is located in /usr/sbin.

Using XML Files Created With Mac OS X Server 10.1 or Earlier

You can use Server Admin to create an export file from Mac OS X Server versions 10.1 or earlier, and import that file into a NetInfo or LDAPv3 directory domain using Workgroup Manager or dsimportexport.

The following user account attributes are exported into these XML files.
Attributes in angle brackets (<>) are required and will generate an error if absent when you use the file as an import file:

- indication of whether user can log in
- indication of whether user is a server administrator
- [attribute name missing]
- [attribute name missing]
- shell
- comment
- [attribute name missing]
- [attribute name missing]
- [attribute name missing] and [attribute name missing].
- Apple mail data
- ara (Apple Remote Access; this data is ignored.)

The following group account attributes might be present in these XML files:

- [attribute name missing]
- [attribute name missing]
- [attribute name missing]
- other members’ short names

Using XML Files Created With AppleShare IP 6.3

You can use the Web & File Admin application to create an export file on an AppleShare IP 6.3 server and import that file into a NetInfo or LDAPv3 directory domain using Workgroup Manager or dsimportexport.

The following user account attributes are exported into these XML files. Attributes in angle brackets (<>) are required and will generate an error if absent when you use the file as an import file:

- [attribute name missing] (mapped to a full name)
- inetAlias (mapped to a short name)
- comment
- indication of whether user can log in
- [attribute name missing] and [attribute name missing].
- Apple mail data
- indicator for whether the user is a server administrator, password change data, and indicator for forcing a password to change (this data is ignored)

The dsimportexport tool generates UIDs when you import this XML file, using the -s parameter to determine the UID to start with and incrementing each subsequently imported account’s UID by one. It generates primary group IDs using the -r parameter. When you import using Workgroup Manager, UIDs and primary group IDs are generated as you indicate in the dialog box provided.

The following group account attributes might be present in these XML files:

- [attribute name missing]
- [attribute name missing]
- other members’ short names

dsimportexport generates group IDs when you import this XML file, using the -r parameter to determine the group ID to start with and incrementing each subsequently imported group’s ID by one.
When you import using Workgroup Manager, group IDs are generated using the information you provide for primary group IDs in the import dialog box.

Using Character-Delimited Files

You can create a character-delimited file by using Workgroup Manager or dsimportexport to export accounts in NetInfo or LDAPv3 directory domains into a file. You can also create a character-delimited file by hand or by using a database or spreadsheet application.

The first record in the file must characterize the format of each account in the file. There are three options:

- Write a full record description.
- Use the shorthand “StandardUserRecord.”
- Use the shorthand “StandardGroupRecord.”

The other records in the file describe user or group accounts, encoded in the format described by the first record. Any line of a character-delimited file that begins with “#” is ignored during importing.

Writing a Record Description

A record description identifies the fields in each record you want to import from a character-delimited file; indicates how records, fields, and values are separated; and describes the escape character that precedes special characters in a record.
Encode the record description using the following elements in the order specified, separating them using a space:

End-of-record indicator (in hex notation)
Escape character (in hex notation)
Field separator (in hex notation)
Value separator (in hex notation)
Type of accounts in the file (DSRecTypeStandard:Users or DSRecTypeStandard:Groups)
Number of attributes per account
List of attributes

For user accounts, the list of attributes must include the following, although you can omit UID and PrimaryGroupID if you specify a starting UID and a default primary group ID when you import the file:

RecordName (the user’s short name)
Password
UniqueID (the UID)
PrimaryGroupID
RealName (the user’s full name)

In addition, you can include

UserShell (the default shell)
NFSHomeDirectory (the path to the user’s home directory on the user’s computer)
Other user attributes, described in Appendix A

For group accounts, the list of attributes must include

RecordName (the group name)
PrimaryGroupID (the group ID)
GroupMembership

In addition, you can include other group attributes, described in Appendix A.

Here is an example of a record description:

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell

Here is an example of a record encoded using the description:

jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh

Using the StandardUserRecord Shorthand

When the first record in a character-delimited import file contains “StandardUserRecord,” the record description assumed is

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell

An example user account looks like this:

jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh

Using the StandardGroupRecord Shorthand

When the first record in a character-delimited import file contains “StandardGroupRecord,” the record description assumed is

0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Groups 4 RecordName PrimaryGroupID GroupMembership

Here is an example of a record encoded using the description:

students:Ad147:88:jones,thomas,smith,wong

Understanding Password Validation

A user’s password can be validated using one of these options:

- Using a value stored as a readable attribute in the user’s account. The account can be stored in a directory domain residing on Mac OS X Server or on another vendor’s directory server, such as an LDAP or Active Directory server.
- Using a value stored in the Open Directory Password Server.
- Using a Kerberos server.
- Using LDAP bind authentication with a non-Apple LDAPv3 directory server.

Clients needing password validation, such as login window and the AFP server, call Mac OS X directory services. Directory services determines from the user’s account how to validate the password.

- Directory services can validate a password stored in the account or by interacting with the Password Server or a remote LDAP directory server (using LDAP bind authentication).
- If a Kerberos server is used to validate a user, when the user accesses a Kerberized client, such as the AFP server in the following picture, the client interacts directly with the Kerberos server to validate the user. Then the client interacts with directory services to retrieve the user’s record for other information it needs, such as the UID or primary group ID.

See “The Authentication Authority Attribute” on page 192 for information about the attribute in a user’s account that indicates how to validate a particular user’s password.

[Figure: directory services, Password Server, Kerberos server, directory server, user account. Caption: Password provided can be validated using value stored in account.]
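Returning to the character-delimited format: the record description and the StandardUserRecord shorthand above are easy to read but have a subtlety worth checking mechanically. The guide's own example record carries a full name, J. Smith, Jr., M.D., that contains the value separator 0x2C, so a parser applying the description literally reads RealName as three values unless the commas are escaped with 0x5C. The parser below is an added example written for this page, not Apple's code, and applies the rules exactly as stated: hex delimiters, a single escape character, lines beginning with # ignored. The jim record is quoted from the guide; the ann record, and the group file whose description lists Password as the second attribute so that the guide's four-field students record parses, are constructed here.

```python
# Added example, not Apple's code: a parser for the character-delimited account
# file format described above. It applies the record description literally: the
# four delimiters are given as hex bytes, and escape + X stands for a literal X.
from dataclasses import dataclass
from typing import Dict, List

# Quoted from the guide: the description assumed for a "StandardUserRecord" file.
SHORTHAND = {
    "StandardUserRecord": "0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Users 7 RecordName "
                          "Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell",
}


@dataclass
class RecordDescription:
    end_of_record: str
    escape: str
    end_of_field: str
    end_of_value: str
    record_type: str
    attributes: List[str]


def hex_char(token: str) -> str:
    """'0x3A' -> ':'; the guide writes delimiters in hex notation."""
    return chr(int(token, 16))


def parse_description(line: str) -> RecordDescription:
    """Parse a full record description: four delimiters, record type, attribute
    count, then the attribute names, all separated by spaces."""
    parts = line.split()
    if len(parts) < 6:
        raise ValueError("record description needs at least six elements")
    eor, esc, eof, eov, rtype, count = parts[:6]
    attrs = parts[6:]
    if len(attrs) != int(count):
        raise ValueError(f"description declares {count} attributes but lists {len(attrs)}")
    return RecordDescription(hex_char(eor), hex_char(esc), hex_char(eof),
                             hex_char(eov), rtype, attrs)


def parse_record(line: str, desc: RecordDescription) -> Dict[str, List[str]]:
    """Split one record into fields and values in a single pass, so that an
    escaped delimiter is kept as a literal character instead of splitting."""
    fields: List[List[str]] = [[]]
    current: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == desc.escape and i + 1 < len(line):
            current.append(line[i + 1])          # escaped byte: take it literally
            i += 2
            continue
        if ch == desc.end_of_field:
            fields[-1].append("".join(current))
            fields.append([])
            current = []
        elif ch == desc.end_of_value:
            fields[-1].append("".join(current))  # next value of the same attribute
            current = []
        else:
            current.append(ch)
        i += 1
    fields[-1].append("".join(current))
    if len(fields) != len(desc.attributes):
        raise ValueError(f"record has {len(fields)} fields, description has "
                         f"{len(desc.attributes)}")
    return dict(zip(desc.attributes, fields))


def parse_file(text: str) -> List[Dict[str, List[str]]]:
    """Parse an import file: the first line is a description or a shorthand,
    lines beginning with '#' are ignored, every other line is one account."""
    first, _, body = text.partition("\n")
    desc = parse_description(SHORTHAND.get(first.strip(), first))
    return [parse_record(raw, desc)
            for raw in body.split(desc.end_of_record)
            if raw and not raw.startswith("#")]


# Constructed sample file: the jim record is the guide's own example; the ann
# record is added here to show the escape character protecting a comma.
SAMPLE_USERS = (
    "StandardUserRecord\n"
    "# lines beginning with # are ignored\n"
    "jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh\n"
    "ann:x7Qp2#:409:20:Ann Lee\\, PhD:/Network/Servers/somemac/Homes/ann:/bin/tcsh\n"
)

# Constructed sample with a full description. Listing Password as the second
# group attribute is an assumption made here so the guide's four-field group
# example parses; the guide's shorthand lists only three attribute names.
SAMPLE_GROUPS = (
    "0x0A 0x5C 0x3A 0x2C DSRecTypeStandard:Groups 4 "
    "RecordName Password PrimaryGroupID GroupMembership\n"
    "students:Ad147:88:jones,thomas,smith,wong\n"
)
```

The same escaping rule is what lets a value containing : or \ survive, so a file produced by another tool should be checked for unescaped delimiters before it is imported with O, which would overwrite whole records with mis-split fields.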
[Figure: Password can also be validated using value stored on another server on the network. Shown: directory services, login window, Telnet and SSH, AFP file server, Kerberos server, Password Server, Mac OS X lock icon, user account.]

Contrasting Password Validation Options

Here are the pros and cons of the options for validating a user’s password:

- Storing a password in the user’s account. This approach, referred to as the “basic” password validation strategy, is the default strategy. It is the simplest and fastest strategy, since it does not depend on another infrastructure for password validation. It is the strategy most compatible with software that needs to access user records directly, such as legacy UNIX software. It supports users logging in to computers running Mac OS X version 10.1 and earlier as well as Windows users authenticated using Authentication Manager when they log in to a Mac OS X Server version 10.1. When integrating with existing directory systems, such as LDAP and Active Directory servers, this strategy offers the greatest opportunity for both Mac OS X Server and the directory server to use the same record to authenticate a user who wants to use that server.

  This strategy may not support clients that require certain network-secure authentication protocols (such as SMB, APOP, or CRAM-MD5) when transmitting passwords to a particular service. Also, this strategy can make your server vulnerable to offline attacks, since readable versions of passwords are used. See “The Problem With Readable Passwords” on page 194 for more information about offline attacks.

  See “Storing Passwords in User Accounts” on page 193 for details about this strategy.

- Using a Password Server. This strategy lets you set up user-specific password policies for users. You can require a user to change his password periodically or use only passwords having more than a minimum number of characters.
  It supports clients that can use basic authentication as well as clients requiring network-secure authentication protocols that protect the privacy of a password during transmission. It is the recommended method to use for Windows clients. It is the only way to authenticate AFP clients prior to version 3.8.3, because they require AFP 2-Way Random authentication, which Password Server supports.

  Password Server passwords can’t be used during login to computers running Mac OS X version 10.1 or earlier. In addition, this strategy relies on the availability of a Password Server on a Mac OS X Server; if the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server. Also, you must ensure that physical access to the server on which Password Server resides is controlled.

  See “Using a Password Server” on page 195 for details about this strategy.

- Using a Kerberos server. This option is not supported by all services but offers the opportunity to integrate into existing Kerberos environments. As in the case of the Password Server, if the Kerberos server is unavailable, users whose passwords are verified using it are unable to use your server.

  See “Using Kerberos” on page 197 for details about this strategy.

- Using an LDAP server. This option, like Kerberos, offers a way to integrate your Mac OS X Server into an existing authentication scheme.

  See “Using LDAP Bind Authentication” on page 201 for details about this strategy.

The Authentication Authority Attribute

To authenticate a user, Mac OS X directory services first locates the user’s record using the user name provided by the user. Then it determines which password validation scheme to use by consulting the “authentication authority” attribute in the user’s account.

The authentication authority attribute identifies the password validation scheme and provides additional information as required.
For example, if a Password Server is being used, the location of the Password Server is part of the authentication authority value.

If a user’s account contains no authentication authority attribute, the basic strategy is used. For example, user accounts created using Mac OS X version 10.1 and earlier contain no authentication authority attribute.

Choosing a Password

The password associated with a user’s account must be entered by the user before he or she can be authenticated. The password is case-sensitive (except for SMB LAN Manager passwords) and does not appear on the screen as it is entered.

Regardless of the password validation option you use for any user, here are some guidelines for composing a password for Mac OS X Server users.

A password should contain letters, numbers, and symbols in combinations that won’t be easily guessed by unauthorized users. Avoid spaces and Option-key combinations. Also avoid characters that can’t be entered on computers the user will be using. (Some computers do not support passwords that contain double-byte characters, leading spaces, embedded spaces, and so forth.) A zero-length password is not recommended, and some systems (such as LDAP bind) do not allow them.

Most of the Mac OS X Server applications and services that require passwords support 7-bit or 8-bit ASCII passwords without leading or trailing spaces. Use the following information to determine whether you need to take these restrictions into account when defining passwords for server users:

- Apple file service accepts 7-bit or 8-bit ASCII passwords.
- File Transfer Protocol (FTP) service accepts 7-bit ASCII passwords.
- IMAP accepts 7-bit ASCII passwords. Some IMAP clients accept 8-bit ASCII passwords.
- Macintosh Manager accepts 7-bit or 8-bit ASCII passwords.
- POP3 accepts 7-bit ASCII passwords.
- Web service accepts 7-bit ASCII passwords.
- Windows service accepts 7-bit ASCII passwords.
- Server Settings accepts 7-bit or 8-bit ASCII passwords.

Migrating Passwords

When you import user accounts from computers running Mac OS X Server version 10.1 or earlier, no authentication authority attribute exists. Therefore all these users have basic password validation enabled initially. When importing users from servers supporting Windows users, Authentication Manager passwords may have been used to set the passwords. While all the existing passwords can continue to be used after importing the users, if you want to use the Password Server for imported users, you’ll need to reset their passwords after importing them. “Enabling the Use of a Password Server for a User” on page 196 describes how to change a basic password to a Password Server password.

Setting Up Password Validation Options

The sections that follow describe how to set up the different kinds of password validation for individual users:

- To store a password in a user’s account, see “Storing Passwords in User Accounts” on page 193.
- To use a Password Server to validate a user’s password, see “Enabling the Use of a Password Server for a User” on page 196.
- To use a Kerberos server, see “Integrating Mac OS X With a Kerberos Server” on page 199.
- To use LDAP bind authentication, see “Using LDAP Bind Authentication” on page 201.

Storing Passwords in User Accounts

This password management strategy is the default strategy, but cannot be used to validate the passwords of clients that require network-secure authentication protocols. (The single exception is users created using Mac OS X Server version 10.1 in NetInfo domains with Authentication Manager enabled.) Use the Password Server if you need to support these kinds of client computers.

Enabling Basic Password Validation for a User

Basic password validation is the simplest form of password validation. It relies on a readable version of a user’s password, stored in the user account. Only the first 8 characters are used for password validation.
A user’s password is stored in the user account in an encrypted form, derived by feeding a random number along with the clear text password to a mathematical function, known as a one-way hash function. A one-way hash function always generates the same encrypted value from particular input, but cannot be used to re-create the original password from the encrypted output it generates.

To validate a password using the encrypted value, Mac OS X applies the function to the password entered by the user and compares it with the value stored in the user account. If the values match, the password is considered valid.

You can use Workgroup Manager to enable using the basic password validation strategy for user accounts stored in a Mac OS X directory or non-Apple LDAPv3 directory domain.

To enable basic password validation using Workgroup Manager:

1 In Workgroup Manager, open the account you want to work with if it is not already open.

To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. Click the lock to be authenticated, then select the user in the list.

2 On the Advanced tab, choose Basic from the “Use Password Type” pop-up menu.

3 If the user’s password validation strategy is currently a different one, you will be prompted to enter and verify a new password. If you are working with a new user, enter the password on the Basic tab in the Password field, then reenter it in the Verify field.

“Choosing a Password” on page 192 provides guidelines for choosing passwords.

The Problem With Readable Passwords

Whenever you store passwords in a readable form, they are potentially subject to hacking. Consider, for example, NetInfo user records. Although the passwords in NetInfo user records are encrypted using one-way encryption, they are readable because the nidump utility can be used to copy user records to a file.
The file can be transported to a system where a malicious user can use various techniques to figure out which password values generate the encrypted values stored in the user records. This form of attack is known as an offline attack, since it does not require successive login attempts to gain access to a system. As soon as a password is identified, the correct user name and password can be supplied and the malicious user can log in successfully without notice.

Using a Password Server

The Password Server stores passwords, but never allows passwords to be read. Passwords can only be set and verified. Malicious users must log in over the network to attempt to gain system access, and invalid password instances, logged by the Password Server, can alert you to such attempts.

The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer). This approach helps it support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users. Some of the protocols also support clients that require clear text or unique hashes. Here are a few of the network authentication protocols that the Password Server supports:
• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest

The account for a user whose password is validated using the Password Server does not store the user’s password. Instead, it stores—in its authentication authority attribute—a unique password ID, assigned by the Password Server when the account was set up to use the Password Server. To validate a password, directory services passes the password ID to the Password Server, which it locates using its network address, also stored in the authentication authority attribute. The Password Server uses the password ID as a key for finding the actual password and any associated password policy.
For example, the Password Server may locate a user’s password, but discover that it has expired. If the user is logging in, login window presents the user with a dialog box for changing the password. After providing a new password, the user can be authenticated.

The Password Server maintains a record for each user that includes
• The password ID, a 128-bit value assigned when the password is created. The value includes a key for finding a user’s password record.
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP or 2-way Random is enabled, the Password Server stores a recoverable (encrypted) password. If neither of these methods is enabled, only hashes of the passwords are stored.
• Data about the user that is useful in log records, such as the short name.
• Password policy data.

Setting Up a Password Server

The account for a user validated using the Password Server is stored in a NetInfo or LDAPv3 directory domain that resides on Mac OS X Server. Before you set up a user’s account to use a Password Server, you need to set up the Password Server. See Chapter 2, “Directory Services,” for instructions on how to set up a Password Server. It describes how to use Open Directory Assistant to
• create a Password Server
• associate a directory domain with a Password Server
• designate an administrator for the Password Server

Any user you designate to be an administrator for the Password Server becomes the domain administrator for the directory domain with which the server is associated. This administrator’s password is validated using that Password Server, so that the administrator is able to update passwords for user accounts that use that Password Server.
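The record lookup described above (authentication authority attribute → password ID → record with hashed password and policy), together with the failure logging the chapter relies on for monitoring, as an added Python model that is not Apple’s code. The attribute layout “;ApplePasswordServer;<id>@<address>” and the log line format are constructed for this example; the page does not give the real ones.

```python
"""Model of the Password Server record lookup described above.

Added example, not Apple's code.  The authentication authority layout used here
(";ApplePasswordServer;<128-bit id>@<server address>") and the log line format
are constructed stand-ins.  Only hashes are stored, which matches a server where
neither APOP nor 2-Way Random is enabled.
"""
import hashlib
import hmac
import secrets
import time
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PasswordRecord:
    password_id: str             # 128-bit value assigned when the password is created
    short_name: str              # user data that is useful in log records
    salt: bytes
    digest: bytes                # the password in hashed form
    expires_at: Optional[float]  # password policy: None means the password never expires


def _one_way(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def parse_authority(attr: str) -> Tuple[str, str]:
    """Split the authentication authority attribute into (password ID, server address)."""
    tag, rest = attr.lstrip(";").split(";", 1)
    if tag != "ApplePasswordServer":
        raise ValueError("account does not use a Password Server")
    password_id, address = rest.split("@", 1)
    return password_id, address


class PasswordServer:
    """Passwords can only be set and verified; there is no read operation."""

    def __init__(self, address: str) -> None:
        self.address = address
        self._records: Dict[str, PasswordRecord] = {}
        self.log: List[str] = []     # what Server Status would show

    def set_password(self, short_name: str, password: str,
                     expires_at: Optional[float] = None) -> str:
        """Create the record and return the authority value for the user account."""
        password_id = secrets.token_hex(16)            # 128 bits
        salt = secrets.token_bytes(8)
        self._records[password_id] = PasswordRecord(
            password_id, short_name, salt, _one_way(salt, password), expires_at)
        return f";ApplePasswordServer;{password_id}@{self.address}"

    def reset_password(self, password_id: str, new_password: str,
                       expires_at: Optional[float] = None) -> None:
        """Replace the hash (and policy) without ever exposing the old password."""
        rec = self._records[password_id]
        rec.salt = secrets.token_bytes(8)
        rec.digest = _one_way(rec.salt, new_password)
        rec.expires_at = expires_at

    def validate(self, password_id: str, attempt: str, client_ip: str,
                 now: Optional[float] = None) -> str:
        """Return "ok", "expired", "bad-password" or "unknown"; log every failure."""
        now = time.time() if now is None else now
        rec = self._records.get(password_id)
        if rec is None:
            self.log.append(f"AUTH FAILED: unknown password ID {password_id} from {client_ip}")
            return "unknown"
        if not hmac.compare_digest(_one_way(rec.salt, attempt), rec.digest):
            self.log.append(f"AUTH FAILED: user {rec.short_name} ID {password_id} from {client_ip}")
            return "bad-password"
        if rec.expires_at is not None and now >= rec.expires_at:
            return "expired"        # login window would now ask for a new password
        return "ok"


def failed_attempts_by_id(log: List[str]) -> Dict[str, int]:
    """Count failures per password ID: the periodic review the chapter recommends."""
    counts: Counter = Counter()
    for line in log:
        if line.startswith("AUTH FAILED") and " ID " in line:
            counts[line.split(" ID ", 1)[1].split()[0]] += 1
    return dict(counts)
```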
Enabling the Use of a Password Server for a User

Use Workgroup Manager to enable the use of a Password Server for validating passwords for user accounts stored in a NetInfo or LDAPv3 directory domain residing on Mac OS X Server.

To enable the use of a Password Server for a user:
1 Make sure a Password Server has been associated with the directory domain in which the user’s account resides.
2 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account resides. Click the lock to be authenticated, then select the user in the list.
3 On the Advanced tab, choose “Password Server” from the “Use Password Type” pop-up menu.
4 If the user’s password is currently being validated using a different strategy, you will be prompted to enter and verify a new password. If you are working with a new user, enter the password on the Basic tab in the Password field, then reenter it in the Verify field. The password must contain no more than 512 characters, although there may be different limits imposed by the network authentication protocol; for example, 128 characters for SMB NT, 14 for SMB LAN Manager, 8 for AFP 2-way random, and 8 for Crypt (basic). “Choosing a Password” on page 192 provides guidelines for choosing passwords.
5 On the Advanced tab, click Options to set up the user’s password policy. Click OK when you are done.

The password ID is a unique 128-bit number assigned when the password is created on the Password Server. It may be helpful in troubleshooting, since it appears in the Password Server log when a problem occurs. View this log in the directory services section of Server Status.

Exporting Users With Password Server Passwords

The Password Server does not let you read passwords. Therefore when you export user accounts that have Password Server passwords, passwords are not exported.
When you import such users, you must reset all their passwords after importing their accounts. “Enabling the Use of a Password Server for a User” on page 196 describes how.

Making a Password Server More Secure

Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which a Password Server runs is secure:
• Set up Password Servers on a server that is not used for any other activity.
• Since the load on a Password Server is not particularly high, you can have several (or even all) of your server-resident directory domains share a single Password Server.
• Make sure that the Password Server’s computer is located in a physically secure location.

Monitoring a Password Server

Use the Password Server logs, visible using Server Status, to monitor failed login attempts. Password Server logs all failed authentication attempts, including IP addresses that generate them. Periodically review the logs to determine whether there are a large number of failed trials for the same password ID, indicating that somebody may be generating login guesses.

Using Kerberos

If you already use Kerberos to authenticate users, you can use Kerberos to validate passwords for the following services of Mac OS X Server version 10.2 and later:
• Login window
• Mail service
• FTP
• AFP server and client
• Telnet server

These services have been “Kerberized.” Only services that have been Kerberized can use Kerberos to validate a user.

Understanding Kerberos

Like the Password Server, a Kerberos server is dedicated to handling data needed for user validation. Other user data is maintained in a separate server. Kerberized services are configured to authenticate principals who are known to a particular Kerberos realm. You can think of a “realm” as a particular Kerberos database or authentication domain, which contains validation data for users, services, and sometimes servers (known as “principals”).
For example, a realm contains principals’ private keys, which are the result of a one-way function applied to passwords. Service principals are generally based on randomly generated secrets rather than passwords.

Here are examples of realm and principal names; note that realm names are capitalized by convention to distinguish them from DNS domain names:
• Realm: MYREALM.EXAMPLE.COM
• User principal: smitty@MYREALM.EXAMPLE.COM
• Service principal: afpserver/anothername.example.com@MYREALM.EXAMPLE.COM

There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to Kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service. The following illustration summarizes these activities. Note that the service and the client in this picture may be the same entity (such as login window) or two different entities (such as a mail client and the mail server).

[Illustration: Client, Key Distribution Center (KDC), and Kerberized service, with the exchange numbered 1 through 6]

1 The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with realms to access authentication data. This is the only step in which passwords and associated password policy information needs to be checked.
2 The KDC issues the client a ticket-granting ticket, the credential needed when the client wants to use Kerberized services. The ticket-granting ticket is good for a configurable period of time, but can be revoked before expiration. It is cached on the client until it expires.
3 The client contacts the KDC with the ticket-granting ticket when it wants to use a particular Kerberized service.
4 The KDC issues a ticket for that service.
5 The client presents the ticket to the service.
6 The service verifies that the ticket is valid.
If the ticket is valid, usage of the service is granted to the client if the client is authorized to use the service. (Kerberos only authenticates clients; it does not authorize them to use services. An AFP server, for example, needs to consult a user’s account in a directory domain to obtain the UID.) The service uses information in the ticket if required to retrieve additional information about the user from a directory domain. Note that the service does not need to know any password or password policy information. Once a ticket-granting ticket has been obtained, no password information needs to be provided.

For more information on Kerberos, go to the MIT Kerberos home page: web.mit.edu/kerberos/www/index.html

Integrating Mac OS X With a Kerberos Server

To integrate Mac OS X with a Kerberos server:
1 Make sure that one or more realms supported by your Kerberos server contain information for all the users to be validated using Kerberos and for all the Mac OS X Kerberized services they will use. The Kerberos principal name must be the same as the short name in the user’s directory domain account.
2 Create user accounts for each of the same users in directory domains accessible from Mac OS X computers on which Kerberized services will be used. Set the password type to Basic, and specify passwords that will never be used to authenticate the users. Kerberized services on Mac OS X computers retrieve user accounts by extracting the user name part of the principal out of the KDC certificate, which is passed to directory services to find the account.
3 Before enabling Kerberos for a specific Kerberized service, create one or more principals in the KDC for it, save the shared secrets into a keytab file, and copy the keytab file from the KDC to /etc/krb5.keytab on your Mac OS X Server. Use the kadmin command-line tool to create principals and a keytab file, and use a file sharing protocol to transfer the keytab file from the Kerberos server to Mac OS X Server.
FTP or SCP (secure copy over SSH) is most likely to be present on the KDC. Keytab files are sensitive, because they contain information used to determine whether a client or service is trustworthy.
4 On Mac OS X Server, place the edu.mit.Kerberos configuration file in /Library/Preferences/. This file is not sensitive, so it can be placed on a guest-accessible volume. This file must also reside in /Library/Preferences/ in the home directory of users you want to authenticate using Kerberos.
5 Enable individual services (mail, AFP, and FTP) and clients (login window, AFP client, mail client) to support Kerberos authentication.
6 Make sure that users you want authenticated using Kerberos are in the search path of the server hosting the Kerberized services.

Enabling Kerberos Authentication for Mail

Use Server Settings to enable mail server support for Kerberos. See “Requiring or Allowing Kerberos Authentication” on page 381 for details.

To enable mail client support, set up Mac OS X Mail application account preferences to use Kerberos V5 authentication. Also make sure that edu.mit.Kerberos resides in /Library/Preferences/ on the user’s computer.

Enabling Kerberos Authentication for AFP

Use Server Settings to enable AFP server support for Kerberos. See Chapter 5, “File Services,” for details. AFP client has no special requirements beyond access to /Library/Preferences/edu.mit.Kerberos.

Enabling Kerberos Authentication for FTP

Use Server Settings to enable FTP server support for Kerberos. See Chapter 5, “File Services,” for details.

Enabling Kerberos Authentication for Login Window

In addition to access to /Library/Preferences/edu.mit.Kerberos, login window depends on these settings in /etc/authorization:
system.login.done
eval
switch_to_user,krb5auth:login

Enabling Kerberos Authentication for Telnet

To set up Telnet support, edit the /etc/inetd.conf file to enable Telnet.
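The six-step exchange described under “Understanding Kerberos,” modelled in Python as an added example that is neither Apple’s nor MIT’s code. Kerberos encrypts tickets with symmetric keys; here tickets are sealed with an HMAC tag instead, so only who can mint and verify a ticket is modelled, not confidentiality. The realm, principals, password, keytab handling and the directory used for the authorization step are all constructed, and the 5-minute clock-skew limit from the troubleshooting tips later in this chapter is enforced.

```python
"""Toy model of the six Kerberos steps: password checked once at the KDC,
TGT issued and cached, service ticket minted under the service's secret,
service verifies it with its keytab and then authorizes via the directory.
Added example; tickets are sealed with HMAC tags rather than encrypted."""
import hashlib
import hmac
import json
import secrets

REALM = "MYREALM.EXAMPLE.COM"   # realm names are capitalized by convention
MAX_CLOCK_SKEW = 300            # 5 minutes: a larger difference makes authentication fail
TGT_LIFETIME = 8 * 3600         # configurable lifetime of a ticket-granting ticket


def password_key(password: str) -> bytes:
    """A user principal's private key: a one-way function of the password (constructed)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def seal(key: bytes, payload: dict) -> str:
    """Serialize a ticket and attach a tag that only a holder of `key` can mint or check."""
    body = json.dumps(payload, sort_keys=True)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def open_sealed(key: bytes, ticket: str, now: float) -> dict:
    """Verify the tag and the lifetime; raise PermissionError otherwise."""
    body, tag = ticket.rsplit("|", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket was not issued under this key")
    payload = json.loads(body)
    if now >= payload["expires"]:
        raise PermissionError("ticket expired")
    return payload


def client_proof(password: str, client_now: float) -> str:
    """Step 1 from the client side: the only point at which the password is used."""
    stamp = repr(client_now)
    return stamp + "|" + hmac.new(password_key(password), stamp.encode(), hashlib.sha256).hexdigest()


class KDC:
    """Key Distribution Center holding the realm's principals and their keys."""

    def __init__(self, user_passwords: dict) -> None:
        self.tgs_key = secrets.token_bytes(32)   # key of the ticket-granting service
        self.users = {f"{name}@{REALM}": password_key(pw) for name, pw in user_passwords.items()}
        self.services: dict = {}                 # service principal -> randomly generated secret

    def add_service(self, principal: str) -> bytes:
        """Create a service principal; the returned secret is what goes into the keytab."""
        self.services[principal] = secrets.token_bytes(32)
        return self.services[principal]

    def authenticate(self, principal: str, proof: str, kdc_now: float) -> str:
        """Steps 1 and 2: check the password-derived proof, then issue a TGT."""
        key = self.users.get(principal)
        if key is None:
            raise PermissionError("unknown user principal")
        stamp, tag = proof.split("|", 1)
        if abs(kdc_now - float(stamp)) > MAX_CLOCK_SKEW:
            raise PermissionError("clock skew between client and KDC too large")
        if not hmac.compare_digest(tag, hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()):
            raise PermissionError("bad password")
        return seal(self.tgs_key, {"principal": principal, "expires": kdc_now + TGT_LIFETIME})

    def service_ticket(self, tgt: str, service: str, kdc_now: float) -> str:
        """Steps 3 and 4: a valid TGT, not a password, buys a ticket for one service."""
        who = open_sealed(self.tgs_key, tgt, kdc_now)["principal"]
        if service not in self.services:
            raise PermissionError("unknown service principal")
        return seal(self.services[service],
                    {"principal": who, "service": service, "expires": kdc_now + 3600})


class KerberizedService:
    """A Kerberized service with its keytab secret; it never sees any password."""

    def __init__(self, principal: str, keytab_key: bytes, directory: dict) -> None:
        self.principal, self.keytab_key, self.directory = principal, keytab_key, directory

    def accept(self, ticket: str, service_now: float) -> int:
        """Steps 5 and 6: verify the ticket, then authorize against the directory domain."""
        payload = open_sealed(self.keytab_key, ticket, service_now)
        if payload["service"] != self.principal:
            raise PermissionError("ticket is for a different service")
        short_name = payload["principal"].split("@", 1)[0]   # user part of the principal
        if short_name not in self.directory:                 # authenticated, but not authorized
            raise PermissionError("no directory account for " + short_name)
        return self.directory[short_name]                    # e.g. the UID an AFP server needs


def run_exchange(kdc, service, principal, password, client_now, kdc_now, service_now) -> int:
    """Whole exchange; the three clocks are separate so skew can be demonstrated."""
    tgt = kdc.authenticate(principal, client_proof(password, client_now), kdc_now)
    ticket = kdc.service_ticket(tgt, service.principal, kdc_now)   # TGT reused, no password
    return service.accept(ticket, service_now)
```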
Solving Problems With Kerberos

See “Kerberos Users Can’t Authenticate” on page 204 for troubleshooting tips.

Using LDAP Bind Authentication

When you use this password validation technique, you rely on an LDAPv2 or LDAPv3 server to authenticate a user’s password. Because it supports the Secure Sockets Layer (SSL) protocol, LDAPv3 is preferred.

You can use Workgroup Manager to enable the use of LDAP bind authentication for user accounts stored in a NetInfo or LDAPv3 directory domain.

To enable LDAP bind user authentication using Workgroup Manager:
1 Make sure the account for a user whose password you want to validate using LDAP bind resides on an LDAPv3 server in the search path of the Mac OS X computer that needs to validate the password. See Chapter 2, “Directory Services,” for information about configuring LDAPv3 server connections. Avoid mapping the password attribute when configuring the connection; bind authentication will occur automatically. Also, set up the connection so it uses SSL in order to protect the password, passed in clear text, while it is in transit.
2 In Workgroup Manager, open the account you want to work with if it is not already open. To open an account, click the Account button, then use the At pop-up menu to open the LDAPv3 directory domain where the user’s account resides. Click the lock to be authenticated, then select the user in the user list.
3 On the Advanced tab, choose Basic from the “Use Password Type” pop-up menu.
4 On the Basic tab, make sure the Password field is empty.

Backing Up and Restoring Files

Regularly back up your Password Server as well as your root and administrator user accounts.

Backing Up a Password Server

Back up your Password Server frequently. When you do so, also back up any directory domain(s) that use the Password Server:
• To back up a Password Server, back up these two files: /var/db/authserver/authservermain and /var/db/authserver/authserverfree.
Make sure that your Password Server backup files are as carefully secured as the computer hosting your Password Server.
• See Chapter 2, “Directory Services,” for information on backing up directory domains. If you restore the Password Server, make sure you also restore the corresponding directory domains at the same time.

Backing Up Root and Administrator User Accounts

System files are owned by root or system administrator user IDs that exist at the time they are created. Should you need to restore system files, the same IDs should exist on the server so that the original permissions are preserved. To ensure that you can recreate these user IDs, periodically export the server’s user and group information to a file as “Importing and Exporting User and Group Information” on page 178 describes.

Supporting Client Computers

Validating Windows User Passwords

Using the Password Server is recommended for validating passwords of Windows users supported by your server. Windows users supported by Mac OS X Server 10.1 and earlier were optionally authenticated using Authentication Manager, which offered encrypted password support. If you export users such as these and import them, Basic password validation is assumed and the Authentication Manager information is lost. You need to reset the passwords for such users before they can be used with certain network protocols.

Setting Up Search Policies on Mac OS X Client Computers

Mac OS X client computer search policies must be set up so that accounts and shared resources (such as network file servers and printers) are visible from the Mac OS X computer. See Chapter 2, “Directory Services,” for client configuration options and instructions.

Solving Problems

Follow the suggestions in this section when problems with user and group account administration arise.
You Can’t Modify an Account Using Workgroup Manager

Before you can modify an account using Workgroup Manager:
• You must be a domain administrator for any Apple directory domain storing the account.
• The directory domain must be a NetInfo or LDAPv3 directory domain. Only these domains can be updated using Workgroup Manager.

A Password Server User’s Password Can’t Be Modified

Before you can modify the password of a user whose password is validated using a Password Server, you must
• be a domain administrator for the directory domain storing the user’s account
• have your own password validated by the same Password Server

Users Can’t Log In or Authenticate

Try these techniques to determine whether the source of the authentication problem is configuration or the password itself:
• Reset the password to a known value, then determine whether there is still a problem. Try using a 7-bit ASCII password, which is supported by most clients.
• If a Password Server is being used for the user and it is not set up to support the authentication protocol needed by the user’s client, you can use Open Directory Assistant to enable additional Password Server protocols. You may need to reset the user’s password after changing the Password Server configuration.
• Basic authentication does not support many authentication protocols. To increase the possibility that a user’s client applications will be supported, use the Password Server or suggest that the user try a different application.
• For Kerberos troubleshooting tips, see “Kerberos Users Can’t Authenticate” on page 204.
• If a Password Server or non-Apple directory server used for password validation is not available, reset the user’s password to use a server that is available.
• Make sure that the password contains characters supported by the authentication protocol. Leading, embedded, and trailing spaces as well as special characters (for example, option-8) are not supported by some protocols.
For example, leading spaces work over POP or AFP, but not over IMAP.
• Make sure that the keyboard being used by the user supports the characters necessary for authentication.
• Make sure the client software encodes the password so that it is recognized correctly. For example, Password Server recognizes UTF-8 encoded strings, which may not be sent by some clients.
• Make sure that the client being used by the user supports the password length. For example, LAN Manager only supports 14-character passwords, so passwords longer than 14 characters would cause an authentication failure even though Mac OS X Server’s Windows service supports longer passwords.
• If an AFP client prior to version 3.8.3 fails to authenticate, use AFP 2-Way Random authentication in Password Server for these older clients.

You Can’t Assign Server Administrator Privileges

In order to assign server administrator privileges to a user for a particular server, first log in to that server in Workgroup Manager.

Users Can’t Access Their Home Directories

Make sure that users have access to the share point in which their home directories are located and to their home directories. Users need Read access to the share point and Read & Write access to their home directories.

Mac OS X User in Shared NetInfo Domain Can’t Log In

This problem occurs when a user tries to log in to a Mac OS X computer using an account in a shared NetInfo domain, but the server hosting the domain isn’t accessible. The user can log in to the Mac OS X computer by using the local user account created automatically when he or she set up the computer to use a NetInfo account. The user name is “administrator” (short name is “admin”) and the password is the NetInfo password.

Kerberos Users Can’t Authenticate

When a user or service that uses Kerberos experiences authentication failures, try these techniques:
• Kerberos behavior is based on encrypted timestamps.
If there’s more than 5 minutes difference between the KDC, client, and service computers, authentication may fail. Make sure that the clocks for all computers are synchronized using a network time server.
• If Kerberos is being used, make sure that Kerberos authentication is enabled for the service in question.
• If a Kerberos server used for password validation is not available, reset the user’s password to use a server that is available.
• Make sure that the server providing the Kerberized service has access to directory domains containing accounts for users who are authenticated using Kerberos. One way to do this is to use a shared directory domain on the KDC server that hosts user records that correspond to all the user principals.
• Refer to the KDC log (kdc.log) for information that can help you solve problems. Incorrect setup information such as wrong configuration file names can be detected using the logs.
• Make sure all your configuration files are complete and correct. For example, make sure the keytab file on your server has the principals of interest in it.

Chapter 4
Sharing

The Sharing module of Workgroup Manager lets you share information with clients of the Mac OS X Server and control access to shared information by assigning access privileges.

You share information by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items. Users see share points as volumes mounted on their desktops, and as volumes in the Finder in Mac OS X.

Setting up share points and assigning privileges is an integral part of setting up file services. See Chapter 5, “File Services.”

Privileges

Privileges define the kind of access users have to shared items. There are four types of privileges that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None.
The table below shows how the privileges affect user access to different types of shared items (files, folders, and share points). You can assign Write Only privileges to a folder to create a drop box. The folder’s owner can see and modify the drop box’s contents. Everyone else can only copy files and folders into the drop box, without seeing what it contains.

Users can                                          Read & Write   Read Only   Write Only   None
Open a shared file                                 Yes            Yes         No           No
Copy a shared file                                 Yes            Yes         No           No
Open a shared folder or share point                Yes            Yes         No           No
Copy a shared folder or share point                Yes            Yes         No           No
Edit a shared file’s contents                      Yes            No          No           No
Move items into a shared folder or share point     Yes            No          Yes          No
Move items out of a shared folder or share point   Yes            No          No           No

Note: QuickTime Streaming Server and WebDAV have their own privileges settings. For information about QTSS, refer to the QTSS online help and the QuickTime Web site (www.apple.com/quicktime/products/qtss/). You’ll find information on Web privileges in “Understanding WebDAV” on page 339.

Explicit Privileges

Share points and the shared items contained in share points (including both folders and files) have their own individual privileges. If you move an item to another folder, it retains its own privileges and doesn’t automatically adopt the privileges of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned privileges that are different from those of their “parent” folders:

When new files and folders are created, however, they inherit the privileges of their parent folder. See “Privileges in the Mac OS X Environment” on page 207.

User Categories

You can assign access privileges separately to three categories of users:

Owner
A user who creates a new item (file or folder) on the file server is its owner and automatically has Read & Write privileges to that folder.
By default, the owner of an item and the server administrator are the only users who can change its access privileges—allow a group or everyone to use the item. The administrator can also transfer ownership of the shared item to another user.

Note: When you copy an item to a drop box on an Apple file server, ownership of that item is transferred to the owner of the drop box. This is done because only the owner of the drop box has access to items copied to it.

Group
You can put users who need the same access to files and folders into group accounts. Only one group can be assigned access privileges to a shared item. For more information on creating groups see Chapter 3, “Users and Groups.”

[Illustration for “Explicit Privileges”: the folders Engineering, Designs, and Documents, labeled Read & Write, Read Only, and Read & Write]

Everyone
Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.

Privileges Hierarchy

If a user is included in more than one category of users, each of which has different privileges, these rules apply:
• Group privileges override Everyone privileges.
• Owner privileges override Group privileges.

For example, when a user is both the owner of a shared item and a member of the group assigned to it, the user has the privileges assigned to the owner.

Client Users and Privileges

Users of AppleShare Client software can set access privileges for files and folders they own. Windows file sharing users can set folder properties, but not privileges.

Privileges in the Mac OS X Environment

If you are new to Mac OS X and are not familiar with UNIX, it is important to know that there are some differences from the Mac OS 9 environment in how ownership and privileges are handled. To increase security and reliability, Mac OS X sets many system directories, such as /Library, to be owned by the root user. Files and folders owned by root can’t be changed or deleted by you unless you are logged in as the root user.
Be careful when you log in as the root user since changing system data can cause problems.

As mentioned above, files and folders are, by default, owned by the user who created them. They inherit the privileges of the folder in which they are created. After they are created items keep their privileges even when moved, unless the privileges are explicitly changed by their owners or an administrator. Therefore new files and folders you create are not accessible by client users if they are created in a folder for which the users do not have privileges. When setting up share points, make sure that items allow appropriate access privileges for the users with whom you want to share them.

Network Globe Contents

You can customize the directory structure and contents of the Network Globe for clients by setting up automounting for share points. You can add system resources such as fonts and preferences by automounting share points in specific directory locations.

Share Points in the Network Globe

The Network globe on OS X clients represents the Darwin /Network directory. By default, the Network globe contains the following four folders:
• Applications
• Library
• Servers
• Users

You can mount share points into any of these folders. See “Automounting Share Points” on page 214 for instructions.

Static Versus Dynamic Linking

Share points can be automounted statically or dynamically. Statically mounted share points are mounted when the client computer starts up. A connection to the server is opened for static mounts during startup and remains open until the user shuts down the computer. Dynamically mounted share points are not mounted until the user opens the directory. Although an icon for the directory appears in the Network globe during startup, the actual connection to the server where the directory resides is not made until the user selects the icon and attempts to access the directory’s contents.
In both cases, when an automounted share point is defined on the server it is not available to a client computer until the client has restarted.

Adding System Resources to the Network Library Folder

This Library folder in the Network globe is included in the system search path. This gives you the ability to make available, from the network, any type of system resource that resides in the local Library folder. These resources could include fonts, application preferences, ColorSync profiles, desktop pictures, and so forth. OS X accesses the network Library folder before the local Library folder, so network resources with the same name take precedence.

You can use this capability to customize your managed client environment. For example, suppose you wish to have a specific set of fonts available to each user in a given Open Directory domain. You would create a share point containing the desired fonts and then set the share point to automount into the /Network/Library/Fonts folder on client machines. See “Automounting Share Points” on page 214 for instructions on setting up automounting.

Setup Overview

You use the Sharing module of Workgroup Manager to create share points and set privileges for them. Here is an overview of the basic steps for setting up sharing:

Step 1: Read “Before You Begin”
Read “Before You Begin” on page 209 for issues you should consider before sharing information on your network.

Step 2: Locate or create the information you want to share
Decide which volumes, partitions, folders, and CDs you want to share. You may want to move some folders and files to different locations before setting up sharing. You may want to partition a disk into volumes to give each volume different access privileges or create folders that will have different levels of access. See “Organize Your Shared Information” on page 210.
Step 3: Designate share points and set privileges
When you designate an item to be a share point, you set its privileges at the same time. You create share points and set privileges in the Sharing module of Workgroup Manager. See “Setting Up Sharing” on page 211.

Step 4: Turn file services on
In order for users to be able to access share points, you must turn on the Mac OS X Server file services. Turn on each file service that you use to share items. For example, if you use Apple File Protocol with your share point, you must turn on Apple File Server. You can share an item using more than one protocol. See Chapter 5, “File Services,” on page 221.

Before You Begin

Before you assign privileges, you need to understand how privileges for shared items work. Consider which users need access to shared items and what type of privileges you want those users to have. Privileges are described at the beginning of this chapter—see “Privileges” on page 205.

You also need to determine which protocols clients will use to access share points. In general, you will want to set up independent share points for each type of client, and share the item using a single protocol:
• Mac OS clients—Apple Filing Protocol (AFP)
• Windows clients—Server Message Block (SMB)
• FTP clients—File Transfer Protocol (FTP)
• UNIX clients—Network File System (NFS)

In some cases you will want to share an item using more than one protocol. If client users will be sharing files that have common formats across platforms, you will want to create a share point that supports users of each platform. For example, Mac OS and Windows users might want to share graphics or word processing files that can be used on either platform.

Conversely, you might want to set up share points using a single protocol even though you have different kinds of clients.
For example, if almost all of your clients are UNIX users and only a few use Mac OS, you may want to share items using NFS only, to keep your setup simple. Keep in mind, however, that Mac OS users then lose the AFP features that NFS does not provide, such as searching server contents with Sherlock, AFP's performance optimizations, and per-user authentication. See Chapter 5, "File Services," on page 221 for more information.

Organize Your Shared Information

Once you have created share points, users start to form "mental maps" of the share points you have set up and the items they contain. Changing share points and moving information around can cause confusion. If you can, organize the information before you start creating share points. This is especially important if you are setting up network home directories (see "Administering Home Directories" on page 155).

Windows Users

If you have Windows clients, set up at least one share point to be used only by your Windows users. This gives the Windows users a single point of access.

Security Issues

Security of your data and your network is critical. The most effective method of securing your network is to assign appropriate privileges to each file, folder, and share point as you create it. Be careful when creating and granting access to share points, especially if the server is connected to the Internet. Granting access to Everyone, or to World (in NFS service), can expose your data to anyone on the Internet.

NFS share points do not have the same level of security as AFP and SMB, which require user authentication (a user name and password) before a client can reach a share point's contents; NFS trusts the client computer's address instead. If you have NFS clients, consider setting up a share point to be used only by NFS users, so that this weaker protection applies only to what those clients need.

Restricting Access by Unregistered Users (Guests)

When you configure any file service, you have the option of turning on guest access.
Guests are users who connect to the server anonymously, without entering a valid user name or password. Users who connect anonymously are restricted to files and folders whose Everyone privileges allow access.

To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take these precautions in the Sharing module of Workgroup Manager (guest access itself is turned on or off per service in Server Settings):

• Share individual folders instead of entire volumes. The folders should contain only the items you want to share.
• Set the Everyone privilege to None for files and folders that guests should not access. Items with this setting can be accessed only by the item's owner or group.
• Put all files available to guests in one folder or set of folders. Assign the Read Only privilege to the Everyone category for that folder and for each file within it.
• Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in it. Keep a backup copy of the information in such a folder, since anyone who can reach the server can alter it.
• Check such folders frequently for changes and additions, and check the server for viruses regularly with a virus-protection program.
• Disable anonymous FTP access using the FTP module of Server Settings.
• Don't export NFS volumes to World. Restrict NFS exports to a specific set of computers.

Setting Up Sharing

This section describes how to create share points and set access privileges for them. It also tells you how to configure the different protocols (AFP, SMB, FTP, and NFS) that you use to share items and how to automount share points on clients' desktops. See "Managing Sharing" on page 215 for additional tasks you might perform after you have set up sharing on your server.

Creating Share Points and Setting Privileges

You designate volumes, partitions, folders, or CDs to be share points using the Sharing module of Workgroup Manager.
To create a share point and set privileges:

1 In Workgroup Manager, click the Sharing button.
2 Select the volume or folder in the All list that you want to make a share point.
3 Click the Sharing tab.
4 Select "Share the selection and its contents."

Change the owner and group of the shared item by typing names into those fields or by dragging names from the Users & Groups drawer. You can open the drawer by clicking "Users & Groups." Use the pop-up menus next to the fields to change the privileges for the Owner, Group, and Everyone.

Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors. If you don't want everyone to have access, set the Everyone privilege to None.

Note: Do not assign Write Only privileges to a file or to a share point itself; assign Write Only only to folders inside a share point. A Write Only file cannot be seen by users, and a Write Only share point hides its entire contents.

Click the Copy button to apply the ownership and privileges to all items (files and folders) contained within the share point. This overrides any privileges that other users may have set on those items, so review what the share point contains before you click it.

By default, the new share point is shared through the AFP, SMB, and FTP protocols. Use the Advanced pane to change these settings, to stop sharing over one of these protocols, or to export the item using NFS. If you intend to share the item over AFP only, turn off SMB and FTP sharing here; a running Windows or FTP service would otherwise serve the share point too. The Advanced settings are described in the following sections.

Configuring Apple File Protocol (AFP) Share Points

You can make share points available to Mac OS 8, Mac OS 9, and Mac OS X clients by sharing them using AFP.

To configure an AFP share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to share using AFP.
3 Click the Advanced tab and choose AFP Settings from the pop-up menu.
4 Select the "Share this item using Apple File Protocol" option.
5 Select "Allow AFP guest access" to allow clients to have guest access to this item.
For greater security, do not select this option; with guest access off, only registered users can reach the share point over AFP.
6 Select "AFP clients see custom name for this item" if you want the share point to appear with a name different from its real one.
7 Enter the name you want AFP users to see in the text field.
8 Click Save.

Configuring Server Message Block (SMB) Share Points

You can make share points available to Windows clients by sharing them using SMB.

To configure an SMB share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to share using SMB.
3 Click the Advanced tab and choose SMB Settings from the pop-up menu.
4 Select the "Share this item using Server Message Block" option.
5 Select "SMB clients see custom name for this item" if you want the item to appear with a name different from its real one.
6 Enter the name you want SMB users to see in the text field.
7 Click Save.

Configuring File Transfer Protocol (FTP) Share Points

You can make share points available to clients over the Internet by sharing them using FTP. Keep in mind that FTP sends user names, passwords, and file contents in clear text, so anything shared this way should be suitable for transfer over an untrusted network.

To configure an FTP share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to share using FTP.
3 Click the Advanced tab and choose FTP Settings from the pop-up menu.
4 Select the "Share this item using FTP" option.
5 Select "Allow FTP guest access" to allow FTP users with guest (anonymous) access to use this item. For greater security, do not select this option.
6 Select "FTP clients see custom name for this item" if you want the item to appear with a name different from its real one.
7 Enter the name you want FTP users to see in the text field.
8 Click Save.

Sharing (Exporting) Items Using Network File System (NFS)

You can export share points to UNIX clients using NFS. (Export is the NFS term for sharing.)

To export an item using NFS:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to share using NFS.
3 Click the Advanced tab and choose NFS Export Settings from the pop-up menu.
4 Select "Export this item and its contents to" to export the item using NFS.
5 Use the pop-up menu to select who can use this information: Client or World.
By default, NFS exports to the client address 127.0.0.1, the loopback address of the server itself, so a new export is reachable by no other computer until you add clients. This prevents you from inadvertently exporting a folder to World. For greater security, do not export to World.
6 Click Add to specify the clients that can receive this export.
7 In the text box that appears, type the IP address or host name to add the client to the "Computer or Netgroup" list. An IP address is the more reliable choice; a host name makes the access decision depend on DNS.
8 Select "Map Root user to nobody" if you want requests arriving as "root" from a client to be treated as the unprivileged user nobody on the server, so that a client's root user gets only the privileges granted to Everyone. Leave this selected unless a specific export requires otherwise (see "Resharing NFS Mounts as AFP Share Points" on page 215).
9 Select "Map All users to nobody" if you want every client user to be treated as nobody, with only the privileges granted to Everyone.
10 Select "Read-only" if you don't want client users to be able to modify the contents of the shared item in any way. This overrides any other privileges set for the shared item. For example, if you give the Everyone category Read & Write privileges for the item (a setting in the General tab), you can still define it as an NFS export to World with Read-only privileges.
11 Click Save.

Automounting Share Points

Automount lets share points appear automatically on client computers, either when the computers start up or in their /Network/Servers folders. You can use the automount feature with AFP or NFS.

When you configure a share point to mount automatically, a mount record is created in the Open Directory database. You should publish automounts in the same shared domain in which the user records exist. This ensures that users will always have access to the share point. Be sure to enable guest access both for the share point and for the protocol under which it is shared: an automount is established without any user's credentials, so the client connects as a guest.
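The NFS checklist in steps 5 through 10 above (no World exports, a named client list, root mapped to nobody, Read-only where possible) is easy to drift from as exports accumulate. The following Python script is an added example, not code from this guide or from Mac OS X Server, that audits export definitions against that checklist. Workgroup Manager in this release keeps NFS exports as records in the directory domain; the script instead reads lines in the BSD exports(5) syntax, used here only as a compact text form of the same fields. In that syntax an absent -maproot already maps root to nobody, so the GUI's "Map Root user to nobody" box left unchecked corresponds to an explicit -maproot=root, and a line with no host or -network restriction is a World export. The sample lines and the reshare_host parameter (the single AFP server that the "Resharing NFS Mounts as AFP Share Points" section allows a root-to-root export for) are constructed for the example.

```python
"""Audit NFS export definitions against this chapter's checklist.

Added example; not code from the Mac OS X Server guide. Exports are given in
BSD exports(5) syntax purely as a text representation of the Workgroup
Manager fields: client list (or World), Map Root user to nobody, Map All
users to nobody, Read-only.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Export:
    path: str
    clients: List[str] = field(default_factory=list)  # IPs, host names, -network=/-mask= specs
    read_only: bool = False
    root_maps_to: str = "nobody"   # exports(5) default: root on the client becomes nobody
    all_map_to: Optional[str] = None

    @property
    def world(self) -> bool:
        # No client restriction of any kind is what Workgroup Manager calls "World".
        return not self.clients


def parse_export(line: str) -> Export:
    """Parse one line such as '/Volumes/Data -ro -maproot=nobody 10.0.1.5 10.0.1.6'."""
    tokens = shlex.split(line)
    exp = Export(path=tokens[0])
    for tok in tokens[1:]:
        if tok == "-ro":
            exp.read_only = True
        elif tok.startswith("-maproot="):
            exp.root_maps_to = tok.split("=", 1)[1]
        elif tok.startswith("-mapall="):
            exp.all_map_to = tok.split("=", 1)[1]
            exp.root_maps_to = exp.all_map_to      # -mapall covers root as well
        elif tok.startswith(("-network=", "-mask=")):
            exp.clients.append(tok)                # a subnet is still a restriction
        elif tok.startswith("-"):
            continue                               # -alldirs and friends: not relevant here
        else:
            exp.clients.append(tok)
    return exp


def lint_export(exp: Export, reshare_host: Optional[str] = None) -> List[str]:
    """Return the findings for one export. reshare_host is the single AFP server,
    if any, that is allowed a root-to-root export for resharing over AFP."""
    findings: List[str] = []
    if exp.world:
        findings.append("exported to World: any host that can reach the server may mount it")
        if not exp.read_only:
            findings.append("World export is writable")
    if exp.root_maps_to in ("root", "0"):
        if not (reshare_host and exp.clients == [reshare_host]):
            findings.append("root on the client is root on the export ('Map Root user to nobody' is off)")
    named = [c for c in exp.clients if not c.startswith("-")]
    addrs = []
    for client in named:
        try:
            addrs.append(ipaddress.ip_address(client))
        except ValueError:
            findings.append(f"client {client!r} is a host name: the access decision now depends on DNS")
    if addrs and len(addrs) == len(named) and all(a.is_loopback for a in addrs):
        findings.append("exported only to the loopback address (the default): no client can mount it")
    return findings


def lint_exports(lines: List[str], reshare_host: Optional[str] = None) -> Dict[str, List[str]]:
    """Lint every non-blank, non-comment line; the result is keyed by exported path."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        exp = parse_export(line)
        result[exp.path] = lint_export(exp, reshare_host)
    return result


# Constructed sample, not taken from any real server.
SAMPLE_EXPORTS = [
    "# NFS exports as Workgroup Manager would define them (constructed)",
    "/Volumes/Data -ro -maproot=nobody 10.0.1.5 10.0.1.6",   # clean
    "/Volumes/Public -ro",                                    # World, read-only
    "/Volumes/Scratch -maproot=root",                         # World, writable, root-to-root
    "/Volumes/Home -maproot=root 10.0.1.20",                  # root-to-root for one AFP reshare server
    "/Volumes/Build -ro build.example.com",                   # client named by host name
    "/Volumes/Local -ro 127.0.0.1",                           # still at the 127.0.0.1 default
]

if __name__ == "__main__":
    for path, findings in lint_exports(SAMPLE_EXPORTS, reshare_host="10.0.1.20").items():
        print(path, "->", findings or ["ok"])
```

Run without reshare_host, /Volumes/Home is flagged for root-to-root; with reshare_host="10.0.1.20" that single-client export passes, which is exactly the exception the resharing procedure relies on.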
Note: Automounted share points become available to clients only after their computers restart.

To automount a share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to automount.
3 Click the Advanced tab and choose Automount Settings from the pop-up menu.
4 Select "Automount to client in domain."
5 Use the pop-up menu to choose the shared directory domain to which you want to publish (automount) this item. The share point will be mounted automatically on any computer configured to use that shared domain.
6 Enter your user name and password.
Note: You must be authorized (have write privileges) to change the domain.
7 After you are authenticated, click "Automount this item to clients in domain."
8 For the Mount option:
Choose "dynamically in Network/Servers" if you want client users to see share points in the /Network/Servers folder of their computers. When a user selects a share point in that folder, it is mounted on the user's computer. Choose this option for home directories.
Choose "statically in" if you want the share point to mount automatically when the client computer starts up, and enter the location in the client's directory hierarchy where you want the item to appear. The share point appears as a folder in the location you specify.
9 For the "Mount using" option, choose whether you want to automount the share point using AFP or NFS.
10 Click Save.

Resharing NFS Mounts as AFP Share Points

Resharing NFS mounts (NFS volumes that have been exported to the Mac OS X Server) as AFP share points lets clients reach NFS volumes through the authenticated AFP connection instead of NFS's address-based trust. Resharing NFS mounts also allows Mac OS 9 clients to access NFS file services on traditional UNIX networks.

To reshare an NFS mount as an AFP share point:

1 From the NFS server, export the directories you want to reshare to the Mac OS X Server.
Since AFP runs as root, the NFS export must map root to root so that the AFP server can read the files on behalf of its clients. This export therefore gives the AFP server full root access to the exported directories, so restrict it to the single AFP server (which the NFS server sees as a client), and consider placing the AFP-to-NFS connection on a private network so that no other host can claim that address.
2 On the AFP server, create a mount record that mounts the reshared volumes in the /nfsreshare directory.
3 Use the Sharing module in Workgroup Manager to share the NFS mounts as AFP share points. The NFS mounts appear as normal volumes in the All list. (You can also share the NFS mounts using SMB and FTP, but it is recommended that you use only AFP.)
You can change privileges and ownership but not enable quotas (quotas work only on local volumes). If quotas are enabled on the NFS server, however, they should apply to the reshared volume as well.

Managing Sharing

This section describes tasks you might perform after you have set up sharing on your server. Setup information appears in "Setting Up Sharing" on page 211.

Turning Sharing Off

Because sharing is not a service, you cannot turn sharing on and off on a Mac OS X Server. You "turn sharing off" by no longer sharing an item. You can also remove the share point or stop the file service that clients are using to access the share point.

To stop sharing an item:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the item you want to stop sharing.
3 Click the Advanced tab and choose the protocol used to share the item.
4 Deselect the "Share this item" option. To completely stop sharing an item, repeat steps 3 and 4 for each protocol you used to share the item.
5 Click Save.

Removing a Share Point

To "remove a share point" is to stop sharing a volume or folder. You may want to notify users that you are removing a share point so that they know why it is no longer available.

To remove a share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the share point you want to remove.
3 In the Sharing pane, deselect the "Share the selection and its contents" option. Any Advanced and Automount settings that you have configured for the item are discarded.

Browsing Server Disks

You can view the folders (but not files) located on servers using the Sharing module of Workgroup Manager.

To browse the folders on a share point or server:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab to browse the folders of shared items, or click the All tab to browse all the folders on the local server.

Viewing Share Points

Workgroup Manager lets you view all volumes and folders on a server or just the share points.

To view share points on a server:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab.

Copying Privileges to Enclosed Items

When you set the privileges for a share point, volume, or folder, you can copy the ownership and privileges to all the items it contains. This replaces whatever privileges users have set on their own items inside it, so check the contents first.

To copy privileges:

1 In Workgroup Manager, click Sharing.
2 Select the item whose privileges you want to propagate. To see shared items, select the Share Points tab. To see all volumes and folders on the server, select the All tab.
3 Click Copy.

Viewing Share Point Settings

You use Workgroup Manager to view the sharing and privilege settings for a share point.

To view sharing and privileges for a share point:

1 In Workgroup Manager, click Sharing.
2 Select the Share Points tab and select the share point you want to view.
3 Select the Sharing tab.

Changing Share Point Owner and Privilege Settings

You use Workgroup Manager to view and change the owner and privileges for a share point.

To change privileges for a share point:

1 In Workgroup Manager, click Sharing.
2 Select the Share Points tab and select the share point you want to update.
3 Select the Sharing tab.
Change the owner and group of the shared item by typing names into those fields, or by dragging names from the Users & Groups drawer. You can open the drawer by clicking "Users & Groups." Use the pop-up menus next to the fields to change the privileges for the Owner, Group, and Everyone. Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors.

Changing the Protocols for a Share Point

You use the Advanced pane of Workgroup Manager to change the protocols for a share point.

To change the protocols for a share point:

1 In Workgroup Manager, click Sharing.
2 Select the share point you want to change. Select the Share Points tab to see shared items.
3 Select the Advanced tab.
4 Use the pop-up menu to choose the protocol settings you want to change. See the following sections for descriptions of the protocol settings:
• "Configuring Apple File Protocol (AFP) Share Points" on page 212
• "Configuring Server Message Block (SMB) Share Points" on page 212
• "Configuring File Transfer Protocol (FTP) Share Points" on page 213
• "Sharing (Exporting) Items Using Network File System (NFS)" on page 213

Deleting an NFS Client from a Share Point

You use the Advanced pane of Workgroup Manager to delete an NFS client from a share point.

To delete an NFS client from a share point:

1 In Workgroup Manager, click Sharing.
2 Click the Share Points tab and select the NFS share point you want to change.
3 Click the Advanced tab and choose NFS Export Settings from the pop-up menu.
4 Select an IP address from the list and click Remove.
5 Click Save.

Creating a Drop Box

A drop box is a shared folder that you set up so that others can write to it but not read its contents.

Note: Create drop boxes only within AFP share points. AFP is the only protocol that automatically changes the owner of an item placed in a drop box to the owner of the drop box.
With other protocols, the item keeps the depositing user's ownership, even though that user can no longer reach it inside the drop box.

To create a drop box:

1 If the folder you want to make into a drop box doesn't exist, create it within an AFP share point.
2 In Workgroup Manager, click Sharing.
3 Select Share Points and select the folder you want to use as a drop box.
4 Select the Sharing tab.
5 Set "Write Only" privileges for the users you want to have access to the drop box.
To create a drop box for a select group of users, enter the group name (or drag the group from the Users & Groups drawer) and choose "Write Only" privileges from the Group pop-up menu.
To create a drop box for all users, choose "Write Only" privileges from the Everyone pop-up menu. (For greater security, do not allow access to everyone; assign "None" for the Everyone privileges.)
6 Click Save.

Supporting Client Computers

Users can set some privileges for files or folders that they create on the server or in shared folders on their desktops. Users of AppleShare client software can set access privileges for folders they own. Windows file sharing users can set folder properties, but not privileges.

Solving Problems

Users Can't Access a CD-ROM Disc
• Make sure the CD-ROM disc is a share point.
• If you share multiple CDs, make sure each CD is shared using a unique name in the Sharing pane.

Users Can't Find a Shared Item
• If a user can't find a shared item, check the access privileges for the item. The user must have Read access privileges to the share point where the item is located and to each folder in the path to the item.
• Keep in mind that server administrators don't see share points the same way a user does over AFP, because administrators see everything on the server. To see share points from a user's perspective, log in using that user's name and password.
• Although DNS is not required for file services, an incorrectly configured DNS can cause a file service to fail.
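The "Users Can't Find a Shared Item" check above is mechanical: the user needs Read on the share point and on every folder down to the item, evaluated in the privilege category that applies to that user (Owner first, then Group, then Everyone). The following Python module is an added example, not part of this guide or of Mac OS X Server, that performs that walk over a constructed folder tree, shows the drop box and Write Only share point cases from earlier in the chapter, and lists what the Everyone category exposes for the guest-access checklist. It models Workgroup Manager's privilege labels on POSIX mode bits (for folders Read Only = r-x, Write Only = -wx, Read & Write = rwx, None = ---; for files r--, -w-, rw-, ---), which is an assumption made for the example; the tree, users and group memberships are constructed, not read from a server.

```python
"""Why can't this user find (or see inside) a shared item?

Added example; not code from the Mac OS X Server guide. Models Workgroup
Manager's privilege categories on POSIX mode bits and walks a path the way
the file server evaluates it. The folder tree below is constructed in memory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Workgroup Manager labels for the rwx bits of one category (assumed mapping for this example).
FOLDER_LABELS = {0o0: "None", 0o5: "Read Only", 0o3: "Write Only", 0o7: "Read & Write"}
FILE_LABELS = {0o0: "None", 0o4: "Read Only", 0o2: "Write Only", 0o6: "Read & Write"}


@dataclass
class Node:
    owner: str
    group: str
    mode: int                                     # e.g. 0o755
    children: Optional[Dict[str, "Node"]] = None  # None marks a file


@dataclass
class User:
    name: str
    groups: Set[str]


def category_bits(node: Node, user: User) -> int:
    """Owner, then Group, then Everyone: the first matching category decides."""
    if user.name == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in user.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def privilege_label(node: Node, user: User) -> str:
    table = FILE_LABELS if node.children is None else FOLDER_LABELS
    return table.get(category_bits(node, user), "Custom")


def can_read(node: Node, user: User) -> bool:
    """Read Only on a folder needs r and x (to list it and enter it); a file needs r."""
    need = 0o5 if node.children is not None else 0o4
    return category_bits(node, user) & need == need


def can_write(node: Node, user: User) -> bool:
    """Adding to a folder needs w and x; changing a file needs w."""
    need = 0o3 if node.children is not None else 0o2
    return category_bits(node, user) & need == need


def diagnose(share_point: Node, path: str, user: User) -> str:
    """The 'Users Can't Find a Shared Item' check: Read is required on the share
    point and on every folder in the path. Returns a one-line verdict."""
    parts = [p for p in path.strip("/").split("/") if p]
    node, walked = share_point, ""
    for depth, part in enumerate([None] + parts):
        if part is not None:
            if node.children is None or part not in node.children:
                return f"no item named {part!r} in {walked or 'the share point'}"
            node = node.children[part]
            walked = f"{walked}/{part}"
        is_last = depth == len(parts)
        if node.children is not None and not is_last and not can_read(node, user):
            where = walked or "the share point"
            return f"{user.name} has {privilege_label(node, user)} on {where}: items inside are hidden"
    return f"{user.name} has {privilege_label(node, user)} on {walked or 'the share point'}"


def open_to_everyone(node: Node, path: str = "") -> List[str]:
    """Items a guest could reach: everything whose Everyone category is not None."""
    table = FILE_LABELS if node.children is None else FOLDER_LABELS
    label = table.get(node.mode & 0o7, "Custom")
    found = [f"{path or '/'}: Everyone = {label}"] if label != "None" else []
    for name, child in (node.children or {}).items():
        found.extend(open_to_everyone(child, f"{path}/{name}"))
    return found


# Constructed share point: Read Only for everyone at the top, a group-only project
# tree, a drop box (Write Only for group and everyone) and one public file.
SHARE = Node("admin", "staff", 0o755, {
    "Projects": Node("admin", "design", 0o750, {
        "Q3": Node("admin", "design", 0o770, {
            "report.doc": Node("admin", "design", 0o660),
        }),
    }),
    "Dropbox": Node("admin", "staff", 0o733, {}),
    "readme.txt": Node("admin", "staff", 0o644),
})
WRITE_ONLY_SHARE = Node("admin", "staff", 0o733, {"readme.txt": Node("admin", "staff", 0o644)})
ALICE = User("alice", {"staff", "design"})
BOB = User("bob", {"staff"})
GUEST = User("guest", set())

if __name__ == "__main__":
    print(diagnose(SHARE, "Projects/Q3/report.doc", ALICE))
    print(diagnose(SHARE, "Projects/Q3/report.doc", BOB))
    print(diagnose(SHARE, "Dropbox/secret.doc", GUEST))
    print(diagnose(WRITE_ONLY_SHARE, "readme.txt", BOB))
    print(*open_to_everyone(SHARE), sep="\n")
```

The verdicts follow the chapter's rules: bob, who is not in the design group, is stopped at /Projects even though the file itself would grant him nothing anyway; a guest can drop into /Dropbox but cannot see what is in it; and a Write Only share point hides everything, which is the situation described under "Users Can't See the Contents of a Share Point."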
Users Can't See the Contents of a Share Point
• If you set Write Only access privileges on a share point, users won't be able to see its contents.

Chapter 5 File Services

File services enable clients of the Mac OS X Server to access files, applications, and other resources over a network. Mac OS X Server includes four distinct file services:

• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• Windows services use the Server Message Block (SMB) protocol to let you share resources with clients who use Windows or Windows-compatible operating systems, and to provide name resolution service for Windows clients.
• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).

The following applications help you set up and manage file services:

• Server Settings: configure and turn file services on and off
• Workgroup Manager: share information and set access privileges
• Server Status: monitor the status of file services

Before You Begin

Before you start setting up file services, determine which of the file services you need. In general, turn on and configure the file services needed to support your clients, and no others, since every running service is reachable from the network:

• Apple file service for Mac OS clients
• Windows services for Windows clients
• FTP service for clients using FTP to connect via the Internet
• NFS service for UNIX clients

You must configure and turn on file services for clients to be able to access shared information (the volumes and folders that you designate as share points), as described in Chapter 4, "Sharing." You must also turn on Windows services if you want to share network printers using Windows Printing (SMB). Print service is described in Chapter 7, "Print Service," on page 315.
For descriptions of the file services, see

• "Apple File Service" on page 224
• "Windows Services" on page 235
• "File Transfer Protocol (FTP) Service" on page 244
• "Network File System (NFS) Service" on page 256

Security Issues

Security of your data and your network is the most critical issue to consider when setting up your file services. The most important protection for your server is how you set the privileges for individual files. In Mac OS X, every file has its own privilege settings, independent of the privileges of its parent folder. Users can set privileges for files and folders they place on the server, and the server administrator can do the same for share points. See "Privileges" on page 205.

Allowing Access to Registered Users Only

If you do not want to allow guests to access your server, make sure guest access is turned off for each file service. If you see a checkmark next to Allow Guest Access in the AFP or SMB Access settings, guest access is turned on for that service. For FTP, guest access is called "anonymous" access. Click the box to remove the checkmark and turn guest (or anonymous) access off. Check each service separately; turning guest access off for AFP does nothing for SMB or FTP.

AFP also lets you control guest access for individual share points, if you allow guest access for the service. See "Configuring Apple File Protocol (AFP) Share Points" on page 212.

The equivalent of guest access for NFS service is exporting a shared item to World. Unlike guest access, which you set when configuring a service, exporting to World is an option you set when sharing an item. See "Sharing (Exporting) Items Using Network File System (NFS)" on page 213.

Note: NFS lacks user authentication. NFS service grants access to shared information based on the client computer's IP address.
This is a weaker safeguard against unauthorized access than the authentication used by the other file services, which require users to enter a user name and password: any host that can present an allowed address, legitimately or not, receives the export.

Client Computer Requirements

For information on client computer requirements, see "Supporting Client Computers" on page 259.

Setup Overview

Here is an overview of the basic steps for setting up file services.

Step 1: Read "Before You Begin"
Read "Before You Begin" on page 221 for issues to consider before setting up file services.

Step 2: Define users
For users to be able to access shared information, they must have accounts that register them with the server. See Chapter 3, "Users and Groups," for information about setting up user accounts.

Step 3: Create share points and set privileges
You share information on the network by designating volumes and folders as share points. Chapter 4, "Sharing," tells you how to create share points and define access privileges for the shared information.

Step 4: Configure and start up file services
You use Server Settings to configure and start up file services. See these sections for setting up the individual services:
• "Setting Up Apple File Service" on page 225
• "Setting Up Windows Services" on page 237
• "Setting Up File Transfer Protocol (FTP) Service" on page 250
• "Setting Up NFS Service" on page 257

Step 5: Check client configurations
After you set up file services, make sure client computers are configured properly to connect to the server. Macintosh, Windows, and UNIX client computers all require TCP/IP to connect to the server. See "Supporting Client Computers" on page 259.

Apple File Service

Apple file service allows Macintosh client users to connect to your server and access folders and files as if they were located on the user's own computer.
If you are familiar with AppleShare IP 6.3, you will find that Apple file service in Mac OS X Server functions in the same way. It uses a new version of the Apple Filing Protocol (AFP), version 3.1, which supports features such as Unicode file names and 64-bit file sizes. Unicode is a standard that assigns a unique number to every character, regardless of language or of the operating system used to display it.

One difference in the new Apple file service is that AppleTalk is no longer supported as a connection method. Mac OS X Server advertises its services over AppleTalk so that clients using AppleTalk can see servers in the Chooser, but they must connect to the server using TCP/IP. See "Supporting Mac OS X Clients" on page 259 and "Supporting Mac OS 8 and Mac OS 9 Clients" on page 260.

Automatic Reconnect

Mac OS X Server can automatically reconnect Mac OS X clients that have become idle or gone to sleep. When clients become idle or go to sleep, the server disconnects them to free server resources. It can, however, save Mac OS X client sessions, allowing these clients to resume work on open files without loss of data. You configure this setting in the Idle Users pane of the Apple file service configuration window. See "Configuring Apple File Service Idle Users Settings" on page 228.

Find By Content

Mac OS X clients can use Sherlock to search the contents of AFP servers. This feature enforces privileges, so only files to which the user has access are searched.

Kerberos Authentication

Apple file service supports Kerberos authentication. Kerberos is a network authentication protocol developed at MIT to provide secure authentication and communication over open networks. In addition to the standard authentication method, Mac OS X Server uses the Generic Security Services Application Programming Interface (GSSAPI) to support Kerberos v5.
You specify the authentication method using the Access pane of Configure Apple File Service. See "Configuring Apple File Service Access Settings" on page 226. For information about integrating your Mac OS X Server with Kerberos, see "Understanding Kerberos" on page 198.

Apple File Service Specifications

Maximum number of connected users (depending on your license agreement): Unlimited (hardware dependent)
Maximum volume size: 2 terabytes
TCP port number: 548
Log file location: /Library/Logs, in the AppleFileService folder

Before You Set Up Apple File Service

If you asked the Server Assistant to configure Apple file service when you installed Mac OS X Server, you don't have to do anything else to use Apple file service. However, check whether the default settings meet all your needs. The following section steps you through each of the Apple file service settings.

Setting Up Apple File Service

You set up Apple file service by configuring four groups of settings in the Configure Apple File Service window:

• General: set information that identifies your server, enable automatic startup, and create a login message for Apple file service
• Access: set up client connections and guest access
• Logging: configure and manage logs for Apple file service
• Idle Users: configure and administer idle user settings

The following sections describe the tasks for configuring these settings. A fifth section tells you how to start up Apple file service after you have completed its configuration.

Configuring Apple File Service General Settings

You use the General pane to set identifying information about your server, enable automatic startup, and create a login message for Apple file service.

To configure Apple file service General settings:

1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab.
4 In the Computer Name field, type the name for the server that you want users to see when using the Chooser or the Network Browser.
The name you enter here must be unique among all computers connected to the network. If you leave this field blank, the server registers itself on the network using its IP address, and the server's DNS name shows in this field.
5 Select "Start Apple File Service on system startup" to ensure that file services will be available if the server is restarted after a power failure or other unexpected event. This option is selected automatically when you start the server, and in most cases it's best to leave it selected.
6 Select "Enable browsing with Network Service Location" if you want to allow users to see this server in the "Connect to Server" pane in Mac OS X or in the Network Browser in Mac OS 9. This option also registers the server with Rendezvous, and it is available to client computers that have Mac OS 9 or later installed. If you turn on this option, you must also enable IP multicasting on your network router. See Chapter 16, "SLP DA Service," for more information about Service Location Protocol (SLP) and IP multicasting. Browsing only helps clients find the server; a client that knows the server's address can connect without it, so leave browsing off on servers you do not want advertised.
7 Select "Enable browsing with AppleTalk" if you want Mac OS 8 and Mac OS 9 clients to be able to find your file server using the Chooser. To find the server using the Chooser, AppleTalk must be enabled on both the client computer and the server. Clients will see the server in the Chooser but must connect using TCP/IP.
8 Choose a character set in the "Encoding for older clients" pop-up menu that matches the character set used by your Mac OS 8 and Mac OS 9 client users. When Mac OS 9 and earlier clients are connected, the server converts file names from the system's UTF-8 to the chosen set. This has no effect on Mac OS X client users.
9 Select "Do not send same message twice to the same user" if you want users to see your greeting only the first time they log in to the server.
If you change the message, users will see the new message the next time they connect to the server.
10 In the Logon Greeting field, type the message that you want users to see when they connect.
Note: The logon message does not appear when a user logs in to his or her home directory.
11 Click Save.

Configuring Apple File Service Access Settings

You use the Access pane to control client connections and guest access.

To configure Apple file service Access settings:

1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab.
4 Choose the authentication method you want to use: Standard, Kerberos, or Any Method. "Any Method" accepts either Standard or Kerberos authentication, so a client can always fall back to Standard; select Kerberos alone once every client can use it.
5 Select "Enable Guest access" if you want to allow unregistered users to access the file server.
Guest access is a convenient way to provide occasional users with access to files and other items in share points that allow guest access. For better security, do not select this option.
Note: If you allow guest access for Apple file service, AFP lets you control guest access for individual share points. See "Configuring Apple File Protocol (AFP) Share Points" on page 212.
6 Select "Enable secure connections" if you want to allow clients to connect using secure AFP, which tunnels the AFP session through SSH so that data in transit is encrypted.
7 Under the "Maximum client connections (including Guests)" option:
Select Unlimited if you don't want to limit the number of users who can be connected to your server at one time.
Enter a number if you want to limit the number of simultaneous users. The maximum number of simultaneous users is also limited by the type of license you have. For example, if you have a 10-user license, a maximum of 10 users can connect at one time. Limiting the number of connections frees resources for other services and applications.
8 Under the "Maximum Guest connections" option:
Select Unlimited if you don't want to limit the number of guest users who can be connected to your server at one time.
Enter a number if you want to limit how many of your maximum client connections can be used by guests. This number cannot be greater than the number of client connections allowed.
9 Click Save.

Configuring Apple File Service Logging Settings
You use the Logging pane to configure and manage logs for Apple file service.
To configure Apple file service Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab.
4 Select “Enable Access log” if you want to create an access log.
The access log stores information about any of the events you select.
5 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive.
The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.
6 Select the events that you want Apple file service to log.
Entries are logged each time a user performs one of the actions you select. Consider your server’s disk size when choosing events to log. The more events you choose, the larger the log file.
7 Select “Error Log: Archive every __ days” and type the number of days to specify how often the error log file contents are saved to an archive.
The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.
8 Click Save.
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.
Configuring Apple File Service Idle Users Settings
You use the Idle Users pane to configure and administer idle user settings. Idle users are users who are connected to the server but haven’t used the server volume for a period of time.
To configure Apple file service Idle Users settings:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Idle Users tab.
4 Select “Allow clients to sleep __ hour(s)—will not show as idle” and type the number of hours to allow clients to automatically reconnect to the server after becoming idle or going to sleep.
Although the server disconnects clients when they become idle or go to sleep, the clients’ sessions are maintained for the specified period. When a user resumes work within that time, the client is reconnected with no apparent interruption. If a longer period elapses, open files are closed and any unsaved work is lost.
5 Select “Disconnect idle users after __ minutes” and type the number of minutes to disconnect idle users after the specified time.
This ensures that server resources are available to active users. Mac OS X version 10.2 (and later) clients will be able to resume work on open files within the limits of the “Save sleep and reconnect session” setting.
6 Select the users that you want to exempt from being disconnected: Guests, Registered users (any user who is not also an administrator or guest), Administrators, or Idle users who have open files.
Important: If you don’t select the last option, any idle user (guest, registered user, or administrator) who has open files will be disconnected and may lose unsaved changes to their work.
7 Type the message in the “Disconnect Message” field that you want users to see when they’re disconnected.
If you do not type a message, a default message appears stating that the user has been disconnected because the connection has been idle for a period of time. Not all client computers can display disconnect messages. For example, Mac OS X version 10.2 (and later) clients will not see this message since they can automatically reconnect to the server.
8 Click Save.

Starting Apple File Service
Start Apple file service to make the service available to your client users.
To start Apple file service:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Start Apple File Service.
A globe appears on the service icon when the service is turned on.
You can also set Apple file service to start up automatically each time your server starts up. See “Starting Up Apple File Service Automatically” on page 231.

Managing Apple File Service
This section tells you how to perform day-to-day management tasks for Apple file service once you have it up and running.

Viewing Apple File Service Status
You use Server Status to check the status of all Mac OS X Server devices and services.
To view Apple file service status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see whether the service is running and when it started, its throughput and number of connections, and whether guest access and logging are enabled.
3 Click the Logs tab to see the access and error logs. Use the Show pop-up menu to choose which log to view.
4 Click the Connections tab to see a list of the users currently connected to Apple file service.
The table includes the user name, type of connection, user’s IP address or domain name, duration of connection, and the time since the last data transfer (idle time). Buttons at the bottom of the pane let you send a message to a user and disconnect the user.
5 Click the Graphs tab to see graphs of connected users or throughput. Use the pop-up menu to choose which graph to view.
Adjust the time scale using the slider at the bottom of the pane.

Viewing Apple File Service Logs
You use Server Status to view the error and access logs for Apple file service (if you have enabled them). You can also save selected log entries in another file or folder.
To view logs:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Logs tab and use the Show pop-up menu to choose between the access and error logs.

Stopping Apple File Service
To stop Apple file service:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Stop Apple File Service.
3 Enter the length of time you want to wait before file service stops.
4 Type a message in the Additional Message field if you want to send a message to users in addition to the default message when the service is stopped.
5 Click Shutdown.
Important: When you stop Apple file service, connected users may lose any information they have not saved.
Note: Stopping the server disables the “Start Apple File Service on system startup” option.

Starting Up Apple File Service Automatically
You can set Apple file service to start up automatically each time your server starts up.
Note: Apple file service must already be running before you can set this option. See “Starting Apple File Service” on page 229.
To set Apple file service to start up automatically:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab.
4 Select “Start Apple File Service on system startup” and click Save.

Changing the Apple File Server Name
By default, Apple file service registers itself on the network using its IP address, and the server’s DNS name is the name users see when using the Chooser or the Network Browser.
To change the name of the file server:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab.
4 Type a new name for your server in the Computer Name field and click Save.
The name you enter here must be unique among all computers connected to the network.

Registering With Network Service Locator
You can register your Apple file server with Network Service Locator (NSL) to allow users to find the server by browsing through available servers. Otherwise, users must type the server’s host name or IP address.
To register with NSL:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab, select “Register with Network Service Location,” and click Save.
This option also registers with Rendezvous. If you turn on this option, you must also enable and configure Service Location Protocol (SLP) service on your network router. See Chapter 16, “SLP DA Service,” for more information about SLP.

Enabling AppleTalk Browsing for Apple File Service
If you enable browsing with AppleTalk, users can see your servers and other network resources using the Chooser.
To enable browsing via AppleTalk:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab and select “Allow clients to browse using AppleTalk.”
4 Click Save.

Setting Maximum Connections for Apple File Service
If your server provides a number of services, you can improve server performance by limiting the number of clients and guests who can be connected at the same time.
To set the maximum number of connections:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab.
4 Under the “Maximum client connections (including Guests)” option type the maximum number of connections you want to allow.
5 Click Save.
Turning On Access Logs for Apple File Service
The access log can record any time a user logs in or out, opens a file, creates a file or folder, or deletes a file or folder.
To turn on access logs:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab and select “Enable access log.”
4 Select the events that you want Apple file service to log.
Entries are logged each time a user performs one of the actions you select. Consider your server’s disk size when choosing events to log. The more events you choose, the larger the log file.
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Archiving Apple File Service Logs
You can specify how often the contents of the access and error logs for Apple file service are saved to an archive file.
To set how often logs are archived:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Logging tab.
4 Make sure the “Enable Access log” option is selected.
5 Select “Archive every __ days” and type the number of days to specify how often the log file contents are saved to an archive.
The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.
6 Select “Error Log: Archive every __ days” and type the number of days to specify how often the error log file contents are saved to an archive.
The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file. You can keep the archived logs for your records or delete them to free disk space when they are no longer needed. The default setting is 7 days.
7 Click Save.
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Disconnecting a User From the Apple File Server
To disconnect a user:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Show Apple File Service Status.
3 Select the user and click Disconnect.
4 Enter the amount of time before the user is disconnected, and type a disconnect message. If you don’t type a message, a default message will appear.
5 Click Disconnect.

Disconnecting Idle Users From the Apple File Server
You can set Apple file service to automatically disconnect users who are connected to the server but have not used the server volume for a period of time.
To set how the server handles idle users:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Idle Users tab and choose the settings you want to use.
4 In the Disconnect Message field, type the message you want client users to see when they are disconnected. If you don’t enter a message, a default message will appear.
5 Click Save.

Allowing Guest Access to the Apple File Server
Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.
To enable guest access:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the Access tab and select “Allow Guest access.”
4 Under the “Maximum guest connections” option:
Select Unlimited if you don’t want to limit the number of guest users who can be connected to your server at one time.
Enter a number if you want to limit how many of your maximum client connections can be used by guests.
5 Click Save.

Creating a Login Greeting for Apple File Service
The login greeting is a message users see when they log in to the server.
To create a login greeting:
1 In Server Settings, click the File & Print tab.
2 Click Apple and choose Configure Apple File Service.
3 Click the General tab and type your message in the Logon Greeting field.
4 Select “Do not send same message twice to the same user” if you want users to see your greeting only the first time they log in to the server.
If you change the message, users will see the new message the next time they connect to the server.
5 Click Save.

Sending a Message to an Apple File Service User
You use the Connections pane of Server Status to send messages to clients using Apple file service.
To send a user a message:
1 In Server Status, locate the name of the server to which the user is connected in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click Connections and select the user’s name in the list.
3 Click Send Message.
4 Type the message you want to send and click Send.

Windows Services
Windows services in Mac OS X Server provide four native services to Windows clients. These services are
• file service—allows Windows clients to connect to the Mac OS X Server using Server Message Block (SMB) protocol over TCP/IP
• print service—uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS)—allows clients across multiple subnets to perform name/address resolution
• browsing—allows clients to browse for available servers across subnets
Windows services use the Windows code page setting to display the correct language for the client.
Samba is public-domain software that provides file and print services to Windows clients.
For more information about Samba, refer to the Samba web site: www.samba.org

Windows Services Specifications
Maximum number of connected users, depending on your license agreement   1000
Maximum volume size   2 terabytes
TCP port number   139
UDP port numbers   137, 138
Log file location   /Library/Logs in the WindowsFileServices folder

Before You Set Up Windows Services
If you plan to provide Windows services on your Mac OS X Server, read the following sections for issues you should keep in mind. You should also check the Microsoft documentation for your version of Windows to find out more about the capabilities of the client software. Although Mac OS X Server does not require any special software or configuration on Windows client computers, you may want to read “Supporting Windows Clients” on page 261.

Ensuring the Best Cross-Platform Experience
Mac OS and Windows computers store and maintain files differently. For the best cross-platform experience, you should set up at least one share point to be used only by your Windows users. See “Creating Share Points and Setting Privileges” on page 211.
In addition, you can improve the user experience by following these guidelines:
• Use comparable versions of application software on both platforms.
• Modify files only with the application they were created in.
• Limit Windows file names to 31 characters (the limit for Mac OS 8 and Mac OS 9 clients).
• Don’t use symbols or characters with accents in the names of shared items.

Windows User Password Validation
Mac OS X Server supports several methods of validating Windows user passwords.
Password Server is the recommended method. It supports LDAP as well as NetInfo because the directory does not store the password, just a pointer to the proper Password Server and user ID. The Password Server database is a root-readable file, and the contents are encrypted. Passwords are not accessible over the network for reading—they can only be verified. See “Using a Password Server” on page 195 and “Setting Up an Open Directory Domain and Password Server” on page 92.
Authentication Manager is supported for upgrades from earlier versions of Mac OS X Server (10.1 and earlier). Existing users will continue to use Authentication Manager. (If you export from Mac OS X Server and reimport, you do not get the tim_password set. You must manually set the password for each user after import.)
You can enable Authentication Manager from the command line. Use Basic password validation. You should set Authentication Manager passwords on the server which is hosting the domain you are editing. See Understanding and Using NetInfo for information on how to use the command line utilities for Authentication Manager. This document is available on the Mac OS X Server Web site: www.apple.com/macosx/server/
Note: Authentication Manager is only supported with NetInfo.

Setting Up Windows Services
You set up Windows services by configuring four groups of settings:
• General—set information that identifies your Windows server and enable automatic startup
• Access—allow guest access and set the maximum number of client connections
• Logging—choose the level of detail you want in your log
• Idle Users—set up name resolution and enable browsing across subnets
Because the default settings will work well in most cases, it may be that all you need to do to set up Windows services is to start it. Nonetheless, you should take a look at the settings and change anything that isn’t appropriate for your network. Each of the settings is described in the following sections on configuration. After the configuration tasks, other topics tell you how to start up Windows services.

Configuring Windows Services General Settings
You use the General pane to set identifying information about your Windows server and to enable automatic startup.
To configure Windows General settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab.
4 In the Server Name field, type the server name you want users to see when they connect.
The default name is the NetBIOS name of the Windows file server. The name should contain no more than 15 characters, and no special characters or punctuation.
If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as “server.apple.com,” give your server the name “server.”
5 In the Workgroup field, type the name of the workgroup that you want users to see in the Network Neighborhood window.
If you have Windows domains on your subnet, use one of them as the workgroup name to make it easier for clients to communicate across subnets. Otherwise, consult your Windows network administrator for the correct group name. The workgroup name cannot exceed 15 characters.
6 In the Description field, type a description that is meaningful to you or your users.
This description appears in the Network Neighborhood window on client computers, and it is optional. The Description cannot exceed 48 characters.
7 Use the Code Page pop-up menu to choose the code page for the language client computers will use.
8 Select the “Start Windows Services on system startup” option if you want to ensure that the server is restarted after a power failure or other unexpected event.
This option is automatically selected when you start the server and in most cases it’s best to leave it selected.

Configuring Windows Services Access Settings
You use the Access pane to allow guest access and set the maximum client connections.
To configure Windows services Access settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Select “Allow Guest access” only if you want to allow people who are not registered users to use Windows file sharing.
This is a convenient way to provide occasional users with access to files and other items for which the appropriate privileges have been set. For better security, do not select this option.
5 Below “Maximum client connections” choose Unlimited if you do not want to limit the number of users who can be connected to your server at one time.
6 If you want to limit the number of simultaneous users, click the button below Unlimited and enter the number of connections.
The maximum number of simultaneous users is also limited by the type of license you have. For example, if you have a 10-user license, then a maximum of 10 users can connect at one time. Limiting the number of connections can free resources to be used by other services and applications.

Configuring Windows Services Logging Settings
You use the Logging pane to choose the level of detail you want in your logs.
To configure Windows services Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Logging tab.
4 Use the Detail Level pop-up menu to choose the level of detail you want logged: None, Minimal, or Verbose.
The more detailed the logging, the larger the log file. The table below shows the level of detail you get for each option.

Events logged                                                            None   Minimal   Verbose
Starting and stopping the server                                         No     Yes       Yes
When users try and fail to log in                                        No     Yes       Yes
Warnings and errors                                                      Yes    Yes       Yes
When browser name registration occurs                                    No     Yes       Yes
Access events (each time a file is opened, modified, read, and so on)    No     No        Yes

You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Configuring Windows Services Neighborhood Settings
You use the Neighborhood pane to set up name resolution and enable browsing across subnets.
To configure Windows services Neighborhood settings:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab.
4 Under WINS Registration, choose whether you want to register with a WINS server, either locally or externally:
Choose “Off” to prevent your server from registering itself with any external WINS server or local name resolution server.
Choose “Enable WINS server” to have the file server provide local name resolution services. This allows clients across multiple subnets to perform name/address resolution.
Choose “Register with WINS server” if your Windows clients and Windows server are not all on the same subnet, and your network has a WINS server. Then enter the IP address or DNS name of the WINS server.
5 Under Workgroup/Domain Services, choose whether to enable domain browsing services:
“Master Browser” provides browsing and discovery of servers in a single subnet.
“Domain Master Browser” provides browsing and discovery of servers across subnets.

Starting Windows Services
Start Windows services to make the services available to your client users.
To start Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Start Windows Service.
A globe appears on the service icon when the service is turned on.

Managing Windows Services
This section tells you how to perform day-to-day management tasks for Windows services once you have the services up and running.

Stopping Windows Services
To stop Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Stop Windows Services.
Important: When you stop Windows services, connected users will lose any information they haven’t saved.

Setting Automatic Startup for Windows Services
You can set Windows services to start automatically each time your server starts up.
To set automatic startup:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab, then click “Start Windows Services on system startup.”
4 Click Save.

Changing the Windows Server Name
The default server name is the NetBIOS name of the Windows file server. The name should contain no more than 15 characters and no special characters or punctuation.
To change the file server name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab and enter a name in the Server Name field.
4 Click Save.

Finding the Server’s Workgroup Name
You can discover the server’s workgroup name in the General pane of Configure Windows Services.
To find the server’s workgroup name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
The Workgroup name is shown in the General pane.

Checking Windows Services Status
You use Server Status to check the status of all Mac OS X Server devices and services.
To view Windows services status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Windows in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see whether the services are running and when they started, the number of connections, and whether guest access and logging are enabled.
3 Click the Logs tab to see the Windows file service and name service logs. Use the Show pop-up menu to choose which log to view.
4 Click the Connections tab to see a list of the users currently connected to the Windows services.
The list includes the users’ names, IP addresses, and duration of connections.
A button at the bottom of the pane lets you disconnect a user.
5 Click the Graphs tab to see graphs of connected users or throughput. The connected users are shown as a column chart. Use the slider to adjust the time scale.

Registering with a WINS Server
Windows Internet Naming Service (WINS) matches server names with IP addresses. You can use your server as the local name resolution server, or you can register with an external WINS server.
To register your server with a WINS server:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab and select one of the options under WINS Registration. If you select “Register with WINS server,” enter the IP address or DNS name of the external WINS server you want to use.
4 Click Save.

Enabling Domain Browsing for Windows Services
If there are no Microsoft servers on your subnet or network to control domain browsing, use these options to restrict domain browsing to a single subnet or allow browsing across your network.
To enable domain browsing:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Neighborhood tab, then select Master Browser or Domain Master Browser.
Select Master Browser to let clients browse for and locate servers in a single subnet.
Select Domain Master Browser to let clients browse for and locate servers across your network (subnets).
4 Click Save.

Setting Maximum Connections for Windows Services
You can limit the potential resources consumed by Windows services by limiting the maximum number of connections.
To set the maximum number of connections:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab.
4 Click Unlimited, or type the maximum number of connections you want to allow.
5 Click Save.
Setting Up the Windows Services Log
When you set up logging for Windows services, you can choose the level of detail you want to log.
To set up a log for Windows services:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Logging tab, then use the Detail Level pop-up menu to choose the level of detail you want to log: None, Minimal, or Verbose. The more detailed the logging, the larger the log file.
4 Click Save.

Disconnecting a User From the Windows Server
To disconnect a user:
1 In Server Status, locate the name of the server the user is connected to in the Devices & Services list.
2 Select Windows in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
3 Click the Connections tab and select the user you want to disconnect.
4 Click the Disconnect button.
Important: Users who are disconnected will lose any information they haven’t saved.

Allowing Guest Access in Windows Services
Guests are users who can see information on your server without using a name or password to log in. For better security, do not allow guest access.
To enable guest access to the server:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the Access tab and select “Allow Guest access.”
4 Click Save.

Assigning the Windows Server to a Workgroup
Users see the workgroup name in the Network Neighborhood window. If you have Windows domains on your subnet, use one of them as the workgroup name to make it easier for clients to communicate across subnets. Otherwise, consult your Windows network administrator for the correct name.
To assign a workgroup name:
1 In Server Settings, click the File & Print tab.
2 Click Windows and choose Configure Windows Services.
3 Click the General tab and type a name in the Workgroup field.
4 Click Save.
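An added check for the Windows services settings described above (server name, workgroup and description limits, guest access, connection limits, the WINS role, and the log detail level). It is not from the guide and is not what Server Settings does: because the guide says Windows services are provided by Samba, it audits an smb.conf-style file. The directive names are standard Samba names assumed here, the two sample files are constructed, and the log level mapping is an assumption noted in the code.

```python
import re

# Limits and guidance taken from the guide's Windows services settings.
NETBIOS_MAX, WORKGROUP_MAX, DESCRIPTION_MAX = 15, 15, 48
NAME_OK = re.compile(r"^[A-Za-z0-9-]+$")  # no punctuation or special characters

# Constructed sample smb.conf files (not from the guide). The directive names
# are standard Samba names, assumed here; the guide does not show the file
# that Server Settings writes. 192.0.2.10 is a documentation address.
WEAK_CONF = """
[global]
    netbios name = fileserver.example.com
    workgroup = ENGINEERING-DEPARTMENT
    server string = Engineering department file and print server for Windows clients
    map to guest = Bad User
    wins support = yes
    wins server = 192.0.2.10
    log level = 0
[public]
    path = /Shared Items/Public
    guest ok = yes
[projects]
    path = /Volumes/Data/Projects
    max connections = 25
"""

HARDENED_CONF = """
[global]
    netbios name = fileserver
    workgroup = ENGINEERING
    server string = Engineering file server
    map to guest = Never
    wins support = yes
    log level = 1
    max connections = 50
[projects]
    path = /Volumes/Data/Projects
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_windows_services(conf, dns_hostname=None):
    """Return a list of findings for the settings the guide discusses."""
    g = conf.get("global", {})
    findings = []
    name = g.get("netbios name", "")
    if len(name) > NETBIOS_MAX:
        findings.append("server name '%s' exceeds %d characters" % (name, NETBIOS_MAX))
    if name and not NAME_OK.match(name):
        findings.append("server name '%s' contains punctuation or special characters" % name)
    if name and dns_hostname and name.lower() != dns_hostname.split(".")[0].lower():
        findings.append("server name '%s' does not match the unqualified DNS host name" % name)
    if len(g.get("workgroup", "")) > WORKGROUP_MAX:
        findings.append("workgroup name exceeds %d characters" % WORKGROUP_MAX)
    if len(g.get("server string", "")) > DESCRIPTION_MAX:
        findings.append("description exceeds %d characters" % DESCRIPTION_MAX)
    # Guest access: the guide advises leaving it off. 'Never' is Samba's default.
    if g.get("map to guest", "Never").lower() != "never":
        findings.append("guest access enabled (map to guest = %s)" % g["map to guest"])
    for section, opts in conf.items():
        if section == "global":
            continue
        if opts.get("guest ok", g.get("guest ok", "no")).lower() == "yes":
            findings.append("share [%s] allows guest access (guest ok = yes)" % section)
        # 'max connections' is a per-share setting; 0 (the default) means unlimited.
        if opts.get("max connections", g.get("max connections", "0")).strip() == "0":
            findings.append("share [%s] has no connection limit" % section)
    # The guide's WINS choices (Off / Enable WINS server / Register with WINS
    # server) are mutually exclusive, so holding both roles at once is a mistake.
    if g.get("wins support", "no").lower() == "yes" and g.get("wins server"):
        findings.append("both 'wins support' and 'wins server' are set; choose one WINS role")
    # Assumed mapping: Samba log level 0 ~ the guide's None detail level, at
    # which failed logon attempts are not recorded.
    if g.get("log level", "").strip() == "0":
        findings.append("log level 0: failed logon attempts would not be recorded")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit_windows_services(parse_smb_conf(text), "fileserver.example.com")
        print("%s: %s" % (label, "; ".join(found) or "no findings"))
```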
File Transfer Protocol (FTP) Service
FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server.
FTP service in Mac OS X Server is based on the source code for Washington University’s FTP server, known as “wu-FTPd.” However, modifications have been made to the original source code to deliver a better user experience. Some of these differences are described in the following sections.

Secure FTP Environment
Most FTP servers provide a restricted directory environment that confines FTP users to a specific area within a server. Users can only see directories and data in this area, so the server is kept quite secure. However, users cannot access volumes mounted outside this restricted area. Symbolic links and aliases don’t reach across the boundaries set within the server.
FTP service in Mac OS X Server expands the restricted environment to allow access to symbolic links and aliases while still providing a secure FTP environment. FTP users can potentially access directories and their contents located anywhere on the server, as long as the directories are share points configured for FTP.
Access to the FTP root and FTP share points for individual users is determined by the user environment you specify (as described in the following section) and the access privileges set for the users.
For information about creating share points and setting access privileges, see Chapter 4, “Sharing.” See “Configuring the FTP User Environment” on page 254.

File Services 245

User Environments

Mac OS X Server provides three different user environments that determine how the FTP root, share points, and home directories are made available to FTP users:
• FTP root and share points
• Home directory and FTP root
• Home directory only

You specify the user environment in the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252.

FTP Root and Share Points

The “FTP Root and Share Points” user environment gives access—for both real and anonymous users—to the FTP root and any FTP share points to which the users have access privileges, as shown in the following figure. Users access FTP share points through symbolic links attached to the FTP Root directory. The symbolic links are created automatically when you create the FTP share points.

[Figure: “FTP Root and Share Points” environment. The FTP server’s directory tree (bin, etc, Library, system, Users containing Bob and Betty, Volumes containing Data and Photos) is shown beside the FTP root, which looks like “/” to the user; the Users, Data, and Photos share points are incorporated within the virtual root through symbolic links.]

Note that in this example, /Users, /Volumes/Data, and /Volumes/Photos are FTP share points. All users can see the home directories of other users because they are subdirectories of the Users share point.

Home Directory and FTP Root

When the user environment option is set to “Home Directory and FTP Root,” real users are logged into their home directories and have access to the FTP root by means of a symbolic link automatically created in their home directories. Other FTP share points are accessible through symbolic links in the FTP root. As always, access to the FTP share points is controlled by the access privileges they are assigned. In this scenario, the /Users folder is not an FTP share point and users are not able to see the home directories of other users.
If you create a custom FTP root, then the symbolic link in users’ home directories will reflect that custom name. For example, if you set a custom FTP root directory to be /Volumes/Extra/NewRoot, the symbolic link created in the user’s home directory would be called NewRoot.

Important: Regardless of the user environment setting, anonymous users and users without home directories are always logged into the “FTP Root and Share Points” environment.

[Figure: “Home Directory and FTP Root” environment. The same server tree (bin, etc, Library, system, Users containing Bob and Betty, Volumes containing Data and Photos) is shown; real users log in to their home directories, each of which holds a symbolic link named FTP Root that points to the FTP root (which looks like “/”), and the Data and Photos share points are incorporated within the virtual root through symbolic links.]

Home Directory Only

In the Restricted user environment, real users are confined to their home directories and do not have access to the FTP root or other FTP share points, as shown in the following illustration. Anonymous users and users without home directories still have access to the FTP root and FTP share points. So that these users cannot see the home directories of real users, the /Users folder is not set up as an FTP share point.

On-the-Fly File Conversion

FTP service in Mac OS X Server allows users to request compressed or decompressed versions of information on the server. A file-name suffix such as “.Z” or “.gz” indicates that the file is compressed. If a user requests a file called “Hamlet.txt” and the server only has a file named “Hamlet.txt.Z,” it knows that the user wants the decompressed version, and delivers it to the user in that format.

In addition to standard file compression formats, Mac OS X Server has the ability to read files from either HFS or non-HFS volumes and convert the files to MacBinary (.bin) format. This is one of the most commonly used file compression formats for the Macintosh operating system.
[Figure: “Home Directory Only” environment. Real users such as Bob (whose home directory holds Reports and Projects) and Betty are confined to their home directories under Users; the FTP root, which looks like “/” to anonymous users, incorporates the Data and Photos share points through symbolic links.]

The table below shows common file extensions and the type of compression they designate.

File extension   What it means
.gz              DEFLATE compression
.Z               UNIX compress
.bin             MacBinary encoding
.tar             UNIX tar archive
.tZ              UNIX compressed tar archive
.tar.Z           UNIX compressed tar archive
.crc             UNIX checksum file
.dmg             Mac OS X disk image

Custom FTP Root

For increased security, Mac OS X Server lets you create a custom FTP root. You specify the directory path of the custom FTP root using the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252. The custom root takes the place of the default FTP root directory.

Kerberos Authentication

FTP supports Kerberos authentication. You specify the authentication method using the Advanced pane of Configure FTP Service. See “Configuring FTP Advanced Settings” on page 252. For information about Kerberos, see “Kerberos Authentication” on page 224.

FTP service specifications

Maximum number of connected users (the default setting is 50 for real users and 50 for anonymous users)   1000
FTP port number   21
Number of failed login attempts before user is disconnected   3

Before You Set Up FTP Service

Consider the type of information you need to share and who your clients are when determining whether or not to offer FTP service. FTP works well when you want to transfer large files such as applications and databases. In addition, if you want to allow guest (anonymous) users to download files, FTP is a secure way to provide this service.

Restrictions on Anonymous FTP Users (Guests)

Enabling anonymous FTP poses a security risk to your server and data because you open your server to users that you do not know.
The access privileges you set for the files and folders on your server are the most important way you can keep information secure. Anonymous FTP users are only allowed to upload files into a special directory named “uploads” in the FTP root. If the uploads share point doesn’t exist, anonymous users will not be able to upload files at all.

To ensure the security of your FTP server, by default anonymous users cannot
• delete files
• rename files
• overwrite files
• change permissions of files

Setup Overview

Here is an overview of the major steps for setting up FTP service.

Step 1: Before You Begin
Read “Before You Set Up FTP Service” on page 248 for issues you should keep in mind when you set up FTP service.

Step 2: Configure FTP General settings
The General settings let you display banner and welcome messages, set the number of login attempts, and provide an administrator email address. See “Configuring FTP General Settings” on page 250.

Step 3: Configure FTP Access settings
The Access Settings let you specify the number of real and anonymous users. See “Configuring FTP Access Settings” on page 251.

Step 4: Configure FTP Logging settings
The Logging settings let you specify the events you want to log for real and anonymous users. See “Configuring FTP Logging Settings” on page 251.

Step 5: Configure FTP Advanced settings
The Advanced settings specify a custom FTP root to use. See “Configuring FTP Advanced Settings” on page 252.

Step 6: Create an “uploads” folder for FTP users (optional)
If you enabled anonymous access in Step 2, you may want to create a folder for anonymous users to upload files. The folder must be named “uploads.” It is not a share point, but must have appropriate access privileges. See “Creating an Uploads Folder for Anonymous Users” on page 253.

Step 7: Create share points and share them using FTP
Use the Sharing module of Workgroup Manager to specify the share points that you want to make available through FTP.
You must explicitly configure a share point to use FTP in order for FTP users to be able to access the share point. See “Creating Share Points and Setting Privileges” on page 211 and “Configuring File Transfer Protocol (FTP) Share Points” on page 213.

Step 8: Start FTP service
After you have configured FTP, start the service to make it available. See “Starting FTP Service” on page 252.

Setting Up File Transfer Protocol (FTP) Service

Configuring FTP General Settings

The General settings let you display banner and welcome messages, set the number of login attempts, and provide an administrator email address.

To configure the FTP General settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the General tab.
4 Select the “Show Banner Message” option to display a message to users before they log in to the server.
5 Click the Edit Banner button to create or revise a banner message.
6 Select the “Show Welcome Message” option to display a message to users after they have logged in to the server.
7 Click the Edit Welcome button to create or revise a welcome message in the window that appears.
8 Select the “Disconnect after __ failed login attempts” option and type a number to limit the number of failed login attempts users can make before they are automatically disconnected from the server.
9 In the “Administrator E-mail Address” field, enter an email address if you want to provide a way for users to contact the administrator.
10 Click Save.

Configuring FTP Access Settings

The Access Settings let you specify the number of real and anonymous users.

To configure the FTP Access settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Access tab.
4 Enter a value in the “Allow a maximum of __ real users” field to set the maximum number of registered users who can connect to your server at the same time.
Real users are users who have been added in the Users & Groups module of Workgroup Manager.
5 Select “Enable anonymous access” to allow anonymous users to connect to the server and transfer files. Anonymous users can log in using the name “ftp” or “anonymous.” They do not need a password to log in, but they will be prompted to enter their email addresses. Before selecting this option, you should review the privileges assigned to your share points carefully to make sure there are no security holes. For more information about keeping your information secure, read Chapter 4, “Sharing.”
6 Enter a value in the “Allow a maximum of __ anonymous users” field to set the maximum number of anonymous users who can connect to your server at the same time.
7 Click Save.

Configuring FTP Logging Settings

The Logging settings let you specify the events you want to log for real and anonymous users.

To configure the FTP Logging settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Logging tab.
4 In the “Log Real Users” section, select the events you want to appear in the FTP log for real users. You can select FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
5 In the “Log Anonymous Users” section, select the events you want to appear in the FTP log for anonymous users. You can select FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
6 Click Save.

Configuring FTP Advanced Settings

The Advanced settings allow you to specify a custom FTP root. A custom FTP root creates a higher level of security by isolating the files accessible through FTP from the main directory of the server.

To configure the FTP Advanced settings:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Select the “Use custom FTP root” option and enter the pathname in the Path field if you want to create a custom FTP root.
See “Custom FTP Root” on page 248.
5 Choose the type of authentication you want to use: Standard, Kerberos, or Any Method.
6 Choose the type of user (chroot) environment you want to use: FTP Root and Share Points, Home Directory and FTP Root, or Home Directory Only. See “User Environments” on page 245.

Starting FTP Service

Start FTP file service to make the service available to your client users.

To start FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Start FTP Service.
A globe appears on the service icon when the service is turned on.

Managing File Transfer Protocol (FTP) Service

This section tells you how to perform day-to-day management tasks for FTP service once you have it up and running.

Stopping FTP Service

Important: When you stop FTP service, connected users will be disconnected without warning.

To stop FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Stop FTP.

Setting Up Anonymous FTP Service

You can allow guests to log in to your FTP server with the user name “ftp” or “anonymous.” They do not need a password to log in, but they will be prompted to enter their email addresses. For better security, do not enable anonymous access.

To set up anonymous FTP service:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP.
3 Click the Access tab.
4 Select “Anonymous access enabled.”
5 Click Save.
If the “Anonymous access enabled” box has a checkmark, anonymous access is already enabled.

Creating an Uploads Folder for Anonymous Users

The uploads folder provides a place for anonymous users to upload files to the FTP server. It must exist at the top level of the FTP root directory and be named “uploads.” (If you have set up a custom FTP root directory, then the uploads folder must be at the root of that directory.) Use the Finder to create the folder and set write privileges for guest users.
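The restricted environment described under “User Environments” confines FTP users to the FTP root and to the FTP share points reachable through the symbolic links in it, and the uploads folder above must sit at the top level of that root with write access for guests. The following added example (not code from this guide or from the Mac OS X Server FTP service) models both rules: it builds a constructed directory layout in a temporary folder, maps client-visible paths to real paths while refusing any link or “..” sequence that leads outside the root or a share point, and checks the “uploads” folder. The FTPRoot and private/etc locations and the mapping of guest access to the “others” permission bits are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def build_sample_tree(base: Path) -> Tuple[Path, List[Path]]:
    """Create a constructed directory layout modelled on the guide's figures.

    Returns the FTP root and the directories that play the role of FTP share
    points. "FTPRoot" and "private/etc" are hypothetical locations chosen for
    the demonstration, not paths the server itself uses.
    """
    users = base / "Users"
    data = base / "Volumes" / "Data"
    photos = base / "Volumes" / "Photos"
    etc = base / "private" / "etc"  # a directory that is NOT an FTP share point
    for d in (users / "Bob", users / "Betty", data, photos, etc):
        d.mkdir(parents=True)
    (etc / "passwd").write_text("root:*:0:0:System Administrator:/var/root:/bin/sh\n")
    (data / "report.txt").write_text("constructed sample file\n")

    ftp_root = base / "FTPRoot"
    ftp_root.mkdir()
    (ftp_root / "uploads").mkdir()  # the anonymous upload folder, at the top level of the root
    # Symbolic links like the ones the server creates for each FTP share point
    os.symlink(users, ftp_root / "Users")
    os.symlink(data, ftp_root / "Data")
    os.symlink(photos, ftp_root / "Photos")
    # A stray link that points somewhere that is not a share point
    os.symlink(etc, ftp_root / "etc")
    return ftp_root, [users, data, photos]


def _inside(path: Path, root: Path) -> bool:
    """True when path is root itself or lies somewhere beneath it."""
    return path == root or root in path.parents


def resolve_client_path(ftp_root: Path, share_points: List[Path],
                        client_path: str) -> Optional[Path]:
    """Map a path as the FTP client sees it (relative to the virtual root "/")
    to the real path on the server, or return None when access must be refused.

    The request is allowed only when the fully resolved real path lies inside
    the FTP root or inside one of the configured FTP share points. A symbolic
    link or ".." sequence that leads anywhere else is refused, which is the
    boundary the guide describes. Per-file access privileges are a separate
    check and are not modelled here.
    """
    candidate = ftp_root / client_path.lstrip("/")
    real = Path(os.path.realpath(candidate))
    allowed = [Path(os.path.realpath(ftp_root))]
    allowed += [Path(os.path.realpath(p)) for p in share_points]
    if any(_inside(real, root) for root in allowed):
        return real
    return None


def check_uploads_folder(ftp_root: Path) -> List[str]:
    """Return the problems found with the anonymous "uploads" folder (empty if fine).

    Assumes guest (anonymous) access is granted through the "others" permission
    bits; a folder owned by the FTP guest account would also work but is not checked.
    """
    uploads = ftp_root / "uploads"
    if not uploads.is_dir():
        return ["no 'uploads' directory at the top level of the FTP root"]
    problems = []
    if uploads.is_symlink():
        problems.append("'uploads' is a symbolic link rather than a real folder")
    if not uploads.stat().st_mode & 0o002:
        problems.append("'uploads' is not writable by others (guest uploads will fail)")
    return problems


def run_demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        ftp_root, share_points = build_sample_tree(Path(tmp))
        os.chmod(ftp_root / "uploads", 0o755)  # as created: no write access for guests
        uploads_before = check_uploads_folder(ftp_root)
        os.chmod(ftp_root / "uploads", 0o733)  # after granting guests write access
        uploads_after = check_uploads_folder(ftp_root)
        requests = ["/Data/report.txt", "/Users/Bob", "/Photos", "/uploads",
                    "/etc/passwd", "/../private/etc/passwd"]
        decisions = {r: resolve_client_path(ftp_root, share_points, r) is not None
                     for r in requests}
    return {"decisions": decisions, "uploads_before": uploads_before,
            "uploads_after": uploads_after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```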
Specifying a Custom FTP Root

The Advanced settings allow you to specify the path for a custom FTP root.

To specify a custom FTP root:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Enter the pathname for the FTP root.
5 Select the “Use custom FTP root” option and enter the pathname in the Path field if you want to create a custom FTP root.
6 If it does not already exist, create the directory you’ve specified and configure it as an FTP share point.

Specifying the FTP Authentication Method

You use the Advanced pane of Configure FTP Service to specify the authentication method.

To specify the FTP authentication method:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of authentication you want to use: Standard, Kerberos, or Any Method. See “Kerberos Authentication” on page 248.

Configuring the FTP User Environment

You use the Advanced pane of Configure FTP Service to specify the user environment.

To configure the FTP user environment:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Advanced tab.
4 Choose the type of user environment you want to provide.
The “FTP Root and Share Points” environment sets up the Users directory as a share point. Real users log in to their home directories, if they are available within the restricted environment. Both real and anonymous users can see other users’ home directories in a share point. (The directories are only accessible to users who have access privileges, however.)
The “Home Directory and FTP Root” environment logs real FTP users in to their home directories. They have access to their home directories, to the FTP root, and to FTP share points.
The “Home Directory Only” environment restricts real FTP users to their home directories only.
Regardless of the user environment you choose, access to all data is controlled by access privileges. Anonymous users and real users who don’t have home directories (or whose home directories are not located in a share point to which they have access) are always logged in at the root level of the restricted FTP environment.

Viewing FTP Logs

You use Server Settings to view FTP logs.

To view FTP logs:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the Logging tab.
4 Select the log options for real users: FTP Commands, Rule Violation Attempts, Uploads, and Downloads.
5 Select the log options for anonymous users: FTP Commands, Rule Violation Attempts, Uploads, and Downloads.

Displaying Banner and Welcome Messages to Users

FTP service in Mac OS X Server allows you to create certain messages that you can send to real users and to anonymous FTP users when they log in to your server. Some FTP clients may not display the message in an obvious place, or they may not display it at all. For example, the FTP client Fetch displays a banner message in the “RemoteHostname Messages” window.

To display banner and welcome messages to users:
1 In Server Settings, click the File & Print tab.
2 Click FTP and choose Configure FTP Service.
3 Click the General tab.
4 Select the “Show Banner Message” option to display a message to users before they log in to the server.
5 Click the Edit Banner button to create or revise a banner message.
6 Select the “Show Welcome Message” option to display a message to users after they have logged in to the server.
7 Click the Edit Welcome button to create or revise a welcome message in the window that appears.
8 Click Save.

Displaying Messages Using message.txt Files

When a user encounters a directory that contains a file named “message.txt,” the file content is displayed as a message.
The user only sees the message the first time he or she connects to the directory during that FTP session. You can use the message to notify users of important information or changes users need to be aware of.

Using README Messages

You can also place a file called “README” in a directory. When users encounter a directory that contains a README file, they receive a message letting them know that the file exists and when it was last updated. Users can choose whether or not to open and read the file.

Network File System (NFS) Service

Network File System is the protocol used for file services on UNIX computers. Use NFS to provide file service for your UNIX clients (other than Mac OS X clients). You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.

Note: The NFS term for sharing is export. This guide, therefore, uses that term to be consistent with standard NFS terminology.

You use the NFS module of Server Settings to configure and manage NFS service. You also use the Sharing module of Workgroup Manager to set privileges and access levels for the share points or folders you want to export.

Before You Set Up NFS Service

Be sure to consider the security implications of exporting in NFS before you set up NFS service.

Security Implications

NFS was created for a secure networking environment, in which you can trust the client computer users and the people who administer the clients. Whereas access to Apple file service, Windows file sharing, and FTP service share points is controlled by authentication (user name and password), access to NFS shared items is controlled by the client software and file permissions. NFS allows access to information based on the computer’s IP address. This means that a particular client computer will have access to certain share points regardless of who is using the computer.
Whenever the computer is started up, some volumes or folders are automatically mounted or made available, and anyone who uses the computer has access to them.

With NFS, it’s possible for a user to spoof ownership of another person’s files. For example, if a file on the server is owned by a user with user ID 1234, and you export a folder that contains that file, someone on a remote computer can create a local user on the remote computer, give it a user ID of 1234, mount that folder, and have the same access to the folder’s contents as the file’s original owner. You can take some steps to prevent this by creating unique user IDs and by safeguarding user information.

If you have Internet access and plan to export to World, your server should be behind a firewall.

Setup Overview

Here is an overview of the major steps for setting up NFS service.

Step 1: Before You Begin
Read “Before You Set Up NFS Service” on page 256 for issues you should keep in mind when you set up NFS service.

Step 2: Configure NFS settings
The NFS settings let you set the maximum number of daemons and choose how you want to serve clients—via TCP, UDP, or both. See “Configuring NFS Settings” on page 257.

Step 3: Create share points and share them using NFS
Use the Sharing module of Workgroup Manager to specify the share points that you want to export (share) using NFS. You must explicitly configure a share point to use NFS in order for NFS users to be able to access the share point. See “Creating Share Points and Setting Privileges” on page 211, “Sharing (Exporting) Items Using Network File System (NFS)” on page 213, and “Automounting Share Points” on page 214.

You don’t need to start or stop NFS service; when you define a share point to export, the service starts automatically. When you delete all exports, the service stops. You can tell if NFS service is running by looking for the globe on the NFS icon in Server Settings.
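Two checks that follow from the security implications above, as an added example that is not part of this guide: parse the output of “showmount -e” (the command the guide uses later to list current exports) to flag exports to World, and scan passwd-style account records for a user ID shared by more than one account, which is the condition that makes the ownership spoofing described above trivial. Both inputs are constructed samples; the “Everyone” label for an unrestricted export is how BSD-derived showmount reports it and is assumed here.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape "showmount -e" prints on BSD-derived systems
# (a header line, then one export per line with the clients it is exported to).
# Not captured from a real server.
SAMPLE_SHOWMOUNT = """\
Exports list on localhost:
/Volumes/Projects                   10.0.1.0
/Volumes/Public                     Everyone
/Users                              hermes.example.com ares.example.com
"""

# Constructed passwd-style records (seven colon-separated fields; the user ID is the third).
SAMPLE_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/tcsh
bob:*:1234:20:Bob:/Users/bob:/bin/tcsh
betty:*:1234:20:Betty:/Users/betty:/bin/tcsh
carol:*:1235:20:Carol:/Users/carol:/bin/tcsh
"""

# Spellings used for an export with no client restriction (assumed, see lead-in)
WORLD_MARKERS = {"everyone", "world", "(everyone)"}


def parse_showmount(output: str) -> Dict[str, List[str]]:
    """Return {export path: [clients it is exported to]} from showmount -e output."""
    exports: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if not line.startswith("/"):
            continue  # skip the "Exports list on ..." header and blank lines
        fields = line.split()
        exports[fields[0]] = fields[1:]
    return exports


def world_exports(exports: Dict[str, List[str]]) -> List[str]:
    """Exports that any client able to reach the server can mount (exported to World)."""
    return sorted(path for path, clients in exports.items()
                  if any(c.lower() in WORLD_MARKERS for c in clients))


def duplicate_uids(passwd: str) -> Dict[int, List[str]]:
    """Return {uid: [account names]} for user IDs shared by more than one account.

    NFS identifies users only by the numeric ID the client presents, so two server
    accounts with the same UID own each other's files as far as NFS is concerned.
    """
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed record, skip rather than guess
        by_uid[int(fields[2])].append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(showmount_output: str, passwd: str) -> List[str]:
    """Produce one finding per issue: World exports first, then shared user IDs."""
    findings = []
    for path in world_exports(parse_showmount(showmount_output)):
        findings.append(f"{path} is exported to World: keep the server behind a firewall "
                        f"or restrict the export to specific client computers")
    for uid, names in sorted(duplicate_uids(passwd).items()):
        findings.append(f"user ID {uid} is shared by {', '.join(names)}: assign unique "
                        f"user IDs so NFS can tell these accounts apart")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOWMOUNT, SAMPLE_PASSWD):
        print(finding)
```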
Setting Up NFS Service

Configuring NFS Settings

The NFS settings let you set the maximum number of daemons and choose how you want to serve clients—via TCP, UDP, or both.

To configure NFS settings:
1 In Server Settings, click the File & Print tab.
2 Click NFS and choose Configure NFS.
3 Enter a value in the “Allow a maximum of __ daemons” field to set the maximum number of nfsd daemons you want to allow at one time.
An nfsd daemon is a server process that runs continuously behind the scenes and processes reading and writing requests from clients. The more daemons that are available, the more concurrent clients can be served. Typically, four to six daemons is adequate to handle the level of concurrent requests.
4 Choose how you want to serve data to your client computers.
Transmission Control Protocol (TCP) separates data into packets (small bits of data sent over the network using IP) and uses error correction to make sure information is transmitted properly.
User Datagram Protocol (UDP) doesn’t break data into packets, so it uses fewer system resources. It’s more scalable than TCP, and a good choice for a heavily used server. Do not use UDP, however, if remote clients are using the service.
Select both TCP and UDP unless you have a specific performance concern. TCP provides better performance for clients, and UDP puts a smaller load on the server.
5 Click Save.

Managing NFS Service

This section tells you how to perform day-to-day management tasks for NFS service once you have it up and running.

Stopping NFS Service

When the server starts up, a startup script checks to see if any NFS exports have been defined; if so, NFS starts automatically. If NFS is not running and you add exports, wait a few seconds for the service to launch. When the service is running, a globe appears on the service icon.

To stop NFS service:
• Delete all exports.
The globe on the service icon disappears. However, the nfsd daemons continue to run until the server is restarted.
Viewing NFS Service Status

You use Server Status to check the status of all Mac OS X Server devices and services.

To view NFS service status:
• In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select NFS in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
The Overview tab tells you whether or not the service is running and whether the mountd, nfsd, and portmap processes are running. The mountd process handles mount requests from client computers (only one mountd process will appear in the status window if you’ve defined any exports). The nfsd process responds to read/write requests from client computers that have mounted folders. The portmap process allows client computers to find nfs daemons (always one process).

Viewing Current NFS Exports

You can use the Terminal application to view a list of the current NFS exports.

To view current NFS exports:
• In Terminal, enter “showmount -e”.
If this command does not return results within a few seconds, there are no exports and the process is blocked (hung). Press Control-C to exit the showmount command and return to an active command line in your Terminal window.

Supporting Client Computers

This section describes the client computer requirements for using Mac OS X file services.

Supporting Mac OS X Clients

Apple file service requires the following Mac OS X system software:
• Mac OS X version 10.2
• TCP/IP connectivity
• AppleShare 3.7 or later
Go to the Apple support Web site at www.apple.com/support/ to find out the latest version of AppleShare client software supported by Mac OS X.

Connecting to the Apple File Server in Mac OS X

You can connect to Apple file servers by entering the DNS name of the server or its IP address in the Connect to Server window, or, if the server is registered with Network Service Location, you can select its name in the list of servers there.
Note: Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP.

To connect to the Apple file server in Mac OS X:
1 In the Finder, choose “Connect to Server” from the Go menu.
2 In the Connect to Server pane, do one of the following:
Select the name of the server in the list (if it appears there).
Type the DNS name of the server in the Address field. You can enter DNS names in any of the following forms:
dns
afp://dns
afp://dns/sharepoint
Type the server’s IP address in the Address field.
3 Click Connect.
4 Enter your user name and password, then click Connect.
5 Select the server volume you want to use and click OK.

Setting Up a Mac OS X Client to Mount a Share Point Automatically

As an alternative to using the automount feature of Apple file service, FTP, or NFS, Mac OS X clients can set their computers to mount server volumes automatically.

To set a Mac OS X client computer to mount a server volume automatically:
1 Choose Connect to Server from the Finder’s Go menu to mount the volume on the client computer.
2 Open System Preferences and select the Login pane.
3 Click Add, then locate the Recent Servers folder and double-click the volume you want automatically mounted.
The volume is added to the list of items in the Recent Servers folder in the user’s home Library folder. When the client user logs in the next time, the server—if available—will be mounted automatically. The client user can also add the server volume to Favorites and then use the item in the Favorites folder in the home Library.

Changing the Priority of Network Connections

Mac OS X uses its multihoming capabilities to support multiple network connections. When more than one connection is available, Mac OS X selects the best connection according to the order you specify in the Network preferences.
To change the priority of network connections:
1 Open the Network pane of System Preferences.
2 Choose a configuration set from the Location menu if you have configurations set up, or use Automatic.
3 Choose Active Network Ports from the Show pop-up menu.
4 Drag the connections in the Active Ports list into the desired order.
Mac OS X uses the first available connection from the top of the list.

Supporting Mac OS 8 and Mac OS 9 Clients

Apple file service requires the following Mac OS 8 or 9 system software:
• Mac OS 8 (version 8.6) or Mac OS 9 (version 9.2.2)
• TCP/IP
• AppleShare 3.7 or later
Go to the Apple support Web site at www.apple.com/support/ to find out the latest version of AppleShare client software supported by Mac OS 8 and Mac OS 9.

Connecting to the Apple File Server in Mac OS 8 or Mac OS 9

Apple file service does not support AppleTalk connections, so clients need to use TCP/IP to access file services. You can use AppleTalk to find Apple file servers, but the connection must be made using TCP/IP.

To connect to the Apple file server in Mac OS 8 or Mac OS 9:
1 Open the Chooser and click Server IP Address.
2 Enter the IP address or the name of the server in the window that appears and click Connect.
3 Enter your user name and password, then click Connect.
4 Select the volume you want to use and click OK.

Setting Up a Mac OS 8 or Mac OS 9 Client to Mount a Share Point Automatically

As an alternative to using the automount feature of AFP, FTP, or NFS, clients can set their computers to mount server volumes automatically.

To set a Mac OS 8 or Mac OS 9 client computer to mount a server volume automatically:
1 Use the Chooser to mount the volume on the client computer.
2 In the select-item dialog that appears after you log in, check the server volume you want to mount automatically.

Supporting Windows Clients

Mac OS X Server supports the native Windows file sharing protocol, Server Message Block (SMB).
SMB is also known as Common Internet File System (CIFS).

Mac OS X Server comes with built-in browsing and name resolution services for your Windows client computers. You can enable Windows Internet Naming Service (WINS) on your server, or you can register with an existing WINS server. Windows services in Mac OS X Server also provide Windows Master Browser and Domain Master Browser services. You do not need a Windows server or a primary domain controller on your network to allow Windows users to see your server listed in the Network Neighborhood window. Also, your Windows clients can be located on a subnet outside of your server’s subnet.

See “Ensuring the Best Cross-Platform Experience” on page 236 for information about setting up a dedicated share point for Windows users, and “Windows User Password Validation” on page 236 for information about different techniques of validating Windows user passwords.

TCP/IP

In order to have access to Windows services, Windows client computers must be properly configured to connect over TCP/IP. See your Windows networking documentation for information on TCP/IP configuration.

Using the Network Neighborhood to Connect to the Windows Server

Before trying to connect to the server from a Windows client computer, find out the workgroup or domain of both the client computer and the file server. You can find the workgroup name of a Windows client computer in the computer’s Network Neighborhood window. To find the server’s workgroup name, click the File & Print tab in Server Settings, then click Windows and choose Configure Windows Services.

To connect to a Windows server using the Network Neighborhood:
1 On the Windows client computer, open the Network Neighborhood window. If you are in the same workgroup or domain as the server, skip to step 4.
2 Double-click the Entire Network icon.
3 Double-click the icon of the workgroup or domain the server is located in.
4 Double-click the server’s icon.
5 Log in using your Windows login name.

Connecting to the Windows Server Without the Network Neighborhood

You can connect to the Windows server by double-clicking its name in the Network Neighborhood. You can also connect without using the Network Neighborhood.

To connect to the Windows server without the Network Neighborhood:
1 On the Windows client computer, choose Find from the Start menu, then choose Computer from the submenu.
2 Type the name or IP address of your Windows server.
3 Double-click the server to connect.
4 Log in using your Mac OS X Server login name.

Supporting NFS Clients

Consult your UNIX documentation or system administrator for information on managing mounts.

Solving Problems With File Services

Solving Problems With Apple File Service

User Can’t Find the Apple File Server
• Make sure the network settings are correct on the user’s computer and on the computer that is running Apple file service. If you can’t connect to other network resources from the user’s computer, the network connection may not be working.
• Make sure the file server is running. You can use a “pinging” utility to check whether the server is operating.
• If the user is searching for the server via AppleTalk (in the Chooser), make sure you’ve enabled browsing over AppleTalk in the Access pane of the Apple File Server Settings window, and that AppleTalk is active on both the server and the user’s computer.
• Check the name you assigned to the file server and make sure users are looking for the correct name.

User Can’t Connect to the Apple File Server
• Make sure the user has entered the correct user name and password. The user name is not case-sensitive, but the password is.
• Verify that logging in is enabled for the user in the Users & Groups module of Workgroup Manager.
• Check to see if the maximum number of client connections has been reached (in the Apple File Service Status window). If it has, other users should try to connect later.
• Make sure the server that stores users and groups is running.
• Verify that the user has AppleShare 3.7 or later installed on his or her computer. Administrators who want to use the admin password to log in as a user need at least AppleShare 3.8.5.
• Make sure IP filter service is configured to allow access on port 548 if the user is trying to connect to the server from a remote location. For more on IP filtering, see Chapter 15, “Firewall Service.”

User Doesn’t See Login Greeting
• Upgrade the software on the user’s computer. Apple file service client computers must be using AppleShare client software version 3.7 or later.

Solving Problems With Windows Services

User Can’t See the Windows Server in the Network Neighborhood
• Make sure users’ computers are properly configured for TCP/IP and have the appropriate Windows networking software installed.
• Enable guest access for Windows users. Guest access lets anyone on the network connect without a password, so enable it only for share points that are meant to be public.
• Go to the DOS prompt on the client computer and type “ping [IP address],” where “IP address” is your server’s address. If the ping fails, there is a TCP/IP problem.
• If users’ computers are on a different subnet from the server, you need a WINS server on your network, because browse announcements do not cross subnets on their own.

Note: If Windows computers are properly configured for networking and connected to the network, users can connect to the file server by name or IP address even if they can’t see the server icon in the Network Neighborhood window.

User Can’t Log in to the Windows Server
• If you are using Password Server to authenticate users, make sure it is configured correctly. See “Setting Up an Open Directory Domain and Password Server” on page 92.
• If you have user accounts created in a previous version of Mac OS X Server (version 10.1 or earlier) that are still configured to use Authentication Manager, make sure that Authentication Manager is enabled. Then reset the passwords of the existing users who will be using Windows services and have them try again. A reset is needed because Windows clients authenticate with a challenge-response hash that the server can only store when it sees the password being set.
See Understanding and Using NetInfo for information on how to use the command-line utilities to configure Authentication Manager. This document is available on the Mac OS X Server Web site: www.apple.com/macosx/server/

Solving Problems With File Transfer Protocol (FTP)

FTP Connections Are Refused
• Verify that the user is entering the correct DNS name or IP address for the server.
• Make sure FTP service is turned on.
• Make sure the user has appropriate access privileges to the shared volume.
• See if the maximum number of connections has been reached. To do this, click the Networking tab in Server Settings, click FTP, then choose Configure FTP.
• Verify that the user’s computer is configured correctly for TCP/IP. If there doesn’t appear to be a problem with the TCP/IP settings, use a “pinging” utility to check network connections.
• See if there is a DNS problem by trying to connect using the IP address of the FTP server instead of its DNS name. If the connection works with the IP address, there may be a problem with the DNS server.
• Verify that the user is correctly entering his or her short name and typing the correct password. User names and passwords with special characters or double-byte characters will not work. To find the user’s short name, double-click the user’s name in the Users & Groups list.
• See if there are any problems with directory services, and whether the directory services server is operating and connected to the network. For help with directory services, see Chapter 2, “Directory Services.”
• Verify that IP filter service is configured to allow access to the appropriate ports. If clients still can’t connect, see if the client is using FTP passive mode and turn it off. In passive mode the server, not the client, listens for the data connection on a dynamically chosen port, so the port filters set up in IP filter service must allow that port as well as port 21; in active mode the server opens the data connection back to a port the client has announced, which a filter on the server does not block. For a list of common TCP and UDP ports, see “Port Reference” on page 540.
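The data-connection behaviour that the passive-mode advice above relies on, shown as an added example that is not code from this guide or from Mac OS X Server. It parses the two RFC 959 messages that set up an FTP data connection, the server’s 227 reply to PASV and the client’s PORT command, and reports which side listens on the dynamically chosen port, which is the side whose port filter must allow the connection. The addresses in the sample exchange are constructed.

```python
"""Which side of an FTP session opens the data connection, and on which port.

Added example (not from the Mac OS X Server guide): decodes the RFC 959
PASV reply and PORT command so the reason a server-side port filter breaks
passive transfers but not active ones is visible.  Sample messages are
constructed, not captured from a real server.
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server after PASV.
_PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" sent by the client when passive mode is off.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _decode(match):
    """Turn the six comma-separated octets into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(line):
    """Return (host, port) the client must connect to for a passive transfer."""
    m = _PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % line)
    return _decode(m)


def parse_port_command(line):
    """Return (host, port) the server will connect to for an active transfer."""
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m)


def build_port_command(host, port):
    """Build the PORT command a client sends when passive mode is turned off."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (host.replace(".", ","), port >> 8, port & 0xFF)


def data_connection(mode, line):
    """Summarise the data connection for one mode: who listens, on which
    address and port, and therefore whose port filter has to allow it."""
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        return {"listener": "server", "host": host, "port": port,
                "filter_to_check": "server"}
    if mode == "active":
        host, port = parse_port_command(line)
        return {"listener": "client", "host": host, "port": port,
                "filter_to_check": "client"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # Constructed exchange: server 192.0.2.10 answers PASV with a high port;
    # in active mode the client 198.51.100.7 announces a port of its own.
    print(data_connection("passive", "227 Entering Passive Mode (192,0,2,10,195,88)"))
    print(data_connection("active", build_port_command("198.51.100.7", 49321)))
```

With passive mode the listening port lives on the server, so an IP filter rule that only admits port 21 stops the transfer at the data connection while the login still succeeds; with active mode the server connects outward, which is why turning passive mode off on the client works around a server-side filter.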
Clients Can’t Connect to the FTP Server
• See if the client is using FTP passive mode, and turn it off. In passive mode the server listens for the data connection on a dynamically chosen port, which can be blocked by the port filters set up in IP filter service.

Anonymous FTP Users Can’t Connect
• Verify that anonymous access is turned on.
• See if the maximum number of anonymous user connections has been reached. To do this, click the Networking tab in Server Settings, click FTP, then choose Configure FTP.

Where to Find More Information About File Services

For more information about the protocols used in Mac OS X Server file services, see these resources:
• Apple Filing Protocol (AFP): www.apple.com/developer/
• Server Message Block (SMB) protocol (for Windows file services): www.samba.org
• FTP: You can find a Request for Comments (RFC) document about FTP at the following Web site: www.faqs.org/rfcs/rfc959.html
RFC documents provide an overview of a protocol or service that can be helpful for novice administrators, as well as more detailed technical information for experts. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs
To obtain the UNIX manual pages for FTP, open the Terminal application in Mac OS X. At the prompt, type “man ftp” and press the Return key.
• NFS: To obtain the UNIX manual pages for NFS, open the Terminal application in Mac OS X. At the prompt, type “man nfs” and press the Return key.

Chapter 6 Client Management: Mac OS X

Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstations, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they are beginners in a classroom or advanced users in an office. Mac OS X Server saves user documents and preferences in a home directory, so your users can access their files from any Mac on your network.
Using Workgroup Manager, you can create user accounts and then set up groups to provide convenient and efficient access to resources. You can also use account settings and managed preferences to allow more or less flexibility, to suit the level of administrative control you want or need.

User management is the result of combining a user’s individual settings and preferences with the settings and preferences for the workgroup and computer he or she is using. The term managed client refers to a user, group, or computer whose access privileges and/or preferences are under administrative control. Managing clients gives you control over user access to applications, removable media, printers, computers, and system resources.

[Figure: client management covers computers and desktops; applications, folders and files; printers and volumes; and users and groups.]

This chapter summarizes certain aspects of Mac OS X client management, describes how to set up Mac OS X computer accounts using Workgroup Manager, and gives details about using managed preferences to customize and control the Mac OS X user experience. You’ll learn how to
• use Workgroup Manager to control user settings and privileges
• set up and manage computer accounts
• manage preference settings for users, groups, and computer accounts
• set up and manage mobile computers

Transition Strategies for Mac OS X Client Management

If you currently manage your Mac OS 9 or Mac OS 8 clients using Macintosh Manager and you want to upgrade to Mac OS X, download “Upgrading to Mac OS X Server” from the Web site listed below: www.apple.com/macosx/server/

The User Experience

This section describes both the actual user experience and the server processes for Mac OS X managed clients.

Logging In

When a managed client computer starts up, a login dialog box appears. Depending on the login settings selected, a user either types his or her user name or chooses it from a list. Note that a list reveals valid account names to anyone standing at the computer, so on computers in public areas it is preferable to have users type their names.
The user name and password are verified by directory services, and then the server returns a list of workgroups for that user and the user selects a workgroup. The user’s environment, privileges, and preferences are determined by the settings chosen for that user, the selected workgroup, and the computer he or she uses.

When you create user accounts, the login settings determine the user experience. If you allow simultaneous login, the user can log in to more than one computer at the same time.

Note: Simultaneous login is not recommended for most users. You may want to reserve simultaneous login privileges for technical staff, teachers, or other users with administrator privileges.

Locating the Home Directory

User documents are stored in a user’s home directory, which users can access by clicking the Home icon in a Finder window’s toolbar. For more about home directories, see Chapter 3, “Users and Groups.”

Important: If you need to manage Mac OS 9 or Mac OS 8 clients, read Chapter 10, “Client Management: Mac OS 9 and OS 8.”

Before You Begin

You should consider taking advantage of client management if
• you want to provide users with a consistent, controlled interface while allowing them to access their documents from any computer
• you want to control privileges on mobile computers
• you want to reserve certain resources for only specific groups or individuals
• you need to secure computer usage in key areas such as administrative offices, classrooms, or open labs

Before you set up computer accounts or managed preferences for users, groups, or computers, be sure you follow these preliminary steps.

Step 1: Make sure your computers meet minimum requirements

Client Computer Software Requirements
• Mac OS X v. 10.2 as the primary operating system

Note: Workgroup Manager is not used to manage Mac OS 9 or Mac OS 8 clients.
Client Computer Hardware Requirements
• Macintosh computer with a G3 processor or better (except the original PowerBook G3 or upgraded PowerPC processors)
• 128 megabytes (MB) of physical random access memory (RAM)
• 1.5 gigabytes (GB) of disk space available

Administrator Computer Software Requirements
• Mac OS X Server v. 10.2 installed

Administrator Computer Hardware Requirements
• Macintosh computer with a G3 processor or better (except the original PowerBook G3 or upgraded PowerPC processors)
• 128 MB of RAM
• 4 GB of available disk space

Step 2: Create a shared domain to store account information

Use Open Directory Assistant to set up a shared domain where you can store user, group, and computer account information. For more information about domain hierarchies and how to use Open Directory Assistant, see Chapter 2, “Directory Services.”

Step 3: Make sure users and their home directories exist

Use Workgroup Manager to set up user accounts and home directories. Once users are created in Workgroup Manager, they are ready to be managed on Mac OS X clients. You can set up various privileges (such as print or mail quotas) for users as you create them.

Home directories can be stored on an Apple Filing Protocol (AFP) server. You can set up group volumes as AFP share points and add additional share points if you need them. Each user you want to manage must have a home directory. If no home directory exists for a user, he or she cannot log in. See Chapter 3, “Users and Groups,” for information about how to create users, define user privileges, and set up home directories.

Designating Administrators

For Mac OS X clients, the server administrator has the greatest amount of control over other users and their privileges. The server administrator can create users, groups, and computer accounts and assign settings, privileges, and managed preferences for them.
He or she can also create other server administrator accounts, or give some users (for example, teachers or technical staff) administrative privileges within certain directory domains. These “directory domain administrators” can manage users, groups, and computer accounts within the limits assigned to them by the server administrator. For more information about assigning administrative privileges to users with network accounts, see Chapter 3, “Users and Groups.”

Setting Up User Accounts

If you use Workgroup Manager to manage your Mac OS X clients, you can set some privileges when you set up accounts. You can use “presets” like templates to apply various settings automatically when you create an account. See Chapter 3, “Users and Groups,” for more information about how to set up user accounts.

Depending on your needs, you may want to set up local user accounts in addition to network user accounts. A network user has a user account associated with Mac OS X Server, and you can allow that user to log in from various computers on your network. A local user has an account associated with a specific client computer, and his or her local account is independent of any network user account and of local accounts on other computers. An individual user may have both a network account that provides access to network services and a separate local account on a specific computer.

You can set up managed preferences for any user with a network account, but the most convenient way to manage network users is by managing preferences for the groups to which they belong. This makes it easier to manage users regardless of which computer they use.

If users have local accounts on specific computers, you can still manage their user preferences on the client computer without using Workgroup Manager.
However, it may be more useful to manage local users indirectly by using Workgroup Manager to manage preferences for the client computer and for the groups that can access that computer. These group and computer preferences are cached for offline use, making this preference configuration especially useful for mobile computers. If a user on a mobile computer disconnects from the network, he or she is still managed.

You can set up managed preferences for users after you create the user accounts. For more information about managed preferences and how to use them, see “Managing Preferences” on page 282.

Setting Up Group Accounts

Although Mac OS X users are not required to be added to group accounts in order to be managed, groups are still very important for efficient and effective client management. For example, you can use groups to provide users with the same access privileges to media, printers, and volumes. For more information about how to create group accounts using Workgroup Manager, see “Administering Group Accounts” on page 165.

Managed preferences assigned to a particular group apply to all users in that group. However, managed user preferences may take precedence over group preferences. You can set up managed preferences for groups after you create the group account. For more information about how to manage preferences, see “Managing Preferences” on page 282.

Setting Up Computer Accounts

A computer account is a list of computers that have the same preference settings and are available to the same users and groups. You can create and modify computer accounts in Workgroup Manager. Computer accounts that you set up appear in the list on the left side of the window. The list of computer accounts is searchable. Settings appear in the List, Access, and Cache panes on the right side of the window.

When you set up a computer account, make sure you have already determined how computers will be identified.
Use descriptions that are logical and easy to remember (for instance, the description might be the computer name). You must use the “on board” or built-in Ethernet address for a computer’s Address information. This address is unique to each computer. The client computer uses this data to find its preference information when a user logs in. You can browse for a computer, and Workgroup Manager will enter the computer’s Ethernet address and name for you.

When a computer starts up, it checks directory services for a computer account record that contains its Ethernet address and uses the settings for that computer account. If no record is found, the computer uses the settings for the Guest Computers computer account. Because the client reports its own Ethernet address and performs the lookup itself, a computer account selects management settings for the machine; it does not verify which machine is connecting.

You can set up managed preferences for computer accounts after you create them. For more information about managed preferences and how to use them, see “Managing Preferences” on page 282.

If you want a directory domain administrator to edit computer accounts, add or delete computers from a list, or edit computer account preferences, you must give that administrator those privileges. You can assign an administrator privileges for all computer accounts or for a set of specific computer accounts. For more information about assigning administrative privileges, see Chapter 3, “Users and Groups.”

Creating a Computer Account

You can use a computer account to assign the same privileges and preferences to multiple computers. You can add up to 2000 computers to a computer account.

To set up a computer list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to open the directory domain where you want to store the new account, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Click New Record, then type in a list name.
6 To add a computer to the list, click Add and type the computer’s Ethernet address in the Address field.
Alternatively, you can click Browse, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
7 Type a description, such as the computer name.
8 Type a comment. Comments are useful for providing additional information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals. You could also use the comment for additional identification information, such as the computer’s model or serial number.
9 Continue adding computers until your computer list is complete.
10 Save the account.

Note: Computers cannot belong to more than one list, and you cannot add computers to the Guest Computers account.

Creating a Preset for Computer Accounts

You can select settings for a computer account and save them as a “preset.” Presets work like templates, allowing you to apply preselected settings and information to a new account. Using presets, you can easily set up multiple computer accounts with similar settings. You can use presets only during account creation. You cannot use a preset to modify an existing computer account.

To set up a preset for computer accounts:
1 Open Workgroup Manager.
2 Use the At pop-up menu to open the directory domain where you want to create computer accounts using presets, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 To create a new preset from a blank account, first create a new computer account. To create a preset using data in an existing computer account, open the account.
6 In each settings pane, fill in the information you want to use in the preset.
7 Choose Save Preset from the Presets pop-up menu.

After you create a preset, you can no longer change its settings, but you can delete it or change its name. To change a preset’s name, choose the preset from the Presets pop-up menu, then choose Rename Preset.
To delete a preset, choose the preset from the Presets pop-up menu, then choose Delete Preset.

Using a Computer Accounts Preset

When you create a new computer account, you can choose any preset from the Presets pop-up menu to apply initial settings, but you can still change the account settings to meet your needs. Until you save the account information, changing to a different preset overwrites the earlier information. Once the account is saved, the Presets menu dims and cannot be used again for that account.

To use a preset for computer accounts:
1 Open Workgroup Manager.
2 Use the At pop-up menu to open the directory domain where you want to store the new account, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Choose the preset you want to use from the Presets pop-up menu.
6 Create a new account.
7 Add or update settings as needed, then save the account.

Adding Computers to an Existing Computer Account

You can easily add more computers to an existing list. However, you cannot add computers to the Guest Computers list.

To add additional computers to a list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Select the account to which you want to add computers.
6 If you are using presets, select one from the Presets pop-up menu.
7 Click Add, then type the computer’s Ethernet address in the Address field. Alternatively, you can click Browse, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
8 Type a description, such as the computer name.
9 Type a comment. Comments are useful for providing additional information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals.
You could also use the comment for additional identification information, such as the computer’s model or serial number.
10 Click Save.
11 Continue adding computers and information until your list is complete.

Editing Information About a Computer

After you add a computer to a computer account, you can edit its information when necessary.

To change computer information:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Select a computer account.
6 In the List pane, select the computer whose information you want to edit, and click Edit.
7 Change information in the information fields as needed.

Moving a Computer to a Different Computer Account

Occasionally, you may want to group computers differently. Workgroup Manager lets you conveniently move computers from one list to another. Computers cannot belong to more than one list, and you cannot move computers to the Guest Computers account.

To move a computer from one list to another:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Select a computer account.
6 In the List pane, select the computer you want to move, and click Edit.
7 Select a new computer account in the “Move to list” pop-up menu, and click OK.

Deleting Computers From a Computer List

When you delete a computer from a computer account, that computer is no longer managed by that account; at its next startup it finds no record for its Ethernet address and uses the Guest Computers account settings instead.

To delete a computer from a list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Select a computer account.
6 In the List pane, select one or more computers in that account’s computer list.
7 Click Remove.

Deleting a Computer Account

If you no longer need an entire computer account, you can delete it. The Guest Computers account is handled separately; see “Managing Guest Computers” on page 277.

To delete a computer account:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Select a computer account.
6 Choose “Delete Selected Computer List” from the Server menu.

Searching for Computer Accounts

Workgroup Manager has a search feature that allows you to find specific computer accounts quickly. You can search within a selected domain and filter search results.

To search for computer accounts:
1 Open Workgroup Manager.
2 Click the lock and enter your user name and password.
3 Click Accounts, then click the Computers tab.
4 Using the At pop-up menu below the computer accounts list, limit your search to one of the following locations:
   Local Directory: Search for account records on local volumes only.
   Search Path: Search for account records using the path defined in Directory Setup for the computer where you are logged in (for example, myserver.mydomain.com).
   Other: Browse and select an available directory domain to search for account records.
5 Select an additional filter from the filter pop-up menu next to the search field, if you wish.
6 Type search terms in the search field, then press Return.

Managing Guest Computers

If an unknown computer (one that isn’t already in a computer account) connects to your network and attempts to access services, that computer is treated as a “guest.” Settings chosen for the Guest Computers account apply to these unknown or “guest” computers.
Using the Guest Computers account is not recommended for large numbers of computers. Most of your computers should belong to regular computer lists.

During server software installation, a guest computer record is automatically created only in the original directory domain. Afterward, a server administrator can create additional guest computer accounts in other directory domains. After the account is created, “Guest Computers” appears in the list of computer accounts. Each directory domain can have only one guest computer account. Depending on network organization and setup, you may not be able to create a guest computer account in certain directory domains.

Note: You cannot add or move computers to the Guest Computers account, and you cannot change the list name.

To set up the Guest Computers account:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the guest computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab.
5 Select Guest Computers in the account list.
6 Click List, then select a Preferences setting. Select Enable if you want to set up managed preferences. If you select this option, click Cache and set how often you want to update preferences. Select Inherit if you want guest computers to have the same managed preference settings as the parent server.
7 Click Access and select the settings you want to use.
8 Click Cache and set an interval for clearing the preferences cache, then click Save.

After you set up the Guest Computers account, you can manage preferences for it if you wish. For more information about using managed preferences, see “Managing Preferences” on page 282.

If you do not select settings or preferences for the Guest Computers account, guest computers are not managed.
However, if the person using the computer has a Mac OS X Server user account with managed user or group preferences, those settings still apply when the user connects to your network and logs in. If the user has an administrator account on the computer, he or she can choose not to be managed at login. Managed preferences therefore constrain only users without local administrator rights; they are not a control against anyone who holds a local administrator password. Unmanaged users can still use the “Go to Folder” command to access a home directory on the network.

To delete the Guest Computers account, select the account in the list of computer accounts, then choose Delete from the Edit menu.

Working With Access Settings

Settings in the Access pane let you make computers in a list available to users in groups. You can allow only certain groups to access computers in a list, or you can allow all groups (and therefore all users) to access the computers in a list. You can also control certain aspects of local user access.

Restricting Access to Computers

You can reserve computers so that only certain users have access to them. This can make it easier to provide access to limited resources. For example, if you have two computers set up with the appropriate hardware and software needed to import and edit video, you can reserve those computers for users who need to do video production. First, make sure the user accounts exist, then add the users to a “video production” group, then give only that group access to your video production computers.

Note: A user with a local administrator account may always log in.

To reserve computers for specific groups:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab.
5 Select a computer account, then click Access.
6 Select “Restrict to groups below.”
7 Click Add, then select one or more groups and drag them to the list.
To remove an allowed group, select it and click Remove.

Making Computers Available to All Users

If you want, you can make computers in a list available to any user in any group account you set up.

To make computers available to all users:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab.
5 Select a computer account, then click Access.
6 Select “All groups can use the computer.”

Using Local User Accounts

Local accounts are useful for both stationary and mobile computers with either single or multiple users. Anyone with a local administrator account on a client computer can create local user accounts using the Accounts pane of System Preferences. Local users authenticate locally.

If you plan to supply individuals with their own portable computers (iBooks, for example), you may want to make the user a local administrator for the computer. A local administrator has more privileges than a local or network user. For example, a local administrator can add printers, change network settings, or choose not to be managed.

The easiest way to manage preferences for local user accounts is to manage preferences for the computer that has those local accounts and for the workgroups assigned to the computer.

To provide access for users with local accounts:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Accounts.
3 Click the lock and enter your user name and password.
4 Click the Computers tab.
5 Select a computer account that contains computers with local users, then click Access.
6 The account you select must allow local users to log in. Make sure “Allow users with local-only accounts” is selected.
7 If you want local users to see a list of all available workgroups during login, select “All groups can use the computer.”
8 If you want to show only certain workgroups to users during login, select “Restrict to groups below,” and add groups to the list.
9 Click Save.

Managing Portable Computers

It is important to plan how you want to manage portable computers that have access to your network. This section gives suggestions for managing portable computers used by either multiple users or an individual user.

Unknown Portable Computers

To manage users who have their own personal portable computers running Mac OS X system software, you can use the Guest Computers account to apply computer-level management for unknown or “guest” computers on your network. If these users log in using a Mac OS X Server user account, user and group managed preferences and account settings also apply. For more information about setting up the Guest Computers account for Mac OS X users, see “Managing Guest Computers” on page 277. For information about managing unknown portable computers that use Mac OS 9 or OS 8 system software, see “Providing Quick Access to Unimported Users” on page 429.

Portable Computers With Multiple Local Users

One example of shared portable computers is an iBook Wireless Mobile Lab. An iBook Wireless Mobile Lab contains either 10 or 15 student iBooks (plus an additional iBook for an instructor), an AirPort base station, and a printer, all on a mobile cart. The cart lets you take the computers to your users (for example, from one classroom to another).

To manage the iBooks on your cart, create identical generic local user accounts on each computer (for example, all the accounts could use “Math” as the user name and “student” as the password). You might want to create different generic local accounts for different purposes, such as one for a History class, one for a Biology class, and so on.
Each account should have a local home directory and should not have administrative privileges. Use a separate local administrator account on each computer to allow server administrators (or other individuals) to perform maintenance tasks and upgrades, install software, and administer the local user accounts.

After creating the local user accounts, add each of the computers to a computer list, then manage preferences for that list. Because multiple users can store items in the local home directory for the generic account, you may want to periodically clean out that folder as part of your maintenance routine.

Portable Computers With One Primary Local User

There are two ways to set up portable computers for a single user.

• The user does not have administrator privileges, but has a local account. Set up a local administrator account on the computer (do not give the user information about this account), then set up a local account for the user. Users with local accounts that do not have administrator privileges cannot install software and can only add or delete items in their own home directories. A local user can share items with other local users by using the Public folder in his or her local home directory.

• The user is the administrator for the computer. If the user is the local administrator, he or she can choose during login whether or not to be managed. For example, in order to access servers at school, the user should choose to be managed at login, but at home he or she may prefer not to be managed since access to the school servers may not be available. If the user also has a Mac OS X Server user account and network access is available, it may still be preferable to log in using the local account in order to reduce network traffic. The user can connect to his or her network home directory (to store or retrieve documents, for example) via the “Go to Folder” command in the Finder’s Go menu.
Using Wireless Services

You can provide wireless network service to managed clients using AirPort, for example. When a user with a portable computer leaves the wireless area or changes to a different network directory server (by moving out of one wireless area and into another), client management settings may be different. Users may notice that some network services, such as file servers, printers, shared group volumes, and so forth, are unavailable from the new location. Users can purge these unavailable resources by logging out and logging in again.

If you need more information about using Airport, consult Airport documentation or visit the Web site: www.apple.com/airport/

How Workgroup Manager Works With System Preferences

Workgroup Manager allows administrators to set and lock certain system settings for users on their network. You can set preferences once and allow users to change them, you can keep preferences under administrative control at all times and allow no user changes, or you can choose not to impose any settings at all.

In addition to various settings for users, groups, and computer accounts, Workgroup Manager provides control over these preferences:

Preference pane   What you can manage
Applications      Applications and system preferences available to users
Classic           Classic startup settings, sleep settings, and the availability of Classic items such as Control Panels
Dock              Dock location, behavior, and items
Finder            Finder behavior, desktop appearance and items, and availability of Finder menu commands
Internet          Email account preferences and Web browser preferences
Login             Login window appearance and items that open automatically when a user logs in
Media Access      Settings for CDs, DVDs, and recordable discs, plus settings for internal and external disks such as hard drives or floppy disks
Printer           Available printers and printer access

Managing Preferences

In Workgroup Manager, information about users, groups, and computer accounts is integrated with directory services. Once you’ve set up users, groups, and computer accounts, you do not have to import them into a separate tool in order to manage them on Mac OS X client computers. Managing preferences means you can control settings for certain system preferences in addition to controlling user access to system preferences, applications, printers, and removable media.

Workgroup Manager stores information about settings and preferences in user, group, or computer records on the Mac OS X server. Group preferences are stored on the group volume. User preferences are stored in the user’s home directory (the Home folder on Mac OS X clients).

After user, group, and computer accounts are created, you can start managing preferences for them using the Preferences pane in Workgroup Manager. To manage preferences for Mac OS X clients, you must make sure each user you want to manage has a home directory. If a user doesn’t have a home directory, he or she will not be able to log in. For information about how to set up a group volume or how to set up home directories for users, see Chapter 3, “Users and Groups.”

About the Preferences Cache

Only local user accounts use a preference cache. The preference cache is created on the local hard drive when a user logs in. The cache stores only preferences for the computer account to which that computer belongs and preferences for groups associated with that computer, but this can influence how a user is managed offline.

The cached preferences can help you manage local user accounts on portable computers even when they are not connected to a network. For example, you can create an account for the set of computers you want to manage, and then manage preferences for the computer accounts. Next, make these computers available to groups, then manage preferences for the groups.
Finally, set up local user accounts on the computers, and associate those users with the groups you already manage. Now, if a user goes offline or disconnects from your network, he or she is still managed by the computer and group preferences in the cache.

Updating the Managed Preferences Cache

You can update a user’s managed preference cache regularly. This setting applies only to computer accounts. The computer checks the server for updated preferences according to the schedule you set.

To set an update interval for the managed preferences cache:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then click Preferences.
3 Click the lock and enter your user name and password.
4 Click the Computers tab and select a computer account in the list.
5 Click Cache.
6 Type in a number representing how frequently you want to update the cache, then choose an update interval (seconds, minutes, hours, days, or weeks) from the pop-up menu. For example, you could update the cache every 5 days.

Updating Cached Preferences Manually

When you need to, you can manually update the managed preferences cache for every computer in a selected computer list. When the cache is updated manually, it will not be updated again automatically until the set interval has passed.

To update the managed preferences cache:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the computer account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Click the Computers tab and select a computer account from the list.
5 Click Cache, then click “Update the Cache.”

How Preference Management Works

Managed preference settings can be applied to user, group, or computer accounts.
The final set of preferences a user has is a combination of preference settings for his or her own user account, preferences for the workgroup chosen at login, and preferences for the computer he or she is currently using. For some preferences, such as Finder preferences, user settings override group settings and group settings override computer settings. Other preferences, such as printer preferences, have an additive result. For example, the final list of printers available to a user is a combination of the computer printer list, the group printer list, and the user’s printer list. Preferences for applications, Dock items, and login items behave in a similar manner.

In some cases, you may find it easier and more useful to set certain preferences for only one type of record. For example, you could set printer preferences only for computers, set application preferences only for workgroups, and set Dock preferences only for users. In such a case, no override or addition occurs for these preferences because the user inherits them without competition.

[Figure: how preferences combine. Columns: Preferences, Computer (C), Group (G), User (U), C+G+U. Rows: Added, Overridden, Inherited.]

Preference Management Options

When you manage preferences for a user, group, or computer account, you can choose to set the preferences once, always, or never using radio buttons in the management bar.

Managing a Preference Once

If you want to manage a preference initially for users, but allow them to make changes if they have that privilege, select Once in the management bar. When a user logs in, preference files in his or her home directory are updated with any preferences that are managed “once.” These preference files are time stamped. If you update settings for a preference that is managed once, Workgroup Manager applies the most recent version to the user’s preference files the next time he or she logs in.

For some preferences, such as Classic preferences or Media Access preferences, Once is not available.
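The combination rules described under “How Preference Management Works” (override for Finder-type preferences, additive for printers, applications, Dock items and login items, inheritance when only one record manages a preference) and the Once/Always/Never semantics, as an added model written for this page; it is not Apple’s code, and the preference names, the time-stamp comparison used for Once-managed preferences and all sample values are constructed assumptions.

```python
"""Added example (not from the Apple guide): a small model of how Workgroup
Manager combines a managed preference across computer, group and user records
and what a user ends up with at login.

Assumptions (constructed): preference names, the time-stamp comparison used
for Once-managed preferences, and all sample values."""
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

# Management-bar settings.
NEVER, ONCE, ALWAYS = "never", "once", "always"

# Preferences the guide describes as additive; everything else overrides
# (user settings beat group settings, group settings beat computer settings).
ADDITIVE = {"printers", "applications", "dock_items", "login_items"}


@dataclass
class Record:
    """One preference as stored in a computer, group or user record."""
    mode: str                  # NEVER, ONCE or ALWAYS
    value: Any = None          # a list for additive preferences, a scalar otherwise
    stamp: int = 0             # time stamp of the admin's last change (constructed)


@dataclass
class Effective:
    value: Any
    mode: str                  # ONCE or ALWAYS after merging
    stamp: int
    how: str                   # "inherited", "added" or "overridden", as in the guide's figure


def merge(pref: str, computer: Optional[Record], group: Optional[Record],
          user: Optional[Record]) -> Optional[Effective]:
    """Combine one preference across C, G and U. Returns None when no level manages it."""
    levels = [computer, group, user]                       # least to most specific
    managed = [r for r in levels if r is not None and r.mode != NEVER]
    if not managed:
        return None
    # A preference forced (Always) at any contributing level stays forced.
    mode = ALWAYS if any(r.mode == ALWAYS for r in managed) else ONCE
    stamp = max(r.stamp for r in managed)
    if len(managed) == 1:                                  # no competition: inherited as-is
        return Effective(managed[0].value, mode, stamp, "inherited")
    if pref in ADDITIVE:                                   # computer list, then group, then user
        combined: List[Any] = []
        for r in managed:
            for item in r.value:
                if item not in combined:
                    combined.append(item)
        return Effective(combined, mode, stamp, "added")
    # Override: the most specific managed level wins.
    return Effective(managed[-1].value, mode, stamp, "overridden")


@dataclass
class HomeFile:
    """The user's own preference file in the home directory, carrying the stamp
    of the last Once-managed value written into it (constructed model)."""
    value: Any
    applied_stamp: int


def apply_at_login(eff: Optional[Effective],
                   home: Optional[HomeFile]) -> Tuple[Any, Optional[HomeFile]]:
    """Return what the user gets after login and the home file as it looks afterwards."""
    if eff is None:                                        # Never: the user's own setting stands
        return (home.value if home else None), home
    if eff.mode == ALWAYS:                                 # Always: the admin value wins at every login
        return eff.value, home
    # Once: the admin value is written only when the admin record is newer than the
    # copy already applied; a later user edit survives until the admin changes it again.
    if home is None or eff.stamp > home.applied_stamp:
        return eff.value, HomeFile(eff.value, eff.stamp)
    return home.value, home


if __name__ == "__main__":
    # Constructed sample: printers are managed additively on all three records.
    printers = merge("printers",
                     Record(ALWAYS, ["Lab LaserWriter"], 10),
                     Record(ALWAYS, ["Math Printer"], 11),
                     Record(ALWAYS, ["Lab LaserWriter", "Teacher Inkjet"], 12))
    print(printers.how, printers.value)   # added ['Lab LaserWriter', 'Math Printer', 'Teacher Inkjet']

    # Finder environment: the user record overrides group and computer.
    finder = merge("finder_env", Record(ALWAYS, "normal", 1),
                   Record(ALWAYS, "simplified", 2), Record(ALWAYS, "normal", 3))
    print(finder.how, finder.value)       # overridden normal

    # Dock position managed Once at group level only; the user moved it after the
    # admin's last change, so the user's choice survives the next login.
    dock = merge("dock_position", None, Record(ONCE, "bottom", 5), None)
    value, _ = apply_at_login(dock, HomeFile("left", applied_stamp=5))
    print(dock.how, value)                # inherited left
```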
For those preferences, you can only select Never or Always.

Always Managing a Preference

You can force preference settings for a user by selecting Always in the management bar. The next time the user logs in, the preference reverts to the original settings chosen by the administrator even if the user is allowed to change the settings. Preferences that are “always” managed are stored in the /Library/Managed Preferences folder.

Never Managing a Preference

If you don’t want to manage settings for a preference at all, select Never in the management bar. If you provide users with access to an unmanaged preference, they can change settings as they wish. “Never” is the default setting for all preferences.

Managing User Preferences

You can manage preferences for individual users as needed. However, if you have large numbers of users, it may be more efficient to manage most preferences by group and computer instead. You might want to manage preferences at the user level only for specific individuals, such as directory domain administrators, teachers, or technical staff.

You should also consider which preferences you want to leave under user control. For example, if you aren’t concerned about where a user places the Dock, you might want to set Dock Display management to Never.

To manage user preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the user account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Click the Users tab and select a user account in the account list.
5 Click the icon for the preference you want to manage.
6 In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts.
Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
7 When you are finished, click Apply Now.

Managing Group Preferences

Group preferences are shared among all users in the group. Setting some preferences only for groups instead of for each individual user can save space, especially when you have large numbers of managed users. Because users can select a workgroup at login, they have the opportunity to choose a group with managed settings appropriate to the current task, location, or environment. It can be more efficient to set preferences once for a single group instead of setting preferences individually for each member of the group.

To manage group preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the group account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a group account in the account list.
5 Click the icon for the preference you want to manage.
6 In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts. Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
7 Click Apply Now.

Managing Computer Preferences

Computer preferences are shared among all computers in a list. In some cases, it may be more useful to manage preferences for computers instead of for users or groups.

To manage computer preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the user account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a computer account in the account list.
5 In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use. Some management settings are not available for some settings, and some preferences are not available to some types of accounts. Two preferences (Printing and Media Access) allow only one management setting that applies to all options for that preference.
6 In each tab for that preference, select the settings you want to use.
7 Click Apply Now.

Editing Preferences for Multiple Records

You can edit preferences for more than one user, group, or computer account at a time. If some settings are not the same for two or more accounts, you may see a “mixed-state” slider, radio button, checkbox, text field, or list. For sliders, radio buttons, and checkboxes, a dash is used to indicate that the setting is not the same for all selected accounts. For text fields, the term “Varies...” indicates a mixed state. Lists show a combination of items for all selected accounts.

If you adjust a mixed-state setting, every account will have the new setting you choose. For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts will have a large-size Dock.

Disabling Management for Specific Preferences

After you set up managed preferences for any account, you can turn off management for specific preference panes by setting the management setting to Never.

To selectively disable preference management:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the icon for a preference that is currently being managed.
6 Click the tab containing the preference settings you no longer want to manage. Two preferences (Printing and Media Access) do not have a management settings bar for each tab. Instead, a management bar is displayed above the tabs.
7 Select Never in the management settings bar.
8 Click Apply Now.

When you change the preference management settings, the new setting applies to all items in the active preference pane. If you want to disable all preference management for an individual preference (for example, Dock), make sure the management setting is set to Never in each pane of that preference.

Managing Applications Preferences

Use Applications settings to provide access to applications and to select which items appear in System Preferences.

Applications Items Preferences

Applications Items settings let you create lists of “approved” applications users are allowed to open, and you can allow users to open items on local volumes.

Creating a List of Approved Applications

You need to provide access to the applications you want users to open. To do this, use Items settings for the Applications preference and create a list of “approved” applications. If an application is not on the list, a user cannot open it. You can, however, allow applications to open “helper applications” that are not listed.

You can make applications available to multiple users by managing Items settings for the Applications preference for groups or computer accounts. You can also set this preference for individual users.

To add applications to a user’s list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Applications preference icon, then click Items.
6 Set the management setting to Always.
7 Click Add to browse for the application you want, then add it to the list. To select multiple items, hold down the Command key.
8 When you have finished adding applications to the list, click Apply Now.

Preventing Users From Opening Applications on Local Volumes

When users have access to local volumes, they can access applications on the computer’s local hard drive, in addition to approved applications on CDs, DVDs, or other external disks. If you don’t want to allow this, you can disable local volume access.

To prevent access to local applications:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Applications preference icon, then click Items.
6 Set the management setting to Always.
7 Deselect “User can open items on local volumes.”
8 Click Apply Now.

Managing Application Access to Helper Applications

Sometimes, applications need to use “helper applications” for tasks they cannot complete themselves. For example, if a user tries to open a Web link in an email message, the email application might need to open a Web browser application to display the Web page.

When you make an application list available for users, groups, or computer accounts, you may want to include common helper applications in that list. For example, if you give users access to an email application, you might also want to add a Web browser, a PDF viewer, and a picture viewer to avoid problems opening and viewing email contents or attached files.

When you set up a list of “approved” items in the Applications preference settings, you can choose whether to allow applications to use helper applications that aren’t in the “approved” items list.

To manage access to helper applications:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Applications preference icon, then click Items.
6 Set the management setting to Always.
7 If you have not already created a list of approved applications, do so now. Click Add to browse for the application you want to add to the list. To remove an application from the list, select it and click Remove. If you want to allow helper applications, be sure those applications are added to the list.
8 Select “Allow approved applications to open non-approved applications” to allow access to helper applications. Deselect this option to disable it.
9 Click Apply Now.

Applications System Preferences

You can choose which system preferences users see when they open System Preferences.

Managing Access to System Preferences

When you show an item in System Preferences, a user can open the preference, but may or may not be able to change its settings. For example, if you set preference management for the Dock to Always and you make Dock preferences available in System Preferences, a user can view the settings but cannot make any changes.

Some System Preferences may not be available on your administrator computer. You should either install the missing preferences on the administrator computer you are using, or you should use Workgroup Manager on an administrator computer that has those preferences installed.

To manage access to System Preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Applications preference icon.
5 Click System Preferences.
6 Set the management setting to Always.
7 Deselect the Show checkbox for each item you do not want to display in a user’s System Preferences. Click Show None to deselect every item in the list. Click Show All to select every item in the list.
8 Click Apply Now.

Managing Classic Preferences

Classic Preferences are used to set Classic startup options, select the Classic System Folder and set sleep options for Classic, and make certain Apple menu items available to users.

Classic Startup Preferences

Startup settings affect what happens when Classic starts.

Making Classic Start Up After a User Logs In

If users often need to work with applications that run in Classic, it is convenient to have Classic start up immediately after a user logs in.

To start Classic after login:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Classic preference icon, then click Startup.
6 Set the management setting to Always.
7 Select “Start up Classic on login to this computer.”
8 If you don’t want users to see the Classic startup screens, select “Hide Classic while starting.”
9 Select “Warn at Classic startup” to show an alert when Classic starts.
10 Select “Show Classic in the menu bar” to place a Classic icon in the menu bar.
11 Click Apply Now.

Choosing a Classic System Folder

If the name of the hard disk or volume containing the Mac OS 9 System Folder is Macintosh HD, you do not have to specify a Classic System Folder. If you want to use a specific Mac OS 9 System Folder when Classic starts up, you can specify it in the Classic preference pane in Workgroup Manager.

To choose a specific Classic System Folder:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Classic preference icon, then click Startup.
6 Set the management setting to Always.
7 Type in the path to the Classic System Folder you want to use (make certain the path you specify does not contain errors), or use Choose to browse for the folder you want.
8 Click Apply Now.

Classic Advanced Preferences

Advanced preference settings for Classic let you control items in the Apple menu, Classic sleep settings, and the user’s ability to turn off extensions or rebuild Classic’s desktop file during startup.

Allowing Special Actions During Restart

You can allow users to perform special actions, such as turning off extensions or rebuilding Classic’s desktop file, when they restart computers. You may want to allow this privilege for specific users, such as members of your technical staff.

To allow special actions during restart:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Classic preference icon, then click Advanced.
6 Set the management setting to Always.
7 Select “Allow special startup modes.”
8 Click Apply Now.

Keeping Control Panels Secure

If you don’t want users to have access to Mac OS 9 control panels, you can remove the Control Panels item from the Apple menu.

To prevent access to Control Panels:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Classic preference icon.
5 Click Advanced, and set the management setting to Always.
6 Select “Hide Control Panels.”
7 Click Apply Now.

Preventing Access to the Chooser and Network Browser

If you don’t want users to have access to the Chooser or Network Browser in Classic, you can remove these items from the Apple menu.

To remove the Chooser and Network Browser from the Apple menu:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Classic preference icon.
5 Click Advanced and set the management setting to Always.
6 Select “Hide Chooser and Network Browser.”
7 Click Apply Now.

Making Apple Menu Items Available in Classic

You can hide or reveal Apple menu items (other than the Chooser, Network Browser, or Control Panels) as a group. This group includes items such as Calculator, Key Caps, and Recent Applications.

To show other Apple menu items:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Classic preference icon.
5 Click Advanced and set the management setting to Always.
6 Deselect “Hide other Apple menu items.”
7 Click Apply Now.

Adjusting Classic Sleep Settings

When no Classic applications are open, Classic will go to sleep to reduce its use of system resources. You can adjust the amount of time Classic waits before going to sleep after a user quits the last Classic application. If Classic is in sleep mode, opening a Classic application may take a little longer.

To adjust Classic sleep settings:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Classic preference icon.
5 Click Advanced and set the management setting to Always.
6 Drag the slider to set how long Classic waits before going to sleep. If you don’t want Classic to go to sleep at all, drag the slider to Never.
7 Click Apply Now.

Managing Dock Preferences

Dock settings allow you to adjust the behavior of the user’s Dock and specify what items appear in it.

Dock Display Preferences

Dock Display preferences control the Dock’s position and behavior.

Controlling the User’s Dock

Dock settings allow you to adjust the position of the Dock on the desktop and change the Dock’s size. You can also control animated Dock behaviors.

To set how the Dock looks and behaves:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Dock preference icon.
5 Click Dock Display.
6 Select a management setting (Once or Always).
7 Drag the Dock Size slider to make the Dock smaller or larger.
8 If you want items in the Dock to be magnified when a user moves the pointer over them, select the Magnification checkbox, then adjust the slider. Magnification is useful if you have many items in the Dock.
9 If you don’t want the Dock to be visible all the time, select “Automatically hide and show the Dock.” When the user moves the pointer to the edge of the screen where the Dock is located, the Dock pops up automatically.
10 Select whether to place the Dock on the left, right, or bottom of the desktop.
11 Select a minimizing effect.
12 If you don’t want to use animated icons in the Dock when an application opens, deselect “Animate opening applications.”
13 Click Apply Now.

Dock Items Preferences

Dock Items settings allow you to add and arrange items in a user’s Dock.

Adding Items to a User’s Dock

You can add applications, folders, or documents to a user’s Dock for easy access.

To add items to the Dock:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Dock preference icon.
5 Click Dock Items.
6 Select a management setting (Once or Always).
7 To add individual applications, regular folders, and documents to the Dock, click Add to browse and select the item you want. To remove a Dock item, select it and click Remove. You can rearrange Dock items in the list by dragging them into the order in which you want them to appear. Applications are always grouped at one end; folders and files are grouped at the other.
8 When you have finished adding regular and special Dock items, click Apply Now.

Preventing Users From Adding Additional Dock Items

Ordinarily, users can add additional items to their own Docks, but you can prevent this. Users cannot remove Dock items added by the administrator.

To prevent users from adding items to their Docks:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Dock preference icon.
5 Click Dock Items, then set the management setting to Always.
6 Deselect “Users may add and remove additional Dock items.”
7 Click Apply Now.
Managing Finder Preferences

Finder Preferences allow you to control various aspects of Finder menus and windows.

Finder Preferences

Use the Finder Preferences settings in Workgroup Manager to select a Finder type for the user, show or hide items mounted on the desktop, and control Finder window behaviors. You can also make file extensions visible and show users a warning if they attempt to empty the Trash.

Keeping Disks and Servers From Appearing on the User’s Desktop

Normally when a user inserts a disk, that disk’s icon appears on the desktop. Icons for local hard disks or disk partitions and mounted server volumes are also visible. If you don’t want users to see these items on the desktop, you can hide them. These items still appear in the top-level directory when a user clicks the Computer icon in a Finder window toolbar.

To hide disk and server icons on the desktop:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Under “Show these items on the Desktop,” deselect the items you want to hide.
7 Click Apply Now.

Controlling the Behavior of Finder Windows

You can select what directory appears when a user opens a new Finder window. You can also define how contents are displayed when a user opens folders.

To set Finder window preferences:
1 Open Workgroup Manager and click Preferences.
2 Select a user, group, or computer account in the account list, then click the Finder preference icon.
3 Click the Preferences tab and select a management setting (Once or Always).
4 Under “New Finder window shows,” specify the items you want to display.
Select Home to show items in the user’s home directory.
Select Computer to show the top-level directory, which includes local disks and mounted volumes.
5 Select “Always open folders in a new window” to display folder contents in a separate window when a user opens a folder. Normally, Mac OS X users can browse through a series of folders using a single Finder window.
6 Select “Always open windows in Column View” to maintain a consistent view among windows.
7 Click Apply Now.

Making File Extensions Visible
A file extension usually appears at the end of a file name (for example, “.txt” or “.jpg”). Applications use the file extension to identify the file type. Showing extensions also lets users see the real type of a file whose icon or display name suggests something else.

To make file extensions visible:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Select “Always show file extensions.”
7 Click Apply Now.

Selecting the User Environment
You can select either the regular Finder or the Simplified Finder as the user environment. The regular Finder looks and acts like the standard Mac OS X desktop. The Simplified Finder uses panels and large icons to provide users with an easy-to-navigate interface.

To set the user environment:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Select either “Use normal Finder” or “Use Simplified Finder to limit access to the computer.”
7 Click Apply Now.
Hiding the Alert Message When a User Empties the Trash
Normally, a warning message appears when a user empties the Trash. If you do not want users to see this message, you can turn it off.

To hide the Trash warning message:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click the Preferences tab and select a management setting (Once or Always).
6 Deselect “Show warning before emptying the Trash.”
7 Click Apply Now.

Finder Commands Preferences
Commands in Finder menus and the Apple menu allow users to easily connect to servers or restart the computer, for example. In some situations, you may want to limit user access to these commands. Workgroup Manager lets you control whether or not certain commands are available to users. Hiding a command removes it from the Finder’s menus; it does not stop other applications or the command line from doing the same thing, so combine it with Media Access settings and file permissions when you need to restrict what users can actually do. All Commands settings require the management setting to be Always.

Controlling User Access to an iDisk
If users want to connect to an iDisk, they can use the “Go to iDisk” command in the Finder’s Go menu. If you don’t want users to see this menu item, you can hide the command.

To hide the “Go to iDisk” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to iDisk.”
7 Click Apply Now.

Controlling User Access to Remote Servers
Users can connect to a remote server by using the “Connect to Server” command in the Finder’s Go menu and providing the server’s name or IP address. If you don’t want users to have this menu item, you can hide the command.
To hide the “Connect to Server” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Connect to Server.”
7 Click Apply Now.

Controlling User Access to Folders
Users can open a specific folder by using the “Go to Folder” command in the Finder’s Go menu and providing the folder’s path name. If you don’t want users to have this privilege, you can hide the command.

To hide the “Go to Folder” command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to Folder.”
7 Click Apply Now.

Preventing Users From Ejecting Disks
If you don’t want users to be able to eject disks (for example, CDs, DVDs, floppy disks, or FireWire drives), you can hide the Eject command in the Finder’s File menu.

To hide the Eject command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect Eject.
7 Click Apply Now.

Hiding the Burn Disc Command in the Finder
On computers with appropriate hardware, users can “burn discs” (write information to recordable CDs or DVDs).
If you don’t want users to have this privilege, you can hide the Burn Disc command in the Finder’s File menu.

To hide the Burn Disc command:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Burn Disc.”
7 Click Apply Now.

To prevent users from using or burning recordable CDs or DVDs, rather than just hiding the menu command, use settings in the Media Access panes. Only computers with a CD-RW drive, Combo drive, or Superdrive can burn CDs. The Burn Disc command works only with CD-R, CD-RW, or DVD-R discs. Only a Superdrive can burn DVDs.

Removing Restart and Shut Down Commands From the Apple Menu
If you don’t want to allow users to restart or shut down the computers they are using, you can remove the Restart and Shut Down commands from the Apple menu.

To hide the Restart and Shut Down commands:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Commands and set the management setting to Always.
6 Deselect “Restart/Shut Down.”
7 Click Apply Now.

As an additional preventive measure, you can also remove the Restart and Shut Down buttons from the login window using settings for Login preferences. See “Managing Login Preferences” on page 305 for instructions.

Finder Views Preferences
Finder Views allow you to adjust the arrangement and appearance of items on a user’s desktop, in Finder windows, and in the top-level directory of the computer.
Adjusting the Appearance and Arrangement of Desktop Items
Items on a user’s desktop appear as icons. You can control the size of desktop icons and how they are arranged.

To set preferences for the desktop view:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three view tabs.
6 Click Desktop View.
7 Drag the slider to adjust icon size.
8 Select how you want to arrange icons on the user’s desktop.
Select “None” to allow users to place items anywhere on the desktop.
Select “Always snap to grid” to keep items aligned in rows and columns.
Select “Keep arranged by,” then choose a method from the arrangement pop-up menu. You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
9 Click Apply Now.

Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, and you can also control whether or not to show the toolbar in a Finder window. Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level computer directory showing hard disks and disk partitions, external hard disks, mounted volumes, and removable media (such as CDs or floppy disks).

To set preferences for the default and computer views:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Finder preference icon.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three view tabs.
6 Click Default View.
7 Drag the Icon View slider to adjust icon size.
8 Select how you want to arrange icons.
Select None to allow users to place items anywhere in the window.
Select “Always snap to grid” to keep items aligned in rows and columns.
Select “Keep arranged by,” then choose a method from the arrangement pop-up menu. You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
9 Adjust List View settings for the default view.
If you select “Use relative dates,” an item’s creation or modification date is displayed as “Today” instead of “4/12/02,” for example.
If you select “Calculate folder sizes,” the computer calculates the total size of each folder shown in a Finder window. This can take some time if a folder is very large.
Select a size for icons in a list.
10 Select “Show toolbar in Finder windows” if you want the user to see the toolbar.
11 Click Computer View and adjust Icon View and List View settings for the computer view. Available settings are similar to those available for the default view described in steps 7 through 9.
12 Click Apply Now.

Managing Internet Preferences
Internet preferences let you set email and Web browser options.

Setting Email Preferences
Email settings let you specify a preferred email application and supply information for the email address, incoming mail server, and outgoing mail server.

To set email preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Internet preference icon.
5 Click Email and select a management setting (Once or Always).
6 To set the default email reader, click Set and choose the email application you prefer.
7 Type information for the email address, incoming mail server, and outgoing mail server.
8 Select an email account type (either POP or IMAP).
9 Click Apply Now.

Setting Web Browser Preferences
Use Web settings in Internet preferences to specify a preferred Web browser and a place to store downloaded files. You can also specify a starting point URL for your browser using the Home Page location. Use the Search Page location to specify a search engine URL.

To set Web preferences:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Internet preference icon.
5 Click Web and select a management setting (Once or Always).
6 To set the Default Web Browser, click Set and choose a preferred Web browser application.
7 Type a URL for the Home Page. This is the page a user sees when a browser opens.
8 Type a URL for the Search Page.
9 Type a folder location for storing downloaded files, or click Set to browse for a folder.
10 Click Apply Now.

Managing Login Preferences
Use Login preferences to set user login options, provide password hints, and control the user’s ability to restart and shut down the computer from the login screen. You can also mount the group volume or make applications open automatically after a user logs in.

Login Window Preferences
Login Window settings affect the appearance and function of items in the login window.

Deciding How a User Logs In
Depending on the settings you choose, a user will see either a name and password text field or a list of users in the login window. These settings apply only to computer accounts.
To set up how a user logs in:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select how the user logs in.
To require the user to type his or her user name and password, select “Name and password entry fields.”
To allow a user to select his or her name from a list, select “List of users able to access this computer.”
7 If you decide to use a list of users, select categories of users you want to display in the list.
Select “Show local users” to include local user accounts in the list.
Select “Show network users” to include network users in the list.
Select “Show administrators” to include users with administrator privileges in the list.
If you allow unknown users, you can select “Show other users.”
8 Click Apply Now.

Helping Users Remember Passwords
You can use a “hint” to help users remember their passwords. After three consecutive attempts to log in with an incorrect password, a dialog box displays the hint you created. The hint is shown to whoever is sitting at the login window, so it must never contain the password itself or make it easy to guess.

To show a password hint:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select “Show password hint after 3 attempts to enter a password.”
7 Click Apply Now.

Preventing Restarting or Shutting Down the Computer at Login
Normally, the Restart and Shut Down buttons appear in the login window. If you don’t want the user to restart or shut down the computer, you should hide these buttons.
You may also want to hide the Restart and Shut Down commands in the Finder menu. See “Managing Finder Preferences” on page 296 for instructions. Check the Commands pane of Finder preferences and make sure “Restart/Shut Down” is not selected.

To hide the Restart and Shut Down buttons:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Window and set the management setting to Always.
6 Select “Hide Restart and Shut Down buttons in the Login Window.”
7 Click Apply Now.

Login Items Preferences
Settings for Login Items allow you to open applications or mount the group volume automatically for the user.

Opening Applications Automatically After a User Logs In
You can have frequently used applications ready for use shortly after a user logs in. If you open several items, you can hide them after they open. This prevents excess clutter on the user’s screen, but the applications remain open and accessible.

As the listed applications open, they “stack” on top of each other in the Finder. The last item in the list is closest to the front of the Finder. For example, if you have three items in the list and none of them are hidden, the user sees the menu bar for the last item opened. If an application has open windows, they may overlap windows from other applications.

To make applications open automatically:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Login preference icon.
5 Click Login Items and select a management setting (Once or Always).
6 To add an item to the list, click Add.
7 Select the Hide checkbox for any item you don’t want the user to see right away. The application remains open, but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock).
8 Deselect “User may add and remove additional login items” if you do not want users to have this privilege. Users cannot remove items added to this list by an administrator, but users can remove items they’ve added themselves.
9 To prevent users from stopping applications that open automatically at login, deselect “User may press Shift to keep applications from opening.”
10 Click Apply Now.

Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the local hard drive, and external disks (for example, floppy disks and FireWire drives).

Media Access Disc Media Preferences
Disc Media settings affect only CDs, DVDs, and recordable discs (for example, a CD-R, CD-RW, or DVD-R). Computers that do not have appropriate hardware to use CDs, DVDs, or recordable discs are not affected by these settings.

Controlling Access to CDs and DVDs
If a computer can play or record CDs or DVDs, you can control what type of media users can access. You cannot restrict access to individual CDs or DVDs or specific items on them. You can, however, choose not to allow any CDs or DVDs. You can also limit access by requiring an administrator’s user name and password.

To control access to CDs and DVDs:
1 Open Workgroup Manager and click Preferences.
2 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
3 Set the management setting to Always. This setting applies to all Media Access preference options.
4 Click Disc Media.
5 Choose settings for CDs and CD-ROMs.
Select the Allow checkbox next to CDs & CD-ROMs to let users access music, data, or applications on compact discs.
To restrict access to compact discs, select Require Authentication to require an administrator user name and password.
To prevent access to all compact discs, deselect Allow.
6 Choose settings for DVDs.
Select the Allow checkbox next to DVDs to let users access movies and other information on digital video discs.
To restrict access to DVDs, select Require Authentication to require an administrator user name and password.
To prevent access to all DVDs, deselect Allow.
7 Click Apply Now.

Controlling the Use of Recordable Discs
If a computer has the appropriate hardware, users can “burn discs” or write information to a recordable disc such as a CD-R, CD-RW, or DVD-R. Users can burn CDs on computers with a CD-RW drive, Combo drive, or Superdrive. Users can burn DVDs only on computers with a Superdrive. If you want to limit the ability to use recordable media, you can require an administrator’s user name and password. Alternatively, you could allow users to read information on a recordable disc, but not allow them to burn a disc themselves.

To control the use of recordable discs:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Disc Media.
7 Select options for recordable media.
Select the Allow checkbox next to Recordable Discs to let users use a CD-R, CD-RW, or DVD-R disc.
Select the Authentication checkbox to require an administrator password to use the disc.
To prevent users from recording information to compact discs or DVD-R discs, deselect Allow.
8 Click Apply Now.
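The Finder Commands, Login Window, and Media Access panes above all store their results as managed preferences in the directory, and the security of each depends on the management setting: a restriction applied Once is only an initial default the user can change, while Always is enforced. The following Python script is an added example and is not part of Apple’s guide or of Workgroup Manager. It parses a constructed sample of the managed-preference record and reports which restrictions are actually enforced, which were only set Once, and which media types remain allowed without authentication. The record layout (`mcx_application_data`, `Forced`, `Set-Once`, `mcx_preference_settings`) and the key names such as `ProhibitConnectTo`, `RestartDisabled`, `RetriesUntilHint` and `mount-controls` are assumptions taken from MCX documentation for later Mac OS X releases; the 10.2 guide does not list them, so compare them against a record exported from your own directory before relying on the output.

```python
import plistlib

# Constructed sample of a managed-preference record, as Workgroup Manager
# might store it for a computer account after the Finder Commands, Login
# Window and Disc Media panes were used. Domain and key names are assumptions
# taken from MCX documentation for later releases, not from the 10.2 guide.
SAMPLE_MCX_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mcx_application_data</key>
  <dict>
    <key>com.apple.finder</key>
    <dict>
      <key>Forced</key>
      <array><dict><key>mcx_preference_settings</key><dict>
        <key>ProhibitConnectTo</key><true/>
        <key>ProhibitGoToFolder</key><true/>
        <key>ProhibitBurn</key><true/>
      </dict></dict></array>
    </dict>
    <key>com.apple.loginwindow</key>
    <dict>
      <key>Set-Once</key>
      <array><dict><key>mcx_preference_settings</key><dict>
        <key>RestartDisabled</key><true/>
        <key>ShutDownDisabled</key><true/>
        <key>RetriesUntilHint</key><integer>3</integer>
      </dict></dict></array>
    </dict>
    <key>com.apple.systemuiserver</key>
    <dict>
      <key>Forced</key>
      <array><dict><key>mcx_preference_settings</key><dict>
        <key>mount-controls</key>
        <dict>
          <key>cd</key><array><string>authenticate</string></array>
          <key>dvd</key><array><string>deny</string></array>
          <key>blankcd</key><array><string>deny</string></array>
        </dict>
      </dict></dict></array>
    </dict>
  </dict>
</dict>
</plist>
"""

# Restrictions that only mean something when managed Always ("Forced");
# a "Set-Once" copy is an initial default the user is free to undo.
ENFORCED_ONLY = {
    "com.apple.finder": ("ProhibitConnectTo", "ProhibitGoToFolder",
                         "ProhibitGoToiDisk", "ProhibitEject", "ProhibitBurn"),
    "com.apple.loginwindow": ("RestartDisabled", "ShutDownDisabled"),
}
MEDIA_KINDS = ("cd", "dvd", "blankcd", "blankdvd")


def domain_settings(app_data, domain, mode):
    """Merge every mcx_preference_settings dict stored for `domain` under `mode`."""
    merged = {}
    for entry in app_data.get(domain, {}).get(mode, []):
        merged.update(entry.get("mcx_preference_settings", {}))
    return merged


def audit(plist_bytes):
    """Map each control to its effective status: enforced / once / unmanaged for
    Finder and login-window keys, the policy word for each media kind, and the
    password-hint setting."""
    app_data = plistlib.loads(plist_bytes)["mcx_application_data"]
    status = {}
    for domain, keys in ENFORCED_ONLY.items():
        forced = domain_settings(app_data, domain, "Forced")
        once = domain_settings(app_data, domain, "Set-Once")
        for key in keys:
            if forced.get(key) is True:
                status[f"{domain}/{key}"] = "enforced"
            elif once.get(key) is True:
                status[f"{domain}/{key}"] = "once"
            else:
                status[f"{domain}/{key}"] = "unmanaged"
    # Media access is only read from Forced, which is why the pane is fixed to Always.
    controls = domain_settings(app_data, "com.apple.systemuiserver", "Forced").get("mount-controls", {})
    for kind in MEDIA_KINDS:
        policy = controls.get(kind) or ["allow"]   # absent kind: no restriction at all
        status[f"media/{kind}"] = policy[0]
    # The hint is shown to whoever is at the login window after N failed attempts.
    login = dict(domain_settings(app_data, "com.apple.loginwindow", "Set-Once"))
    login.update(domain_settings(app_data, "com.apple.loginwindow", "Forced"))
    retries = login.get("RetriesUntilHint", 0)
    status["loginwindow/password-hint"] = f"after {retries} attempts" if retries else "off"
    return status


def findings(status):
    """Controls whose status still lets the user do what the pane was meant to stop."""
    weak = []
    for name, value in sorted(status.items()):
        hint_on = name == "loginwindow/password-hint" and value != "off"
        if value in ("once", "unmanaged", "allow") or hint_on:
            weak.append(f"{name}: {value}")
    return weak


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_MCX_PLIST)):
        print(line)
```

Run against the sample, the report shows the two login-window restrictions as “once” (they were set with Once rather than Always, so the user can re-enable Restart and Shut Down), Eject and iDisk as unmanaged, blank DVDs still allowed, and the password hint active; the enforced Finder commands and the authenticated or denied media kinds are not listed.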
Media Access Other Media Preferences
Settings in the Other Media pane affect internal hard disks and external disks other than CDs or DVDs.

Controlling Access to Hard Drives and Disks
Media Access settings selected in the Other Media pane let you control access to both a computer’s hard disk and any external disks other than CDs and DVDs. If you don’t allow access to external disks, users cannot use floppy disks, Zip disks, FireWire hard drives, or other external storage devices.

To restrict access to internal and external disks:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select options for Internal Disks (the computer’s hard disk and disk partitions).
Select the Authentication checkbox to require a password to access the hard disk.
Deselect the Allow checkbox to prevent users from accessing the hard disk.
If you select the Read-Only checkbox, users can view the contents of the hard disk but cannot modify them or save files on the hard disk.
8 Select options for External Disks (other than CDs or DVDs).
Select the Authentication checkbox to require a password to access external disks.
Deselect the Allow checkbox to prevent access to external disks.
If you select the Read-Only checkbox, users can view the contents of external disks but cannot modify them or save files on external disks.
9 Click Apply Now.

Ejecting Items Automatically When a User Logs Out
On computers used by more than one person, such as in a computer lab, users may sometimes forget to take their personal media with them when they leave.
If they do not eject disks, CDs, or DVDs when they log out, these items may be available to the next user who logs in. If you allow users to access CDs, DVDs, or external disks, such as Zip disks or FireWire drives, on shared computers, you may want to make computers eject removable media automatically when a user logs out.

To eject removable media automatically:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Media Access preference icon.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select “Eject all removable media at logout.”
8 Click Apply Now.

Managing Printing Preferences
Use Printing preferences to create printer lists and manage access to printers.

Printer List Preferences
Printer List settings let you create a list of available printers and control the user’s ability to add additional printers or access a printer connected directly to a computer.

Making Printers Available to Users
To give users access to printers, you first need to set up a printer list. Then, you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s final list of printers is a combination of printers available to the user, the group selected at login, and the computer being used.

To create a printer list for users:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always).
This setting applies to all Printing preference options.
6 Click Printer List.
7 The Available Printers list is created from the list of available network printers in the Print Center application. Select a printer in the Available Printers list, then click “Add to List” to make that printer available in the User’s Printer List. If the printer you want doesn’t appear in the Available Printers list, click Open Print Center and add the printer to Print Center’s printer list.
8 Click Apply Now.

Preventing Users From Modifying the Printer List
If you want to limit a user’s ability to modify a printer list, you can require an administrator’s user name and password in order to add new printers. You can also remove this privilege outright.

To restrict access to the printer list:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Printer List.
7 If you want only administrators to modify the printer list, select “Require an administrator password.”
8 If you don’t want any user to modify the printer list, deselect “Allow users to add printers to the Printer list.”
9 Click Apply Now.

Restricting Access to Printers Connected to a Computer
In some situations, you want only certain users to print to a printer connected directly to their computers. For example, if you have a computer in a classroom with a printer attached, you can reserve that printer for teachers only by making the teacher an administrator and requiring an administrator’s user name and password to access the printer.

To restrict access to a printer connected to a specific computer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Printer List.
7 If you want only administrators to use the printer, select “Require an administrator password.”
8 If you don’t want any user to access the printer, deselect “Allow printers that connect directly to the user’s computer.”
9 Click Apply Now.

Printer Access Preferences
Access settings let you specify a default printer and restrict access to specific printers.

Setting a Default Printer
Once you have set up a printer list, you can specify one printer as the default printer. Any time a user tries to print a document, this printer is the preferred selection in an application’s printer dialog box.

To set the default printer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user’s printer list, then click Make Default.
8 Click Apply Now.

Restricting Access to Printers
You can require an administrator’s user name and password in order to print to certain printers.

To restrict access to a specific printer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list, then click the Printing preference icon.
5 Select a management setting (Once or Always). This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user’s printer list, then select “Require administrator password.”
8 Click Apply Now.

Chapter 7
Print Service

Print service lets you share network printers with clients of Mac OS X Server. You share printers by setting up print queues for them. When users submit print jobs to a shared printer, the jobs are automatically sent to the printer’s queue, where they are held until the printer becomes available or criteria you set up have been met. For example, you can
• set the priority of print jobs in a queue
• hold the printing of a job for a particular time of day
• place a job on hold indefinitely

The following applications help you administer print service:
• The Print module of Server Settings lets you configure general print service settings, set up how print queues are shared, and manage print jobs submitted to shared printers.
• Server Status lets you monitor the status of print jobs.
• The Accounts module of Workgroup Manager lets you set print quotas for users.

What Printers Can Be Shared?
Mac OS X Server supports PostScript-compatible printers connected to your network using AppleTalk or the Line Printer Remote (LPR) protocol. Mac OS X Server also supports PostScript-compatible printers connected directly to your server by means of a Universal Serial Bus (USB) connection.

[Figure: Mac OS X Server connected over Ethernet to an AppleTalk PostScript printer and an LPR PostScript printer, and over USB to a PostScript printer]

Who Can Use Shared Printers?
Shared printers can be used over the network by users who submit print jobs using AppleTalk, LPR, or Server Message Block (SMB) protocols: Macintosh computers support AppleTalk and LPR. Windows computers use LPR and SMB. UNIX computers use LPR.
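Of the three protocols, LPR is the one every client type can speak, and it is also the one with no authentication: a job is accepted from any host that can reach TCP port 515, and the user and host names in the job are whatever the client writes. The following Python script is an added example, not part of Apple’s guide or of Mac OS X Server’s print service. It assembles a job exactly as RFC 1179 (the LPR/LPD protocol) defines it and parses the resulting control file the way a spooler would, so the self-asserted identity fields are visible. The queue name `lab_printer`, client host `lab-mac-1`, user names and the PostScript payload are constructed; `submit` is included so the same bytes can be sent to a spooler you administer, and it is not called by default.

```python
import socket

LPD_PORT = 515  # RFC 1179: the line printer daemon listens on TCP 515


def lpr_control_file(host, user, job_name, data_file_name):
    """Build an RFC 1179 control file. The H (host) and P (user) lines are
    written by the client; the spooler has no way to verify either of them."""
    lines = [
        f"H{host}",             # originating host, as claimed by the client
        f"P{user}",             # user name, as claimed by the client
        f"J{job_name}",         # job name shown in queue status and banners
        f"l{data_file_name}",   # print the data file without filtering
        f"U{data_file_name}",   # unlink the data file when the job is done
        f"N{job_name}",         # name of the source file
    ]
    return ("\n".join(lines) + "\n").encode("ascii")


def lpr_job_stream(queue, host, user, job_name, data, job_id=1):
    """Return the chunks a client sends, in order, to submit one job. The
    server answers each chunk with a single 0x00 byte when it accepts it."""
    tag = f"{job_id:03d}{host}"   # RFC 1179 file names: cfA/dfA + 3-digit job number + host
    control = lpr_control_file(host, user, job_name, f"dfA{tag}")
    return [
        b"\x02" + queue.encode("ascii") + b"\n",            # command 02: receive a printer job
        f"\x02{len(control)} cfA{tag}\n".encode("ascii"),   # subcommand 02: control file follows
        control + b"\x00",                                  # file bytes, then 0x00 terminator
        f"\x03{len(data)} dfA{tag}\n".encode("ascii"),      # subcommand 03: data file follows
        data + b"\x00",
    ]


def parse_control_file(control):
    """What the spooler learns about the submitter: exactly the client's claims."""
    fields = {}
    for line in control.decode("ascii").splitlines():
        if line:
            fields.setdefault(line[0], line[1:])
    return {"host": fields.get("H"), "user": fields.get("P"), "job": fields.get("J")}


def submit(server, chunks, port=LPD_PORT, timeout=5.0):
    """Send a job to a spooler you administer, checking the 0x00 ACK after each chunk."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        for chunk in chunks:
            sock.sendall(chunk)
            ack = sock.recv(1)
            if ack != b"\x00":
                raise RuntimeError(f"spooler refused the request: {ack!r}")


if __name__ == "__main__":
    # Constructed sample: a client claiming to be user "teacher" on host "lab-mac-1".
    job = lpr_job_stream("lab_printer", "lab-mac-1", "teacher", "report",
                         b"%!PS-Adobe-3.0\nshowpage\n")
    print(parse_control_file(job[2][:-1]))  # {'host': 'lab-mac-1', 'user': 'teacher', 'job': 'report'}
    # submit("printserver.example", job)    # only against your own print server
```

Because the only handshake is the acknowledgment byte, anything that enforces who may print to an LPR queue (print quotas charged to a user, the administrator-password restrictions in Printing preferences, or a printer reserved for teachers) is applied on the client side or keyed on a name the client chose; restricting which hosts can reach port 515 on the server is the control that actually holds.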
See “Setting Up Printing on Client Computers” on page 323.

[Figure: which client types reach Mac OS X Server print queues over LPR, AppleTalk, and SMB: Mac OS X users (printers selected using Print Center), Mac OS 8 and Mac OS 9 users (printers selected using Desktop Printer Utility), UNIX users, Windows NT and Windows 2000 users, and Windows 95, 98, and ME users]

Setup Overview
Here is an overview of the basic steps for setting up print service:

Step 1: Read “Before You Begin”
Read “Before You Begin” on page 319 for issues that you should consider before setting up print service.

Step 2: Start up and configure print service
Use Server Settings to start up and configure the print service. Print service configuration lets you set options that apply to all print queues that you are sharing, for example, starting print service automatically when the server starts up. See “Starting Up and Configuring Print Service” on page 319.

Step 3: Add printers and configure their print queues
You make printers available to users by adding them to the server using the Print module of Server Settings. When you add a printer, a print queue is created automatically. Users see these print queues as printers from their desktops. You then configure the print queues, also using the Print module of Server Settings. See “Adding Printers” on page 320 and “Configuring Print Queues” on page 320.

Step 4: (Optional) Add print queues to a shared Open Directory domain
You can add print queues to a shared Open Directory domain for users of Mac OS X computers that have access to the domain. This makes it easier for Mac OS X client users to locate shared printers because these print queues show up automatically in Print Center Directory Services lists. See “Adding Print Queues to Shared Open Directory Domains” on page 321.
Step 5: (Optional) Set print quotas for users
If you want to limit the number of pages users can print, set print quotas for user accounts and enforce quotas on print queues. See “Setting Up Print Quotas” on page 322.

Step 6: Set up printing on client computers
Mac OS X clients: Add one or more print queues to users’ printer lists using Print Center.
Mac OS 9 and Mac OS 8 clients: Use the Chooser to add AppleTalk printers or use Desktop Printer Utility to add LPR printers to the clients’ desktops.
Windows clients: If you have Windows clients using SMB, you need to make sure Windows services are running and that at least one print queue is available for SMB users.
UNIX clients: Most UNIX systems support LPR. Some configuration may be required. Refer to the manufacturer’s documentation on setting up LPR printers or consult your UNIX administrator.
See “Setting Up Printing on Client Computers” on page 323.

Before You Begin
Before you set up print service, determine which protocols are used for printing by client computers. When you configure a print queue, you will need to enable each of the required protocols. Print service supports the following protocols:
• AppleTalk
• Line Printer Remote (LPR)
• Server Message Block (SMB)
See “Setting Up Printing on Client Computers” on page 323.

Security Issues
In general, AppleTalk and LPR printers do not have any provisions for security. Windows services require that users log in by providing a user name and password before using SMB printers. See “Windows User Password Validation” on page 236.

Setting Up Print Service
The following sections tell you how to configure your server’s print service, and how to create and configure print queues for the server.

Starting Up and Configuring Print Service
Use the Print module of Server Settings to start up and configure print service.
To start up and configure print service:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Start Print Service.
3 Click Print again and choose Configure Print Service.
4 Select “Start print service at system startup” if you want print service to start automatically when the server starts up.
5 Select “Automatically share new queues for Windows printing” if you want Windows users who print using the SMB protocol to be able to automatically use new print queues that you create using Print Center. If you select this option, make sure that Windows services are running. See “Starting Windows Services” on page 240.
6 Choose the default queue for LPR print jobs. Using a default queue simplifies the setup for printing from client computers. See “Selecting a Default Print Queue” on page 329. If you choose None, print jobs sent to the default queue will not be accepted by the server (and therefore will not be printed).
7 Select “Server log” if you want to archive the print service log file. Specify how often (by entering the number of days) you want to archive the current log and start a new one.
8 Select “Queue logs” if you want to archive the print queues’ log files. Specify how often (by entering the number of days) you want to archive the current log and start a new one.

Adding Printers
You can share any PostScript-compatible printer that has a queue defined for it on the server. You use the Print module of Server Settings to “add” printers to the server. When you add a printer, the print queue is created automatically.
Note: You do not need to “add” USB printers connected directly to the server. Queues for USB printers are created automatically without that step.
To add a printer and create a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Click New Queue.
4 Choose the protocol used by the printer you want to add from the pop-up menu.
5 For “AppleTalk” or “Directory Services” printers, select a printer in the list and click Add.
For “LPR Printers using IP,” enter the printer Internet address or DNS name, select whether to use the default queue on the server, enter the queue name, and click Add.
If you want to print from the server, set up a print queue on the server using Print Center.

Configuring Print Queues
You configure a print queue to specify which protocols to use to share the queue and to specify the default settings for new print jobs. You can also change the name of the queue.
To configure a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the print queue you want to configure and click Edit.
4 If you want users to see a name other than the Print Center queue name, enter a name in the Queue Name field. Entering a queue name does not change the Print Center queue name.
You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A – Z, a – z, 0 – 9, and “_” (underscore). AppleTalk queue names cannot be longer than 32 bytes (which may be fewer than 32 typed characters). Note that the queue name is encoded according to the language used on the server and may not be readable on client computers using another language.
5 Select the protocols used for printing by your client computers. If you select “Windows printing (SMB),” make sure Windows services are running. See “Starting Windows Services” on page 240.
6 If you want to add the queue to a shared Open Directory domain, choose a shared domain from the pop-up menu, then enter the user name and password for the administrator of the server on which the domain resides.
This allows users of Mac OS X computers configured to access the domain to print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).
Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.
7 Choose the default job priority for new print jobs in this queue.
8 Select Hold to postpone printing all new jobs that arrive in the queue. Specify a time of day to print the jobs, or choose to postpone printing indefinitely.
9 Select “Enforce print quotas” if you want to enforce the user print quotas for the printer.

Adding Print Queues to Shared Open Directory Domains
If you add a print queue to a shared Open Directory domain, users of Mac OS X computers that are configured to access the domain can print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).
To add a print queue to a shared Open Directory domain:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue you want to add and click Edit.
4 Choose a shared domain from the “Share LPR Queue in Domain” pop-up menu. Enter the user name and password for the administrator of the server on which the domain resides.
The Open Directory printer is named using the queue name defined in the Print module of Server Settings. LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared via LPR or SMB should not contain characters other than A – Z, a – z, 0 – 9, and “_” (underscore). AppleTalk queue names cannot be longer than 32 bytes (which may be fewer than 32 typed characters).
Note that the queue name is encoded according to the language used on the server and may not be readable on client computers using another language.
Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.

Setting Up Print Quotas
There are two parts to setting up print quotas: specifying the quotas in users’ accounts and enforcing the quotas for the print service.
You use the Users & Groups module of Workgroup Manager to set up print quotas for a user. You can set specific quotas for each print queue or you can define a single quota that applies to all print queues (that are enforcing quotas) to which a user has access. See “Working With Print Settings for Users” on page 151.
You use Server Settings to “turn on” the enforcement of users’ print quotas that you’ve defined for a print queue. If you do not enforce print quotas, users can print an unlimited number of pages to the queue.

Enforcing Quotas for a Print Queue
Unless you enforce quotas for a print queue, users will have unlimited printing capabilities even if print quotas are defined for the users’ accounts.
To enforce quotas for a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the print queue and click Edit.
4 Select “Enforce print quotas” to enforce the user print quotas for the print queue.

Setting Up Printing on Client Computers

Mac OS X Clients
Mac OS X users must add shared print queues to their Print Center printer lists before they can use the queues. Mac OS X supports both AppleTalk and LPR printers. Users can also add print queues in Open Directory domains accessible from the Mac OS X computer. If a Mac OS X client is having trouble printing, see “Solving Problems” on page 334.

Adding a Print Queue in Mac OS X Using AppleTalk
You use the Print Center to add print queues to a computer’s printer lists.
Print Center is usually located in the Utilities folder of the Applications folder.
To add a print queue using AppleTalk:
1 Open the Print Center and click Add Printer.
2 Choose AppleTalk from the pop-up menu.
3 Select a printer from the list and click Add.

Adding a Print Queue in Mac OS X Using LPR
You use the Print Center to add print queues to a computer’s printer lists. Print Center is usually located in the Utilities folder of the Applications folder.
To add a print queue using LPR:
1 Open the Print Center and click Add Printer.
2 Choose “LPR Printers using IP” from the pop-up menu.
3 Enter the server’s DNS name or IP address in the LPR Printer’s Address field. To use the default queue, select the “Use Default Queue on Server” option. If the server does not have a default LPR queue defined or you do not want to use the default queue, remove the checkmark and enter a queue name in the Queue Name field.
4 Choose a description of the printer from the Printer Model pop-up menu, then click Add.

Adding a Print Queue From an Open Directory Domain
You use the Print Center to add print queues to a computer’s printer lists. Print Center is usually located in the Utilities folder of the Applications folder.
To add a print queue from an Open Directory domain:
1 Open the Print Center and click Add Printer.
2 Choose Directory Services from the pop-up menu.
3 Select a queue, then click Add.

Mac OS 8 and Mac OS 9 Clients
Mac OS 8 and 9 support both AppleTalk and LPR printers. Users can set up printing to a server print queue by using the Chooser for AppleTalk printers or Desktop Printer Utility for LPR printers. (The Desktop Printer Utility is usually located in the LaserWriter Software folder in the Apple Extras folder or in the Utilities folder in the Applications folder.) If a Mac OS 8 or 9 client is having trouble printing, see “Solving Problems” on page 334.
Setting Up Printing on Mac OS 8 or 9 Clients for an AppleTalk Printer
You use the Chooser to set up AppleTalk printers.
To set up printing for an AppleTalk printer:
1 Open the Chooser.
2 Select the LaserWriter 8 icon or the icon for your printer’s model. The LaserWriter 8 icon works well in most cases. Use a printer-specific icon, if available, to take advantage of special features that might be offered by that printer.
3 Select the print queue from the list on the right.
4 Close the Chooser.

Setting Up Printing on Mac OS 8 or 9 Clients for an LPR Printer
You use the Desktop Printer Utility to set up LPR printers.
To set up printing for an LPR printer:
1 Open the Desktop Printer Utility and select Printer (LPR). Click OK.
2 In the PostScript Printer Description (PPD) File section, click Change and select the PPD file for the printer. Choose Generic if you do not know the printer type.
3 In the LPR Printer Selection section, click Change and enter the server’s IP address or domain name in the Printer Address field.
4 Enter the name of a print queue on the server that is configured for sharing via LPR. Leave the field blank if you want to print to the default LPR queue.
5 Click Verify to confirm that print service is accepting jobs via LPR.
6 Click OK, then Create.
7 Enter a name and location for the desktop printer icon, and click Save. The default name is the printer’s IP address, and the default location is the Desktop.

Windows Clients
To enable printing by Windows users who submit jobs using SMB, make sure Windows services are running and that one or more print queues are available for SMB use. See “Starting Windows Services” on page 240 and “Adding Printers” on page 320.
All Windows computers, including Windows 95, Windows 98, Windows Millennium Edition (ME), and Windows XP, support SMB for using printers on the network. Windows 2000 and Windows NT also support LPR.
Note: Third-party LPR drivers are available for Windows computers that do not have built-in LPR support.
If a Windows client is having trouble printing, see “Solving Problems” on page 334.

UNIX Clients
UNIX computers support LPR for connecting to networked printers without the installation of additional software. If a UNIX client is having trouble printing, see “Solving Problems” on page 334.

Managing Print Service
This section tells you how to perform day-to-day management tasks for print service once you have it up and running.

Monitoring Print Service
Server Status lets you monitor all services on a Mac OS X server. If you want to make changes to print service, use Server Settings.
To monitor print service:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see if print service is running, the time it started if it is running, and the number of queues.
3 Click the Logs tab to see print service logs for the system and for individual print queues. Use the Show pop-up menu to choose which log to view.
4 Click Queues to see the status of print queues. The table includes the name of the printer, type of print queue, number of jobs, sharing, and status for each queue.

Stopping Print Service
You use the File & Print pane in Server Settings to stop print service.
To stop print service:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Stop Print Service.

Setting Print Service to Start Automatically
You can set print service to start automatically when the server starts up.
To start print service automatically when the server starts up:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Configure Print Service.
3 Select “Start Print Service at system startup.”

Managing Print Queues
This section tells you how to perform day-to-day management of print queues.

Monitoring a Print Queue
Server Status lets you monitor all services on a Mac OS X server. The Queues pane lists the queues for the print service and tells you the name or kind of printer, how many jobs are pending, how the printer is shared, whether a job is printing, and, if so, the status of that job. If you want to make changes to a print queue, use Server Settings.
To monitor a print queue:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Queues tab to see the status of the print queues. The table includes the name of the printer, type of print queue, number of jobs, sharing, and status for each queue.

Putting a Print Queue on Hold (Stopping a Print Queue)
To prevent jobs in a queue from printing, put the print queue on hold. Printing of all jobs waiting to print is postponed. New jobs are still accepted but won’t be printed until the queue is started up again and the jobs ahead of them (of the same or higher priority) are printed. If a job is printing, it is canceled and reprinted from the beginning when the queue is restarted.
To put a print queue on hold:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the print queue you want to hold and click Hold.

Restarting a Print Queue
If you put a print queue on hold, restart the print queue to resume printing for all jobs that have not been put on hold individually. If a job was in the middle of printing when you put the print queue on hold, that job will be printed again from the beginning.
To restart a print queue that’s been put on hold:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue and click Release in the Print Monitor window.

Changing a Print Queue’s Configuration
Use the Server Settings Print Monitor to view and change a print queue’s configuration.
Note: When you change a print queue’s configuration, the queue may become unavailable to users. You may need to alert users to set up client computers to use the queue again.
To change a print queue’s configuration:
1 In Server Settings, click the File & Print tab.
2 Click Print, and choose Show Print Monitor.
3 Select the print queue you want to change and click Edit.
4 If you want users to see a name other than the Print Center queue name, enter a name in the Queue Name field. Entering a queue name does not change the Print Center queue name.
You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters.
Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users will need to set up their computers again to use the queue with its new name.
5 Select the protocols used for printing by your client computers. If you select “Windows printing (SMB),” make sure Windows services are running. See “Starting Windows Services” on page 240.
6 If you want to add the queue to a shared Open Directory domain, choose a shared domain from the pop-up menu, then enter the user name and password for the administrator of the server on which the domain resides. This allows users of Mac OS X computers configured to access the domain to print to the queue by choosing it from the Directory Services printer list in Print Center (rather than having to manually enter the LPR print host and queue name).
Note: After sharing a print queue in an Open Directory domain, do not try to add the queue from the Directory Services list to your server.
7 Choose the default job priority for new print jobs in this queue.
8 Select Hold to postpone printing all new jobs that arrive in the queue. Specify a time of day to print the jobs, or choose to postpone printing indefinitely.
9 Select “Enforce print quotas” if you want to enforce the user print quotas for the printer.

Renaming a Print Queue
When you add a printer in Print Center, the default name of the queue created for it is the same as the printer name.
Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users will need to set up their computers again to use the queue with its new name.
To rename a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the print queue you want to rename and click Edit.
4 Enter a new name in the Queue Name field. Entering a queue name does not change the Print Center queue name.

Selecting a Default Print Queue
Specifying a default print queue simplifies setup for printing from client computers to LPR print queues. Users can choose to print to the default queue rather than having to enter the IP address of a specific queue.
To select a default print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Configure Print Service.
3 Choose the queue you want to make the default queue from the “Default Queue for LPR” pop-up menu.

Deleting a Print Queue
When you delete a print queue, any jobs in the queue that are waiting to print are also deleted.
Note: If a job is printing, it is canceled immediately. To avoid abruptly canceling users’ print jobs, you can turn off sharing a queue until all jobs have finished printing and then delete the queue.
To delete a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the print queue you want to delete and click Delete.

Managing Print Jobs
This section tells you how to perform day-to-day management of print jobs.

Monitoring a Print Job
You monitor individual print jobs using the Queue Monitor window of Server Settings.
To monitor a print job:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue and click Show Queue Monitor.
The Queue Monitor window displays all the current print jobs in priority order. It also indicates the current status of the active (printing) job, the name of the user who submitted each job, and the number of pages and sheets in each job. The number of pages is the number of pages in the document. The number of sheets is the physical number of pages in the queue, which reflects the number of copies or the number of pages printed on one sheet of paper. For example, a Page/Sheets value of 4/20 appears if a user prints five copies of a four-page document.

Stopping a Print Job
You can stop a job from printing by putting it or the queue in which it resides on hold. To put a single print job on hold, see the following section. To put a print queue on hold to stop jobs from printing, see “Putting a Print Queue on Hold (Stopping a Print Queue)” on page 327.

Putting a Print Job on Hold
When you put a print job on hold, it is not printed until you take it off hold or until the date and time you set it to be printed has been reached. If the job has already started to print, printing stops and the job remains in the queue. When you take the job off hold, printing starts from the beginning of the job. Use Shift-click or Command-click to select multiple jobs and put them all on hold at the same time.
To put a print job on hold:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Hold.
5 If you want to take the job off hold automatically at a certain time, click Set Priority, then specify the date and time to release the job for printing. If there are other jobs of equal or higher priority in the print queue when the print job is released, the actual print time will be later.

Restarting a Print Job
When a print job has been placed on hold, it is not printed until you restart the job or until the time you set it to be printed has been reached.
Note: If you put the print queue on hold, restart the print queue to print the job.
To restart a print job:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Release. The job is returned to the print queue and is printed after all other jobs in the queue with the same priority.

Holding All New Print Jobs
You can automatically postpone printing all new jobs that arrive in a print queue.
To hold new print jobs:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue and click Edit.
4 Select the Hold checkbox. Choose Until to specify a time of day at which to print new jobs. Choose Indefinitely to postpone printing new jobs indefinitely.

Setting the Default Priority for New Print Jobs
When a new print job is sent to a print queue, it is assigned the priority defined for the print queue. Jobs are printed in order of priority. Urgent jobs are printed first, then Normal jobs, and finally Low jobs.
To set the default priority for new print jobs in a queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue and click Edit.
4 Under the “Default Settings for New Jobs” section, choose a job priority of Urgent, Normal, or Low.
Changing a Print Job’s Priority
When a print job arrives in a queue, it is assigned the default priority for that queue. You can override the default by changing the priority for the individual print job.
To change a print job’s priority:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Set Priority.
5 Select the priority you want to assign to the job. Urgent jobs are printed first, then Normal jobs, and finally Low jobs. The job is printed after any other job in the queue with the same priority.

Deleting a Print Job
If a job is printing at the time you delete it, the job will stop printing after the pages in the printer’s hardware buffer have been printed.
To delete a print job:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Delete.

Managing Print Quotas
This section tells you how to perform day-to-day management of print quotas.

Suspending Quotas for a Print Queue
You use the Print module of Server Settings to enforce and suspend print quotas. Suspending quotas for a print queue allows all users unlimited printing to the queue.
To enforce or suspend quotas for a print queue:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Configure Print Service.
3 Select the print queue and click Edit.
4 Deselect the “Enforce print quotas” option. To enforce print quotas again, select the “Enforce print quotas” option again.

Managing Print Logs
This section tells you how to view and archive print logs.

Viewing Print Logs
Print service has two kinds of logs: print service and print queue. Print service logs record such events as when print service was started and stopped and when a print queue was put on hold.
Separate logs for each print queue record individual print jobs, including such information as which users submitted jobs for particular printers and the size of the jobs. You can view the print service logs using Server Status.
To view print service logs using Server Status:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select Print in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Logs tab to see print service logs for the system and for individual print queues. Use the Show pop-up menu to choose which log to view.

Archiving Print Logs
As noted, print service maintains two kinds of logs: a print service log and a log for each print queue. You can specify how often you want to archive the logs and start new ones. All logs, both current and archived, are kept in the /Library/Logs/PrintService folder. Archived files are kept until they are manually deleted by the server administrator.
To specify how often to archive print logs:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Configure Print Service.
3 Select “Server log” and enter a number of days to specify how often you want to archive the print service log and start a new log. The current log file name is PrintService.server.log. Archived print service log files have the archive date appended (for example, PrintService.server.log.20021231).
4 Select “Queue logs” and enter a number of days to specify how often you want to archive each print queue log and start a new one. The log files are stored in /Library/Logs/PrintService. Individual log files are named after the print queues (for example, PrintService.myqueue.job.log). Archived print queue log files have the archive date appended (for example, PrintService.myqueue.job.log.20021231). You can view current log files using Server Status.
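Because the archive date is part of the file name, archived logs can be pruned by age without touching the current logs. The shell script below is an added example, not part of the Apple guide or of the log rolling scripts it refers to; the function names archive_date, stale_print_archives and delete_print_archives are this example's own, and the directory is a parameter so it can be pointed at a copy rather than at /Library/Logs/PrintService. It recognises the suffix pattern the guide describes (PrintService.server.log.YYYYMMDD and PrintService.<queue>.job.log.YYYYMMDD), lists the archives dated before a cutoff, and optionally deletes them; files without a date suffix, that is, the current logs, are never selected.

```shell
#!/bin/sh
# Added example, not Apple's code: prune archived print service logs
# by the YYYYMMDD date the print service appends to archived file names
# (for example PrintService.server.log.20021231 or
# PrintService.myqueue.job.log.20021231).

# Print the archive date embedded in an archived log file name ($1),
# or nothing if the name has no such suffix (a current log).
archive_date() {
    case "$1" in
        *.log.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            printf '%s\n' "${1##*.}" ;;
    esac
}

# Usage: stale_print_archives DIR CUTOFF_YYYYMMDD
# Prints, one per line, the archived logs in DIR dated before CUTOFF.
# Current logs have no date suffix and are skipped.
stale_print_archives() {
    dir=$1
    cutoff=$2
    for f in "$dir"/PrintService.*; do
        [ -f "$f" ] || continue
        d=$(archive_date "$f")
        [ -n "$d" ] || continue
        if [ "$d" -lt "$cutoff" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: delete_print_archives DIR CUTOFF_YYYYMMDD
# Removes the files stale_print_archives would list and prints how many.
delete_print_archives() {
    n=$(stale_print_archives "$1" "$2" | wc -l | tr -d ' ')
    stale_print_archives "$1" "$2" | while IFS= read -r f; do
        rm -f "$f"
    done
    echo "$n"
}
```

Review the listing from stale_print_archives before calling delete_print_archives; on the server itself the cutoff for a 30-day retention can be produced with the BSD date command, for example `date -v-30d +%Y%m%d`.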
You can use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Deleting Print Log Archives
The log files are stored in /Library/Logs/PrintService. You can clear out unwanted archive files by deleting them from this directory using the Finder. You can also use the log rolling scripts supplied with Mac OS X Server to reclaim disk space used by log files. See “Log Rolling Scripts” on page 555.

Solving Problems
Try these suggestions to solve or avoid printing problems.

Print Service Doesn’t Start
• If you expect print service to start automatically when the server starts up, make sure the “Start print service at system startup” option is selected in the Configure Print Service window.
• To verify that the server’s serial number is entered correctly and has not expired, click the General tab, click Server Info, and choose Change Product Serial Number.
• Use Server Status to review the print service log for additional information.

Users Can’t Print
• Check to see that print service is running. Open Server Settings and select the File & Print tab. If the print service is not running, select Print and choose Start Print Service.
• Make sure that the queue users are printing to exists by opening the Print Monitor window. On Mac OS 8 or Mac OS 9 computers, use the Chooser (for AppleTalk print queues) or Desktop Printer Utility (for LPR print queues) to make sure the printer setup is correct. On Mac OS X, use the Print Center to add print queues to the printer list.
• Verify that the queue users are printing to is shared correctly. SMB is for Windows users only. LPR is a standard protocol that users on (some) Windows computers, as well as on Macintosh, UNIX, and other computers, can use for printing.
• Verify that Mac OS clients have TCP/IP set up correctly.
• If Windows NT 4.x clients can’t print to the server, make sure that the queue name is not the TCP/IP address of the printer or server. Use the DNS host name instead of the printer or server address or, if there is none, enter a queue name containing only letters and numbers.

Print Jobs Don’t Print
• Check the Print Monitor window to make sure that the queue is not on hold. Open Server Settings, click the File & Print tab, click Print, and choose Show Print Monitor.
• Make sure that the printer is connected to the server or to the network to which the server is connected.
• Make sure the printer is turned on and that there are no problems with the printer itself (out of paper, paper jams, and so on).
• Review the print logs for additional information. Open Server Status, select Print under the server name in the Devices & Services list, and click the Logs tab.

Print Queue Becomes Unavailable
• If you changed the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not be printed. Users need to set up their computers again to use the queue with its new name. See “Setting Up Printing on Client Computers” on page 323.

Chapter 8 Web Service

Web service in Mac OS X Server offers an integrated Internet server solution. Web service is easy to set up and manage, so you don’t need to be an experienced Web administrator to set up multiple Web sites and configure and monitor your Web server.
Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements. This has led to Apache’s widespread use, making it the most popular Web server on the Internet today.
Web administrators can use Server Settings to administer Web service without knowing anything about advanced settings or configuration files.
Web administrators proficient with Apache can choose to administer Web service using Apache’s advanced features.

In addition, Web service in Mac OS X Server includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.

Web service also includes support for Web-based Distributed Authoring and Versioning, known as WebDAV. With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, the WebDAV command set is rich enough that client computers with Mac OS X installed can use a WebDAV-enabled Web server as if it were a file server.

Since Web service is based on Apache, you can add advanced features with plug-in modules. Apache modules allow you to add support for Simple Object Access Protocol (SOAP), Java, and CGI languages such as Python.

Before You Begin

This section provides information you need to know before you set up Web service for the first time. You should read this section even if you are an experienced Web administrator, as some features and behaviors may be different from what you expect.

Configuring Web Service

You can use Server Settings to set up and configure the most frequently used features of Web service. If you are an experienced Apache administrator and need to work with features of the Apache Web server that aren’t included in Server Settings, you can modify the appropriate configuration files. However, Apple does not provide technical support for modifying Apache configuration files. If you choose to modify a file, be sure to make a backup copy first. Then you can revert to the copy should you have problems.
For more information about Apache modules, see the Apache Software Foundation Web site at www.apache.org.

Providing Secure Transactions

If you want to provide secure transactions on your server, you should set up Secure Sockets Layer (SSL) protection. SSL lets you send encrypted, authenticated information across the Internet. If you want to allow credit card transactions through your Web site, for example, you can use SSL to protect the information that’s passed to and from your site. For instructions on how to set up secure transactions, see “Setting Up Secure Sockets Layer (SSL) Service” on page 361.

Setting Up Web Sites

Before you can host a Web site, you must
• register your domain name with a domain name authority
• create a folder for your Web site on the server
• create a default page in the folder for users to see when they connect
• verify that DNS is properly configured if you want clients to access your Web site by name

When you are ready to publish, or enable, your site, you can do this using Server Settings. The Sites pane in the Configure Web Service window lets you add a new site and select a variety of settings for each site you host. See “Managing Web Sites” on page 349 for more information.

Hosting More Than One Web Site

You can host more than one Web site simultaneously on your Web server. Depending on how you configure your sites, they may share the same domain name, IP address, or port. The unique combination of domain name, IP address, and port identifies each separate site.

Your domain names must be registered with the domain name authority (InterNIC). Otherwise, the Web site associated with the domain won’t be visible on the Internet. (There is a fee for each additional name you register.)

If you configure Web sites using multiple domain names and one IP address, older browsers that do not support HTTP 1.1 or later (and therefore don’t send the “Host” request header) will not be able to access your sites.
This is an issue only with software released prior to 1997 and does not affect modern browsers. If you think your users will be using very old browser software, you’ll need to configure your sites with one domain name per IP address.

Understanding WebDAV

If you use WebDAV to provide live authoring on your Web site, you should create realms and set access privileges for users. Each site you host can be divided into a number of realms, each with its own set of users and groups that have either browsing or authoring privileges. If your Web site is on an intranet, you may not want to create realms.

Defining Realms

When you define a realm, which is typically a folder (or directory), the access privileges you set for the realm apply to all the contents of that directory. If a new realm is defined for one of the folders within the existing realm, only the new realm privileges apply to that folder and its contents. For information about creating realms and setting access privileges, see “Setting Access for WebDAV-Enabled Sites” on page 354.

Setting WebDAV Privileges

The Apache process running on the server needs to have access to the Web site’s files and folders. To do this, Mac OS X Server installs a user named “www” and a group named “www” in the server’s Users & Groups List. The Apache processes that serve Web pages run as the www user and as members of the www group. You need to give the www group read access to files within Web sites so that the server can transfer the files to browsers when users connect to the sites. If you’re using WebDAV, the www user and www group both need write access to the files and folders in the Web sites. In addition, the www user and group need write access to the /var/run/davlocks directory.

Understanding WebDAV Security

WebDAV lets users update files in a Web site while the site is running. When WebDAV is enabled, the Web server must have write access to the files and folders within the site users are updating.
This has significant security implications when other services are running on the server, because individuals responsible for one site may be able to modify other sites.

You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of Server Settings. Mac OS X Server uses a predefined group named “www,” which contains the Apache processes. You need to give the www group read and write access to files within the Web site. You also need to assign read and write access to the Web site administrator (owner) and None (no access) to Everyone.

If you are concerned about Web site security, you may choose to leave WebDAV disabled and use Apple file service or FTP service to modify the contents of a Web site instead.

Understanding Multipurpose Internet Mail Extension (MIME)

Multipurpose Internet Mail Extension (MIME) is an Internet standard for specifying what happens when a Web browser requests a file with certain characteristics. You can choose the response you want the Web server to make based on the file’s suffix. Your choices will depend partly on what modules you have installed on your Web server. Each combination of a file suffix and its associated response is called a MIME type mapping.

MIME Suffixes

A suffix describes the type of data in a file. Here are some examples:
• txt for text files
• cgi for Common Gateway Interface files
• gif for GIF (graphics) files
• php for “PHP: Hypertext Preprocessor” (embedded HTML scripts) used for WebMail, etc.
• tiff for TIFF (graphics) files

Mac OS X Server includes a default set of MIME type suffixes. This set includes all the suffixes in the mime.types file distributed with Apache, with a few additions. If a suffix you need is not listed, or does not have the behavior you want, use Server Settings to add the suffix to the set or to change its behavior.

Note: Do not add or change MIME suffixes by editing configuration files.
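The following shell script is an added example, not part of the guide: it models the suffix-to-response lookup that a MIME type mapping defines, using a constructed mapping table, and then lists the files under a Documents folder whose suffix has no mapping at all. Such files fall back to Apache 1.3’s DefaultType (text/plain unless httpd.conf changes it), so a stray backup copy of a script is served as its source text; the mapping table, file names and the unmapped_files check are assumptions for illustration.

```shell
#!/bin/sh
# Added example; it is not part of the Mac OS X Server guide. It models the
# suffix-to-response lookup described above and lists files in a Documents
# folder whose suffix has no mapping at all.

# Constructed sample of a server's mapping table, one "suffix response" per
# line. A response containing "/" is a MIME type; anything else is an action.
MIME_MAP='
txt  text/plain
html text/html
jpg  image/jpeg
gif  image/gif
cgi  cgi-script
asis send-as-is
'

# suffix_of PATH -> the final suffix of the file name, lowercased
# ("photo.JPG" -> "jpg", "db.php.bak" -> "bak", "README" -> nothing).
suffix_of() {
    base=${1##*/}
    case "$base" in
        *.*) printf '%s\n' "${base##*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   printf '\n' ;;
    esac
}

# response_for PATH -> "type <mime>", "action <name>", or "default text/plain"
# when the suffix is unmapped. The fallback is Apache 1.3's DefaultType
# (text/plain unless httpd.conf changes it): the file's bytes go out verbatim.
response_for() {
    sfx=$(suffix_of "$1")
    resp=$(printf '%s\n' "$MIME_MAP" |
        awk -v s="$sfx" 'NF == 2 && $1 == s { print $2; exit }')
    if [ -z "$resp" ]; then
        printf 'default text/plain\n'
    elif [ "${resp#*/}" != "$resp" ]; then
        printf 'type %s\n' "$resp"
    else
        printf 'action %s\n' "$resp"
    fi
}

# unmapped_files DIR -> paths (relative to DIR) of files that would be served
# with the fallback type. Backup copies of scripts and include files with odd
# suffixes show up here; served as text/plain they disclose their source.
unmapped_files() {
    find "$1" -type f | while IFS= read -r f; do
        case "$(response_for "$f")" in
            default*) printf '%s\n' "${f#"$1"/}" ;;
        esac
    done | LC_ALL=C sort
}

# Demo: resolve a few constructed file names.
for name in index.html form.cgi photo.JPG db.php.bak; do
    printf '%-12s -> %s\n' "$name" "$(response_for "$name")"
done
```

To audit a real server, run unmapped_files against the guide’s /Library/WebServer/Documents folder and add a mapping, or remove the file, for each entry it prints.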
Web Server Responses

When a file is requested, the Web server handles the file using the response specified for the file’s suffix. Responses can be either an action or a MIME type. Possible responses include
• return file as MIME type (you enter the mapping you want to return)
• send-as-is (send the file exactly as it exists)
• cgi-script (run a CGI script you designate)
• imap-file (generate an IMAP mail message)
• mac-binary (download a compressed file in MacBinary format)

MIME type mappings are divided into two subfields separated by a forward slash, such as “text/plain.” Mac OS X Server includes a list of default MIME type mappings. You can edit these and add others.

When you specify a MIME type as a response, the server identifies the type of data requested and sends the response you specify. For example, if the browser requests a file with the suffix “jpg,” and its associated MIME type mapping is “image/jpeg,” the server knows it needs to send an image file and that its format is JPEG. The server doesn’t have to do anything except serve the data requested.

Actions are handled differently. If you’ve mapped an action to a suffix, your server runs a program or script, and the result is served to the requesting browser. For example, if a browser requests a file with the suffix “cgi,” and its associated response is the action “cgi-script,” your server will run the script and send the resulting data back to the requesting browser.

Setting Up Web Service for the First Time

Follow the steps below to set up Web service for the first time. If you need more information to perform any of these tasks, see “Managing Web Service” on page 342 and “Managing Web Sites” on page 349.

Step 1: Set up the Documents folder

When your server software is installed, a folder named Documents is set up automatically. Put any items you want to make available through a Web site in the Documents folder.
You can create folders within the Documents folder to organize the information. The folder is located in this directory:
/Library/WebServer/Documents

In addition, each registered user has a Sites folder in the user’s own home directory. Any graphics or HTML pages stored in the user’s Sites folder will be served from this URL:
server.example.com/~username/

Step 2: Create a default page

Whenever users connect to your Web site, they see the default page. When you first install the software, the file “index.html” in the Documents folder is the default page. You’ll need to replace this file with the first page of your Web site and name it “index.html.” If you want to call the file something else, make sure you change the default document name in the General pane of the site settings window. For more information about Web site settings, see “Managing Web Sites” on page 349.

Step 3: Assign privileges for your Web site

The Apache process running on the server must have access to the Web site’s files and folders. To allow this access, Mac OS X Server creates a group named “www,” made up of the Apache processes. You need to give the www group read-only access to files within your Web site so that it can transfer those files to browsers when users connect to the site. For information about assigning privileges, see Chapter 4, “Sharing.”

Step 4: Configure Web service

The default configuration works for most Web servers that host a single Web site, but you can configure all the basic features of Web service and Web sites using Server Settings. To host user Web sites, you must configure at least one Web site. To access the configuration settings, click Web and choose Configure Web Service. Choose the settings you want for your server and your Web site. For information about these settings, see “Managing Web Service” on page 342.

Step 5: Start Web service

In Server Settings, click the Internet tab. Click Web and choose Start Web Service.
When the service is running, you see a globe on the Web icon.

Step 6: Connect to your Web site

To make sure the Web site is working properly, open your browser and try to connect to your Web site over the Internet. If your site isn’t working correctly, see “Solving Problems” on page 364.

Managing Web Service

The Configure Web Service window lets you set and modify most options for your Web service and Web sites.

To access the Configure Web Service window:
1 In Server Settings, click Web and choose Configure Web Service.
2 Click one of the four tabs to see the settings in that pane.

Important: Always use Server Settings to start and stop the Web server. You can start the Web server from the command line, but Server Settings won’t show the change in status for several seconds. Server Settings is the preferred method to start, stop, and modify Web service settings.

Starting or Stopping Web Service

You start and stop Web service from the Server Settings application.

To start or stop Web service:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Start Web Service or Stop Web Service.

If you stop Web service, users connected to any Web site hosted on your server are disconnected immediately.

Starting Web Service Automatically

You can set Web service to start automatically whenever the server starts up. This will ensure that your Web sites are available if there’s been a power failure or the server shuts down for any reason.

To have Web service start automatically:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Select “Start Web service on system startup.”

Modifying MIME Mappings

Multipurpose Internet Mail Extension (MIME) is an Internet standard for describing the contents of a file. The MIME Types pane lets you set up how your Web server responds when a browser requests certain file types.
For more information about MIME types and MIME type mappings, see “Understanding Multipurpose Internet Mail Extension (MIME)” on page 340.

The Web server is set up to handle the most common MIME types. You can add, edit, or delete MIME type mappings.

To add or modify a MIME type mapping:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the MIME Types tab.
4 Click Add to add a new mapping, or select a mapping and click Edit, Duplicate, or Delete. (If you choose Delete, you’ve finished.)
5 Type the file suffix that describes the type of data in files handled by this mapping.
6 Choose a Web server response from the Response pop-up menu. If you choose “Return file as MIME type,” enter the MIME type you want to return.
7 Click Save.

If you choose a response that is a Common Gateway Interface (CGI) script, make sure you have enabled CGI execution for your site in the Options pane of the site settings window.

Setting Up Persistent Connections for Web Service

You can set up Web service to respond to multiple requests from a client computer without closing the connection each time. Repeatedly opening and closing connections isn’t very efficient and decreases performance.

To set up persistent connections:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 In the General pane, enter a number in the Maximum Persistent Connections field. If you set the number to zero, there is no limit to the number of requests allowed per connection. However, the default setting of 500 provides better performance.
4 Enter a number in the Connection Timeout field if you want to specify the amount of time that can pass between requests before the session is disconnected by the Web server.
5 Click Save, then restart Web service.

Limiting Simultaneous Connections for Web Service

You can limit the number of simultaneous connections to your Web server. When the maximum number of connections is reached, new requests receive a message that the server is busy.

To set the maximum number of connections to your Web server:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 In the General pane, enter a number in the Maximum Simultaneous Requests field. The default maximum is 500, but you can set the number as high or as low as you want to, taking into consideration the desired performance of your server.
4 Click Save, then restart Web service.

Setting Up Proxy Caching for Web Service

A proxy lets users check a local server for frequently used files. You can use a proxy to speed up response times and reduce network traffic. The proxy stores recently accessed files in a cache on your Web server. Browsers on your network check the cache before retrieving files from more distant servers. To take advantage of this feature, client computers must specify your Web server as their proxy server in their browser preferences.

To set up a proxy:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Proxy tab and select Enable Proxy.
4 Set the maximum cache size. When the cache reaches this size, the oldest files are deleted from the cache folder.
5 Type the path name for the folder in the Cache Folder field. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
If you change the folder location from the default, you will have to select the new folder in the Finder, select Get Info and change the owner and group to www.
6 Click Save, then restart Web service.

Blocking Web Sites From Your Web Server Cache

If your Web server is set up to act as a proxy, you can prevent the server from caching objectionable Web sites. You can import a list of Web sites you want to block. The list must be a text file with the host names separated by white space (lines, spaces, or tabs).

To block Web sites:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Proxy tab and select Enable Proxy.
4 Type the URL of the Web site you want to block in the field and click Add. Or click Import to import a list of Web sites.
5 Click Save, then restart Web service.

Enabling SSL for Web Service

If you plan to set up Secure Sockets Layer (SSL) service and enable it for Web sites, you need to enable it for the entire Web service. Once you enable SSL service you can configure SSL for each site hosted on your server. For more information about configuring SSL for a specific Web site, see “Enabling SSL” on page 357.

To enable SSL for Web service:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click “Enable SSL support.”
4 Click Save, then restart Web service.

Setting Up the SSL Log for a Web Server

If you are using Secure Sockets Layer (SSL) on your Web server, you can set up a file to log SSL transactions and errors.

To set up an SSL log:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab, select a site to edit, then click Edit.
4 Click the Security tab, select Enable Secure Sockets Layer (SSL), then enter the path name for the folder where you want to keep the SSL log in the SSL Log File field.
5 Click Save, then restart Web service.

Setting Up WebDAV for a Web Server

Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to Web sites while the sites are running. If you enable WebDAV, you also need to assign access privileges for the sites and for the Web folders.

To enable WebDAV:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 In the General pane, select “Enable WebDAV support,” then click the Sites tab.
4 Select a Web site and click Edit, click the Options tab, then select Enable WebDAV.
5 Click the Access tab. Select a realm and click Edit, or click Add to create a new realm. The realm is the part of the Web site users can access.
6 Type the name you want users to see when they log in. The default realm name is the name of the Web site.
7 Type the path to the location in the Web site to which you want to limit access. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8 Click Save.

Starting Tomcat

Tomcat adds Java servlet and JavaServer Pages (JSP) capabilities to Mac OS X Server. Java servlets are Java-based applications that run on your server, in contrast to Java applets, which run on the user’s computer. JavaServer Pages allows you to embed Java servlets in your HTML pages. For more information on Tomcat, see “Installing and Viewing Web Modules” on page 365.

You can set Tomcat to start automatically whenever the server starts up. This will ensure that the Tomcat module starts up after a power failure or after the server shuts down for any reason.
Note: Tomcat is not started by a Startup Item, nor is it started directly by the watchdog process. It is started and stopped by the Server Settings application in conjunction with the serversettingsd process, which uses the /Library/Tomcat/bin/tomcatctl script.

To start Tomcat on server startup:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click “Start Tomcat at system startup.”
4 Click Save, then restart the server.

To verify that Tomcat is running, use a Web browser to access port 9006 of your Web site by entering the URL for your site followed by :9006, for example:
http://example.com:9006

If Tomcat is running, accessing port 9006 will display the default Tomcat home page.

Checking Web Service Status

In the Server Settings application, you can check to see the current state of the server and the performance cache, and which Web modules are active. The Start/Stop Status Messages field displays messages about the server status. If you are not sure what the messages mean, you can find explanations on the Apache Web site: www.apache.org

If Web service is not running, the window shows only the date and time the server stopped.

To view Web service status:
1 In Server Settings, click Internet.
2 Click Web and select Show Web Service Status.

Current requests and current throughput include both Apache and performance cache data. Performance cache requests and throughput include performance cache data only.

Viewing Logs of Web Service Activity

Web service in Mac OS X Server uses the standard Apache log format, so you can use any third-party log analysis tool to interpret the log data.

To view the log files:
1 In Server Status, click Web under your server.
2 Click the Logs tab.
3 Click the log you want to view.

Setting Up Multiple IP Addresses for a Port

When you first set up your server, the Setup Assistant lets you configure one IP address for each Ethernet port available on the server.
On some occasions, you may want to configure multiple IP addresses for a particular port. For example, if you use the server to host multiple Web sites, you may want to accept requests for different domain names (URLs) over the same port. To do so, you need to set up the port to have multiple configurations, one for each domain name, and then use the Web module of Server Settings to map each site to a particular configuration.

To set up multiple IP addresses for a port:
1 Open System Preferences and click Network.
2 Choose Advanced from the Configure pop-up menu.
3 Click New.
4 Enter a name for the new port configuration and choose the port you are configuring from the Port pop-up menu. Click OK.
5 Choose the port configuration you just added from the Configure pop-up menu.
6 Click the TCP tab, then choose Manually from the Configure pop-up menu. Enter the new IP address and other information describing the port. Click Save.

Managing Web Sites

The Sites pane lists your Web sites and provides some basic information about each site. You use the Sites pane to add new sites or change settings for existing sites.

To access the Sites pane:
• In Server Settings, click Web and choose Configure Web Service, then click the Sites tab.

Setting Up the Documents Folder for Your Web Site

To make files available through a Web site, you put the files in the Documents folder for the site. To organize the information, you can create folders inside the Documents folder. The folder is located in this directory:
/Library/WebServer/Documents

In addition, each registered user has a Sites folder in the user’s own home directory. Any graphics or HTML pages stored here will be served from this URL:
http://server.example.com/~username/

To set up the Documents folder for your Web site:
1 Open the Documents folder on your Web server.
If you have not changed the location of the Documents folder, it’s in this directory:
/Library/WebServer/Documents/
2 Replace the index.html file with the main page for your Web site. Make sure the name of your main page matches the default document name you set in the General pane of the site settings window.
3 Copy files you want to be available on your Web site to the Documents folder.

Changing the Default Web Folder for a Site

A site’s default Web folder is used as the root for the site. In other words, the default folder is the top level of the directory structure for the site.

To change the default Web folder for a site hosted on your server:
1 Log in to the server you want to administer.
2 Drag the contents of your previous Web folder to your new Web folder.
3 In Server Settings, log in to the server where the Web site is located.
4 Click the Internet tab, then click Web and choose Configure Web Service.
5 Click the Sites tab.
6 Select a site in the list, then click Edit.
7 Type the path to the Web folder in the Website Folder field, or click the Select button and navigate to the new Web folder location (if accessing this server remotely, file service must be turned on to do this; see Chapter 5, “File Services,” for more information).
8 Click Save, then restart Web service.

Enabling a Web Site on a Server

Before you can enable a Web site, you must create the content for the site and set up your site folders.

To enable the Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab, then click Add.
4 Type the fully qualified DNS name of your Web site in the Name field.
5 Enter the IP address and port number (any number up to 8999) for the site. The default port number is 80. Make sure that the number you choose is not already in use by another service on the server.
6 Enter the path to the folder you set up for this Web site.
You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
7 Enter the file name of your default document (the first page users see when they access your site).
8 Make any other settings you want for this site, then click Save.
9 Click the Enabled box next to the site name in the Sites pane of the Configure Web Service window.
10 Click Save, then restart Web service.

Important: In order to enable your Web site on the server, the Web site must have a unique IP address and port number combination. See “Hosting More Than One Web Site” on page 339 and “Setting Up Multiple IP Addresses for a Port” on page 348 for more information.

Setting the Default Page for a Web Site

The default page appears when a user connects to your Web site by specifying a directory or host name instead of a file name.

To set the default Web page:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site in the list, then click Edit.
5 In the General pane, type a name in the Default Document Name field. A file with this name must be in the Web site folder.
6 Click Save, then restart Web service.

Note: The Default Document Name field can have more than one entry. Any file name containing a space must be enclosed in quotes. Each entry must be separated by a space.

Changing the Access Port for a Web Site

By default, the server uses port 80 for connections to Web sites on your server. You may need to change the port used for an individual Web site, for instance, if you want to set up a streaming server on port 80. Make sure that the number you choose does not conflict with ports already being used on the server (for FTP, Apple file service, SMTP, and others).
If you change the port number for a Web site, you must change all URLs that point to the Web server to include the new port number you choose.

To set the port for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site, then click Edit.
5 Type the port number in the Port field, then click Save.

Improving Performance of Static Web Sites

If your Web sites contain static HTML files, and you expect high usage of the pages, you can enable the performance cache to improve server performance. You should disable the performance cache if
• you do not anticipate heavy usage of your Web site
• most of the pages on your Web site are generated dynamically

The performance cache is enabled by default.

To enable or disable the performance cache for your Web server:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site in the list, then click Edit.
5 In the Options pane, select or deselect “Enable performance cache.”
6 Click Save, then restart Web service.

You can also improve server performance by disabling the access and error logs.

Enabling Access and Error Logs for a Web Site

You can set up error and access logs for individual Web sites that you host on your server. However, enabling the logs can slow server performance.

To enable access and error logs for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site in the list, then click Edit.
5 Click the Logging tab and select the logs you want to enable.
6 Set how often you want the logs to be archived.
7 Type the path to the file where you want to store the logs. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8 Click Save, then restart Web service.

Setting Up Directory Listing for a Web Site

When users specify the URL for a directory, you can display either a default Web page (such as index.html) or a list of the directory contents. You can display either a simple list or a detailed folder list. To set up directory listing, you need to enable indexing for the Web site.

Note: Folder listings are displayed only if no default document is found.

To enable indexing for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site, then click Edit.
5 Select “Enable indexing of folders” in the Options pane. If you want a simple list, skip to step 8. If you want a detailed folder list, continue with the next step.
6 Click Save, then click the General tab of the Configure Web Service window.
7 Select “Enable detailed folder listings.”
8 Click Save, then restart Web service.

Connecting to Your Web Site

Once you configure your Web site, it’s a good idea to view the site with a Web browser to verify that everything appears as intended.

To make sure a Web site is working properly:
1 Open a Web browser and type the Web address of your server. You can use either the IP address or the DNS name of the server.
2 Type the port number, if you are not using the default port.
3 If you’ve restricted access to specific users, enter a valid user name and password.

Enabling WebDAV

Web-based Distributed Authoring and Versioning (WebDAV) allows you or your users to make changes to Web sites while the sites are running. If you enable WebDAV, you also need to assign access privileges for the sites and for the Web folders.

To enable WebDAV:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 In the General pane, select “Enable WebDAV support,” then click the Sites tab.
4 Select a Web site and click Edit, click the Options tab, then select Enable WebDAV.
5 Click the Access tab. Select a realm and click Edit, or click Add to create a new realm. The realm is the part of the Web site users can access.
6 Type the name you want users to see when they log in. The default realm name is the name of the Web site.
7 Type the path to the location in the Web site to which you want to limit access. If file service is running, or if you are using Server Settings on the Mac OS X server, you can click Select and browse to find the location.
8 Click Save.

Setting Access for WebDAV-Enabled Sites
You create realms to provide security for Web sites. Realms are locations within a site that users can view or make changes to when WebDAV is enabled. When you define a realm, you can assign browsing and authoring privileges to users for the realm.

To add users and groups to a realm:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service, then click the Sites tab.
3 Select a site name and click Edit, then click the Access tab.
4 Select a realm and click Edit, or click Add to create a new realm. The default name for a new realm is the name of the Web site.
5 Select the “Everyone” checkbox and choose “can Browse” from the pop-up menu.
6 Drag users and groups from the list of users and groups in Workgroup Manager to the realm window.
7 Select Allow Authoring if you want a user or group to be able to author.
If you don’t select Everyone, you can fully restrict access and add only the users you want to browse and author for this realm. When you select privileges for Everyone, you have these options:
• “Browse” allows everyone who can access this realm to see it. You can add additional users and groups to the User or Group list to enable authoring for them.
• “Browse and Author” allows everyone who has access to this realm to see and make changes to it.
Enabling a Common Gateway Interface (CGI) Script
Common Gateway Interface (CGI) scripts (or programs) send information back and forth between your Web site and applications that provide different services for the site.
• If a CGI is to be used by only one site, install the CGI in the Documents folder for the site. The CGI name must end with the suffix “.cgi”.
• If a CGI is to be used by all sites, install it in the /Library/WebServer/CGI-Executables folder. In this case, clients must include /cgi-bin/ in the URL for the site. For example, http://www.example.com/cgi-bin/test-cgi
• Make sure the file permissions on the CGI allow it to be executed by the user named “www.” Since the CGI typically isn’t owned by www, the file should be executable by everyone.

To enable a CGI for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a Web site in the list and click Edit.
5 Select Enable CGI Execution under Site Options.
6 Click Save, then restart Web service.
Note: For security reasons, the printenv and test-cgi scripts that are pre-installed in the /Library/WebServer/CGI-Executables folder are not executable by default. You may want to make them executable to verify correct operation of CGIs. Use either the Finder or the Terminal application to set their permissions to be executable.
Apple also supports CGIs written in AppleScript, referred to as ACGIs. To run an ACGI, use the Mac OS X Script Editor to save the AppleScript as an application with the Stay Open option. Then start Classic and the ACGI Enabler (in /Applications/Utilities) before you request the file from a browser.

Enabling Server Side Includes (SSI)
Enabling Server Side Includes (SSI) allows a chunk of HTML code or other information to be shared by different Web pages on your site. SSIs can also function like CGIs and execute commands or scripts on the server.
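The CGI permission rule above (executable by everyone because www does not own the file, with printenv and test-cgi shipped non-executable) can be checked from the Terminal. The following script is an added example, not part of the Apple guide; it uses the /Library/WebServer/CGI-Executables path the guide names, and the world-writable check is this script's own addition rather than something the guide states.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: audit the global CGI folder the
# guide describes. The Web server runs CGIs as the "www" user, which usually
# does not own them, so each CGI needs the "others" execute bit. Two further
# checks are this script's own additions:
#  - a CGI that is also writable by others can be rewritten by any local
#    account and will then run under www unchanged, so that is reported;
#  - printenv and test-cgi ship non-executable on purpose; if they were made
#    executable to verify the setup and never reverted, that is reported.

DEFAULT_CGI_DIR=/Library/WebServer/CGI-Executables   # path named in the guide

# audit_cgi_dir DIR
# Prints one finding per line and returns 1 when there is at least one
# finding, 0 when every regular file in DIR passed. Permission bits are read
# from `ls -l` output so the same code runs on Mac OS X and Linux without
# platform-specific stat(1) options.
audit_cgi_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        perm=$(ls -ld "$f" | cut -c1-10)           # e.g. -rwxr-xr-x
        others_w=$(printf '%s' "$perm" | cut -c9)  # 'w' if world-writable
        others_x=$(printf '%s' "$perm" | cut -c10) # 'x' or 't' if world-executable

        diag=0
        case $name in printenv|test-cgi) diag=1 ;; esac
        case $others_x in x|t) executable=1 ;; *) executable=0 ;; esac

        if [ "$diag" -eq 1 ] && [ "$executable" -eq 1 ]; then
            echo "$name: diagnostic script left executable; revert it after testing (chmod a-x)"
            findings=$((findings + 1))
        elif [ "$diag" -eq 0 ] && [ "$executable" -eq 0 ]; then
            echo "$name: not executable by others, so www cannot run it (chmod o+x)"
            findings=$((findings + 1))
        fi
        if [ "$others_w" = "w" ]; then
            echo "$name: writable by everyone; any local user can replace what www executes (chmod o-w)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh cgi_audit.sh [directory]
# With no argument the guide's CGI folder is audited if it exists; otherwise
# the script only defines audit_cgi_dir so it can be sourced from another script.
if [ $# -gt 0 ] || [ -d "$DEFAULT_CGI_DIR" ]; then
    audit_cgi_dir "${1:-$DEFAULT_CGI_DIR}"
    exit $?
fi
```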
Note: Enabling SSI requires making changes to UNIX configuration files in the Terminal application. To enable SSI, you must be comfortable with typing UNIX commands and using a UNIX text editor.

To enable SSI:
1 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf
2 Add the following line to each virtual host for which you want SSI enabled:
    Options Includes
To enable SSI for all virtual hosts, add the line outside any virtual host block.
3 In Server Settings, click Web and add “index.shtml” to the set of default index files for each virtual host.
By default, the mime_macosxserver.conf file maintained by Server Settings contains the following two lines:
    AddHandler server-parsed shtml
    AddType text/html shtml
If your SSI files use a file extension other than .shtml, you should add that type to the mime_macosxserver.conf file. You can add MIME types in Server Settings from the MIME Types tab. The changes take effect when you restart the Web service.

Monitoring Web Sites
You can use the Sites pane to check the status of your Web sites. The Sites pane shows
• whether a site is enabled
• the site’s DNS name and IP address
• the port being used for the site
Double-clicking a site in the Sites pane opens the site settings window, where you can view or change the settings for the site.

To access the Sites pane:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.

Setting Server Responses to MIME Types
Multipurpose Internet Mail Extension (MIME) is an Internet standard for specifying what happens when a Web browser requests a file with certain characteristics. A file’s suffix describes the type of data in the file. Each suffix and its associated response together are called a “MIME type mapping.” See “Understanding Multipurpose Internet Mail Extension (MIME)” on page 340 for more information.
To set the server response for a MIME type:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the MIME Types tab and then click Add, or select a MIME type and click Edit.
4 Type the file suffix associated with this mapping in the File Suffix field.
5 Choose the server response from the pop-up menu, or type the file type in the Return MIME Type field. If you return a CGI, make sure you’ve enabled CGI execution for the Web site.
6 Click Save, then restart Web service.

Enabling SSL
Before you can enable Secure Sockets Layer (SSL) protection for a Web site, you have to obtain the proper certificates. For more information, see “Setting Up Secure Sockets Layer (SSL) Service” on page 361.

To set up SSL for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click the Sites tab.
4 Select a site and click Edit.
5 Click the Security tab, then select Enable Secure Sockets Layer (SSL).
6 Click each button in the Security pane and paste the contents of the appropriate certificate or key in the text field for each. Click Save before going on to the next button.
7 Type the location of the SSL log file in the SSL Log File field. You can also click the Select button and browse for the folder you want to use. If you are administering a remote server, file service must be running on the local machine to use the Select button.
8 Click Save, then restart Web service.

Enabling PHP
PHP (PHP: Hypertext Preprocessor) is a scripting language embedded in HTML that is used to create dynamic Web pages. PHP provides functions similar to those of CGI scripts, but supports a variety of database formats and can communicate across networks via many different protocols. The PHP libraries are included in Mac OS X Server, but are disabled by default. See “Installing and Viewing Web Modules” on page 365 for more information on PHP.
Note: Enabling PHP requires making changes to UNIX configuration files in the Terminal application. To enable PHP, you must be comfortable with typing UNIX commands and using a UNIX text editor.

To enable PHP:
1 In the Terminal application, use a text editor to edit /etc/httpd/httpd.conf
2 Enable PHP by removing the comment character, #, from the following lines, which are located in various places in the file:
    #LoadModule php4_module /usr/libexec/httpd/libphp4.so
    #AddModule mod_php4.c
3 Save the changes and close the file.
The changes take effect when you restart the Web service.

WebMail
WebMail adds basic email functions to your Web site. If your Web service hosts more than one Web site, WebMail can provide access to mail service on any or all of the sites. The mail service looks the same on all sites. The WebMail software is included in Mac OS X Server, but is disabled by default.
Note: Enabling WebMail requires making changes to UNIX configuration files in the Terminal application. To enable WebMail, you must be comfortable with typing UNIX commands and using a UNIX text editor.
The WebMail software is based on SquirrelMail, which is a collection of open-source scripts run by the Apache server. For more information on SquirrelMail, see this Web site: www.squirrelmail.org

WebMail Users
If you enable WebMail, a Web browser user can
• compose messages and send them
• receive messages
• forward or reply to received messages
• maintain a signature that is automatically appended to each sent message
• create, delete, and rename folders and move messages between folders
• attach files to outgoing messages
• retrieve attached files from incoming messages
• manage a private address book
• set WebMail preferences, including the color scheme displayed in the Web browser
To use your WebMail service, a user must have an account on your mail server.
Therefore, you must have a mail server set up if you want to offer WebMail on your Web sites.
Users access your Web site’s WebMail page by appending /WebMail to the URL of your site. For example, http://mysite.example.com/WebMail
Users log into WebMail with the name and password they use for logging in to regular mail service. WebMail does not provide its own authentication. For more information on mail service users, see “Supporting Mail Users” on page 405 in Chapter 9, “Mail Service.”
When users log in to WebMail, their passwords are sent over the Internet in clear text (not encrypted) unless the Web site is configured to use SSL. For instructions on configuring SSL, see “Enabling SSL for Web Service” on page 346.
WebMail users can consult the user manual for SquirrelMail at the following Web page: www.squirrelmail.org/wiki/UserManual

WebMail and Your Mail Server
WebMail relies on your mail server to provide the actual mail service. WebMail merely provides access to the mail service through a Web browser. WebMail cannot provide mail service independent of a mail server.
WebMail uses the mail service of your Mac OS X Server by default. You can designate a different mail server if you are comfortable using the Terminal application and UNIX command-line tools. For instructions, see “Configuring WebMail” on page 360.

WebMail Protocols
WebMail uses standard email protocols and requires your mail server to support them:
• Internet Message Access Protocol (IMAP) for retrieving incoming mail
• Simple Mail Transfer Protocol (SMTP) for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)
WebMail does not support retrieving incoming mail via Post Office Protocol (POP). Even if your mail server supports POP, WebMail does not.

Enabling WebMail
You can enable WebMail for the Web site (or sites) hosted by your Web service. Changes take effect when you restart Web service.
1 Make sure your mail service is started and configured to provide IMAP and SMTP service. The mail service of Mac OS X Server provides IMAP and SMTP service by default. For details on mail service configuration, see Chapter 9, “Mail Service.”
2 Make sure IMAP mail service is enabled in the user accounts of the users you want to have WebMail access. For details on mail settings in user accounts, see “Working With Mail Settings for Users” on page 150 in Chapter 3, “Users and Groups.”
3 Enable PHP according to the instructions on page 357.
4 In the Terminal application, use a text editor to edit /etc/httpd/httpd_macosxserver.conf and add the following line:
    Include /etc/httpd/httpd_squirrelmail.conf
Where you add this line depends on whether your server hosts multiple Web sites and whether you want all or some hosted Web sites to have WebMail. If your server hosts only one Web site or you want all Web sites to have WebMail, add the “Include” line outside all <VirtualHost> blocks. If you want only some Web sites hosted by your server to have WebMail, add the “Include” line at or near the top of the <VirtualHost> block for each of your Web sites that you want to have WebMail service. Here is an example of the beginning of a <VirtualHost> block for a Web site at 192.0.32.72 with the “Include” line added:
    <VirtualHost 192.0.32.72>
    ServerName www.example.com
    Include /etc/httpd/httpd_squirrelmail.conf
5 Add the default document name “index.php” to the default documents for the site. This allows the server to display the default WebMail page if a client requests a URL for a folder without including a document name. See “Setting the Default Page for a Web Site” on page 351 for more information on adding a default document name.

Configuring WebMail
WebMail is based on SquirrelMail, an open-source module for the Apache Web server that provides Web service for Mac OS X Server. SquirrelMail has several options that you can configure to integrate WebMail with your site.
The options and their default settings are as follows:
• Organization Name is displayed on the main WebMail page when a user logs in. The default is Mac OS X Server WebMail.
• Organization Logo specifies the relative or absolute path to an image file.
• Organization Title is displayed as the title of the Web browser window while viewing a WebMail page. The default is Mac OS X Server WebMail.
• Trash Folder is the name of the IMAP folder where mail service puts messages when the user deletes them. The default is Deleted Messages.
• Sent Folder is the name of the IMAP folder where mail service puts messages after sending them. The default is Sent Messages.
• Draft Folder is the name of the IMAP folder where mail service puts the user’s draft messages. The default is Drafts.
You can configure these and other settings—such as which mail server provides mail service for WebMail—by running an interactive Perl script in a Terminal window, with root privileges. These configuration settings apply to all Web sites hosted by your Web service.

To configure basic WebMail options:
1 In the Terminal application, type
    cd /opt/squirrelmail/configure
    sudo ./conf.pl
2 Follow the instructions displayed in the Terminal window.
WebMail configuration changes do not require restarting Web service unless users are logged in to WebMail.
To further customize the appearance (for example, to provide a specific appearance for each of your Web sites), you need to know how to write PHP scripts. In addition, you need to become familiar with the SquirrelMail plug-in architecture and write your own SquirrelMail plug-ins.

Setting Up Secure Sockets Layer (SSL) Service
If you want to provide secure transactions on your server, such as allowing users to purchase items from a Web site, you should set up Secure Sockets Layer (SSL) protection. SSL lets you send encrypted, authenticated information across the Internet.
If you want to allow credit card transactions through a Web site, for example, you can protect the information that’s passed to and from that site.
After you generate a certificate signing request (CSR) and submit it, the certificate authority sends you a certificate that you install on your server. They may also send you a CA certificate (ca.crt). Installing this file is optional. Normally, CA certificates reside in client applications such as Internet Explorer and allow those applications to verify that the server certificate originated from the right authority. However, CA certificates expire or evolve, so some client applications may not be up to date.

Generating a Certificate Signing Request (CSR) for Your Server
The CSR is a file that provides information needed to set up your server certificate.

To generate a CSR for your server:
1 Log in to your server using the root password and open the Terminal application.
2 At the prompt, type these commands and press Return at the end of each one.
    cd
    openssl md5 * > rand.dat
    openssl genrsa -rand rand.dat -des 1024 > key.pem
3 At the next prompt, type a passphrase, then press Return. The passphrase you create unlocks the server’s certificate key. You will use this passphrase when you enable SSL on your Web server.
4 If it doesn’t already exist on your server, create a directory at the following location: /etc/httpd/ssl.key
Make a copy of the key.pem file (created in step 2) and rename it server.key. Then copy server.key to the ssl.key directory.
5 At the prompt, type the following command and press Return.
    openssl req -new -key key.pem -out csr.pem
This generates a file named csr.pem in your home directory.
6 When prompted, enter the following information:
• Country: The country in which your organization is located.
• State: The full name of your state.
• Locality: The city in which your organization is located.
• Organizational name: The organization to which your domain name is registered.
• Organizational unit: Usually something similar to a department name.
• Common name of your Web server: The DNS name, such as server.apple.com.
• Email address: The email address to which you want the certificate sent.
The file “csr.pem” is generated from the information you provided.
7 At the prompt, type the following, then press Return.
    cat csr.pem
The cat command lists the contents of the file you created in step 5 (csr.pem). You should see the phrase “Begin Certificate Request” followed by a cryptic message. The message ends with the phrase “End Certificate Request.” This is your certificate signing request (CSR).

Obtaining a Web Site Certificate
You must purchase a certificate for each Web site from an issuing authority. Keep these important points in mind when purchasing your certificate:
• You must provide an InterNIC-registered domain name that’s registered to your organization.
• If you are prompted to choose a software vendor, choose Apache Freeware with SSLeay.
• You have already generated a CSR, so when prompted, open your CSR file using a text editor. Then copy and paste the contents of the CSR file into the appropriate text field on the issuing authority’s Web site.
After you’ve completed the process, you’ll receive an email message that contains a Secure Server ID. This is your server certificate. When you receive the certificate, save it to your Web server’s hard disk as a file named server.crt.

Installing the Certificate on Your Server
1 Log in to your server as the administrator or super user (also known as root).
2 If it doesn’t already exist on your server, create a directory with this name: /etc/httpd/ssl.crt
3 Copy server.crt (the file that contains your Secure Server ID) to the ssl.crt directory.

Enabling SSL for the Site
1 In Server Settings, click Web and choose Configure Web Service.
2 Make sure Enable SSL support is selected for the entire site.
3 Click Sites, then select the site where you plan to use the certificate, and click Edit.
4 Click the Security tab.
5 Select Enable Secure Socket Layer (SSL).
6 Click Edit Certificate File and paste the text from your certificate file (the certificate you obtained from the issuing authority) in the text field, then click Save.
7 Click Edit Key File and paste the text from your key file (the file key.pem, which you set up earlier) in the text field, then click Save.
8 Click Edit CA Certificate File and paste the text from the ca.crt file in the text field. (This is an optional file that you may have received from the certificate authority.) Click Save.
9 Click in the Pass Phrase field and type the passphrase you created when you generated the key for your CSR, then click Save.
10 Set the location of the log file that will record SSL transactions and click Save.
11 Stop and then start Web service.

Solving Problems

Users Can’t Connect to a Web Site on Your Server
• Make sure that Web service is turned on and the site is enabled.
• Check the Start/Stop Status Messages field in the Web Service Status window for messages. If you are not sure what the messages mean, you’ll find explanations on the Apache Web site at: www.apache.org
• Check the Apache access and error logs.
• Make sure users are entering the correct URL to connect to the Web server.
• Make sure that the correct folder is selected as the default Web folder. Make sure that the correct HTML file is selected as the default document page.
• If your Web site is restricted to specific users, make sure those users have access privileges to your Web site.
• Verify that users’ computers are configured correctly for TCP/IP. If the TCP/IP settings appear correct, use a “pinging” utility that allows you to check network connections.
• Verify that the problem is not a DNS problem. Try to connect with the IP address of the server instead of its DNS name.
• Make sure your DNS server’s entries for the Web site’s IP address and domain name are correct.

A Web Module Is Not Working as Expected
• Check the error log in Server Status for information about why the module might not be working correctly.
• If the module came with your Web server, check the Apache documentation for that module and make sure the module is intended to work the way you expected.
• If you installed the module, check the documentation that came with the Web module to make sure it is installed correctly and is compatible with your server software.
For more information on supported Apache modules for Mac OS X Server, see this Web site: www.apache.org/docs/mod/

A CGI Will Not Run
• Check the CGI’s file permissions to make sure the CGI is executable by www. If not, the CGI won’t run on your server even if you enable CGI execution in Server Settings.

Installing and Viewing Web Modules
Modules “plug in” to the Apache Web server software and add functionality to your Web site. Apache comes with some standard modules, and you can purchase modules from software vendors or download them from the Internet. You can find information about available Apache modules at this Web site: www.apache.org/docs/mod
• To view a list of Web modules installed on your server, in Server Settings click Internet, click Web, then select Show Web Service Status.
• To install a module, follow the instructions that came with the module software. The Web server loads modules from this directory: /usr/libexec/httpd/
In addition, you must change the httpd.conf file to load and then add new modules.

Macintosh-Specific Modules
Web service in Mac OS X Server installs some modules specific to the Macintosh. These modules are described in this section.

mod_macbinary_apple
This module packages files in the MacBinary format, which allows Macintosh files to be downloaded directly from your Web site.
A user can download a MacBinary file using a regular Web browser by adding “.bin” to the URL used to access the file.

mod_sherlock_apple
This module lets Apache perform relevance-ranked searches of the Web site using Sherlock. Once you index your site using the Finder, you can provide a search field for users to search your Web site.
• Choose Get Info in the Finder to index a folder’s contents.
Note: You must be logged in as root for the index to be copied to the Web directory in order to be searchable by a browser.
Clients must add .sherlock to your Web site’s URL to access a page that allows them to search your site. For example: http://www.example.com/.sherlock

mod_auth_apple
This module allows a Web site to authenticate users by looking for them in directory service domains within the server’s search policy. When authentication is enabled, Web site visitors are prompted for a user name and password before they can access information on the site.

mod_redirectacgi_apple
This module works in conjunction with the ACGI Enabler application to allow users to execute ACGI programs (Mac OS CGIs). To enable an ACGI, log in as the administrator and open the ACGI Enabler application. Do not log out of the application—it must be running for ACGIs to work.

mod_hfs_apple
This module requires users to enter URLs for HFS volumes using the correct case (lowercase or uppercase). On a case-insensitive volume, a URL that differs from a restricted path only in letter case would otherwise still reach that path, so this module adds security for such volumes. If a restriction exists for a volume, users who request the wrong case receive a message that the URL is not found.

Open-Source Modules
Mac OS X Server includes these popular open-source modules: Tomcat, PHP: Hypertext Preprocessor, and mod_perl.

Tomcat
The Tomcat module, which uses Java-like scripting, is the official reference implementation for two complementary technologies developed under the Java Community Process:
• Java Servlet 2.2. For the Java Servlet API specifications, see the following site: java.sun.com/products/servlets
• JavaServer Pages 1.1.
For these API specifications, see java.sun.com/products/jsp
If you want to use Tomcat, you must activate it first. See “Starting Tomcat” on page 347 for instructions.

PHP: Hypertext Preprocessor
PHP lets you handle dynamic Web content by using a server-side HTML-embedded scripting language resembling C. Web developers embed PHP code within HTML code, allowing programmers to integrate dynamic logic directly into an HTML script rather than write a program that generates HTML. PHP provides CGI capability and supports a wide range of databases. Unlike client-side JavaScript, PHP code is executed on the server. PHP is also used to implement WebMail on Mac OS X Server. For more information about this module, see www.php.net

mod_perl
This module integrates the complete Perl interpreter into the Web server, letting existing Perl CGI scripts run without modification. This integration means that the scripts run faster and consume fewer system resources. For more information about this module, see perl.apache.org

MySQL
MySQL provides a relational database management solution for your Web server. With this open-source software, you can link data in different tables or databases and provide the information on your Web site. The MySQL Manager application simplifies setting up the MySQL database on Mac OS X Server. You can use MySQL Manager to initialize the MySQL database, and to start and stop the MySQL service.
MySQL is pre-installed on Mac OS X Server, with its various files already in the appropriate locations. At some point you may wish to upgrade to a newer version of MySQL. You may install the new version in /usr/local/mysql; however, MySQL Manager will not be aware of the new version of MySQL and will continue to control the pre-installed version. If you do install a newer version of MySQL, use MySQL Manager to stop the pre-installed version, then start the newer version via the config file.
For more information on MySQL, see www.mysql.com

Where to Find More Information
For information about configuration files and other aspects of Apache Web service, see these resources:
• Apache: The Definitive Guide, 2nd Edition, by Ben Laurie and Peter Laurie (O’Reilly and Associates, 1999)
• Writing Apache Modules with Perl and C, by Lincoln Stein and Doug MacEachern (O’Reilly and Associates, 1999)
• Web Performance Tuning, by Patrick Killelea (O’Reilly and Associates, 1998)
• Web Security & Commerce, by Simson Garfinkel and Gene Spafford (O’Reilly and Associates, 1997)
• For more information about Apache, see the Apache Web site: www.apache.org
• For an inclusive list of methods used by WebDAV clients, see RFC 2518. RFC documents provide an overview of a protocol or service that can be helpful for novice administrators, as well as more detailed technical information for experts. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs

CHAPTER 9
Mail Service
Mail service in Mac OS X Server allows network users to send and receive email over your network or across the Internet. The mail service sends and receives email using the standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP). The mail service also uses a Domain Name System (DNS) service to determine the address of outgoing mail. This chapter begins with a look at the standard protocols used for sending and receiving email.
It goes on to explain how mail service works, summarize the aspects of mail service management, and tell you how to
• manage mail service
• manage incoming and outgoing mail
• manage the mail database
• monitor and log mail activity
• limit junk mail
• handle undeliverable mail
• support mail users
• improve mail service performance
• back up and restore mail files

Mail Service Protocols
A standard mail setup uses SMTP to send outgoing email and POP and IMAP to receive incoming email. Mac OS X Server includes an SMTP service and a combined POP and IMAP service. You may find it helpful to take a closer look at the three email protocols.

Post Office Protocol (POP)
The Post Office Protocol (POP) is used only for receiving mail, not for sending mail. The mail service of Mac OS X Server stores incoming POP mail until users have their computers connect to the mail service and download their waiting mail. After a user’s computer downloads POP mail, the mail is stored only on the user’s computer. The user’s computer disconnects from the mail service, and the user can read, organize, and reply to the received POP mail. The POP service is like a post office, storing mail and delivering it to a specific address.
One advantage of POP is that your server doesn’t need to store mail that users have downloaded. Therefore, your server doesn’t need as much storage space as it would using the IMAP protocol. However, because the mail is removed from the server, if any client computers sustain hard disk damage and lose their mail files, there is no way you can recover these files without using data backups.
POP is not the best choice for client users who access mail from more than one computer, such as a home computer, an office computer, or a laptop while on the road. When a user reads mail via the POP protocol, the mail is downloaded to the user’s computer and completely removed from the server.
If the user logs in later from a different computer, he or she won’t be able to see previously read mail.

[Figure: mail flowing in and out between the mail server for school.com and the mail server for example.com across the Internet; the user shown is ron@example.edu.]

Internet Message Access Protocol (IMAP)
Internet Message Access Protocol (IMAP) is the solution for people who need to receive mail from more than one computer. IMAP is a client-server mail protocol that allows users to access their mail from anywhere on the Internet. Users can send and read mail with a number of IMAP-compliant email clients. With IMAP, client users’ mail is stored in a remote mailbox on the server; mail appears to users just as if it were on the local computer. IMAP delivers mail to the server, as with POP, but the mail is not removed from the server until the user deletes it.
IMAP follows the typical client-server model. The user’s computer can ask the server for message headers, ask for the bodies of specified messages, or search for messages that meet certain criteria. These messages are downloaded as the user opens them.

Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP) is a protocol that is used to send and transfer mail. Since SMTP’s ability to queue incoming messages is limited, it is usually used only to send mail, while POP or IMAP is used to receive mail.

SMTP Alternatives: Sendmail and Postfix
Instead of the SMTP mail service of Mac OS X Server, you can use another mail transfer agent (MTA), such as the UNIX programs Sendmail and Postfix. If you choose to use another mail transfer agent, it handles all incoming and outgoing SMTP mail. In this case, mail sent to local email users is delivered to the other mail transfer agent. Then Mac OS X Server transfers incoming mail from the other mail transfer agent for final delivery to email users using the POP and IMAP protocols.
POP and IMAP continue to function as usual, but SMTP mail is now subject to the rules and settings of the other mail transfer agent.

The UNIX Sendmail program is included with Mac OS X Server and is configured to work correctly with Mac OS X Server mail service. To use Sendmail, you must set Mac OS X Server mail service to use an alternate mail transfer agent and you must start Sendmail. For more information about Sendmail, see this Web site: www.sendmail.org

If you want to use the Postfix program instead of Sendmail, you must install and configure Postfix. Then you must set Mac OS X Server mail service to use an alternate mail transfer agent and you must start Postfix. For more information about Postfix, see this Web site: www.postfix.org

How Mail Service Uses SSL

The mail service supports secure IMAP connections with mail client software that requests them. If a mail client requests a Secure Sockets Layer (SSL) connection, the mail service automatically complies. The mail service still provides non-SSL (unencrypted) connections to clients that do not request SSL. The mail service does not require any configuration to use SSL in this manner. The configuration of each mail client determines whether it connects with SSL or not.

How Mail Service Uses DNS

Before sending an email, your mail service will probably have a Domain Name System (DNS) service determine the Internet Protocol (IP) address of the destination. The DNS service is necessary because people typically address their outgoing mail by using a domain name, such as example.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, your mail service must know the IP address of the destination. The mail service relies on a DNS service to look up domain names and determine the corresponding IP addresses.
The DNS service may be provided by your Internet service provider (ISP) or by Mac OS X Server, as explained in Chapter 14, “DNS Service.”

The mail that your mail service receives comes from other servers, and they use DNS to look up your mail service. DNS is able to find your mail service if you have created a mail exchange (MX) record for it. Your MX record specifies the name of the computer that handles mail service for your domain. This computer is known as a mail host. For example, the MX record for the domain example.com may specify that the name of the mail host is mail.example.com. If a mail service wants to send mail that’s addressed to someone@example.com, the mail service requests the MX record for the domain example.com and learns that it should actually send the mail to someone@mail.example.com.

An MX record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host is not available, the mail can be sent to the alternate mail host. In fact, an MX record can list several mail hosts, each with a priority number. If the lowest priority host is busy, mail can be sent to the host with the next lowest priority, and so on.

Where Mail Is Stored

The mail service keeps track of email messages in a small database, but the database does not contain the messages. The mail service stores each message as a separate file in a mail folder. The mail service stores its database file and folder of messages in the folder /Library/AppleMailServer by default. You can change the location of the mail folder and database to another folder, disk, or disk partition. You can even specify a shared volume on another server as the location of the mail folder and database, although using a shared volume incurs performance penalties.

Mail service uses an additional folder if you turn on the option to use an alternate mail transfer agent, such as the UNIX Sendmail program.
The alternate mail transfer agent delivers mail for users of your Apple mail service to the /var/mail folder. This is the standard UNIX mail delivery location. Mail for each user is stored in standard UNIX mailbox format in a file with the user’s name. The Apple IMAP and POP service imports mail from this location to the mail database in the /Library/AppleMailServer folder. A user’s mail remains in /var/mail until the user checks for new mail. Technically, the Apple mail service imports a user’s mail when the user selects the Inbox via IMAP or triggers a LIST via POP.

How User Account Settings Affect Mail Service

In addition to setting up and managing mail service as described in this chapter, you can also configure some mail settings individually for everyone who has a user account on your server. Each user account has settings that do the following:

• enable or disable mail service for the user account
• specify the server that provides mail service for the user account
• set a quota on the amount of disk space for storing the user account’s mail on the server
• specify the protocol for the user account’s incoming mail: POP, IMAP, or both
• maintain separate inboxes for POP and IMAP mail
• show a POP mailbox in the user’s list of IMAP folders
• alert the user via NotifyMail when mail arrives

What Mail Service Can Do About Junk Mail

You can configure your mail service to decrease the volume of unsolicited mail, also known as junk mail and spam. You can take steps to block spam that is sent to your mail users. You can also take steps to prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a server that unselectively receives and forwards all mail addressed to other servers. An open relay sends mail from any domain to any domain. Junk mail senders exploit open relay servers to avoid having their own SMTP servers blacklisted as sources of spam.
You do not want your server blacklisted as an open relay, because other servers may reject mail from your users. Your mail service can do any of the following to reduce spam:

• require SMTP authentication
• restrict SMTP relay, allowing relay only by approved servers
• reject all SMTP connections from disapproved servers
• match the DNS name of every mail server to the reverse-lookup of its IP address
• reject mail from blacklisted servers

SMTP Authentication

If your mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server. SMTP authentication applies to mail relay, but does not apply to delivery of mail for local mail service users. Your mail service always accepts mail for local delivery without SMTP authentication.

Your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they will be unable to send mail.

Restricted SMTP Relay

If your mail service allows SMTP relay only by approved mail servers, then the approved servers can relay through your mail service without authenticating. You create the list of approved servers. Servers not on the list cannot relay mail through your mail service unless they authenticate first. All mail servers, approved or not, can deliver mail to your local mail users without authenticating.

SMTP Authentication and Restricted SMTP Relay Combinations

The following table describes the results of using SMTP authentication and restricted SMTP relay in various combinations.

SMTP authentication: On    Restricted SMTP relay: Off
Result: All mail servers must authenticate before your mail service will accept any mail for relay. Authentication is not required for delivery to local mail users. Your local mail users must also authenticate to send mail.

SMTP authentication: On    Restricted SMTP relay: On
Result: Approved mail servers can relay without authentication. Servers that you have not approved can relay after authenticating with your mail service.

SMTP authentication: Off   Restricted SMTP relay: On
Result: Your mail service can’t be used for open relay. Approved mail servers can relay (without authenticating). Servers that you have not approved can’t relay unless they authenticate, but they can deliver to your local mail users. Your local mail users do not have to authenticate to send mail. This is the most common configuration.

Rejected SMTP Servers

You can have your mail service reject all SMTP connections from mail servers that you add to a list of disapproved servers. Your mail service does not allow anyone to authenticate from a disapproved server. No one can send your users mail or relay mail through your server from a disapproved server.

Mismatched DNS Name and IP Address

Your mail service can log and optionally reject connections from a mail server whose DNS name doesn’t match the name that your DNS service gets when it looks up the mail server’s IP address. This method intercepts junk mail from senders who pretend to be someone else, but may also block mail sent from a misconfigured SMTP server. You should be aware that because reverse-lookups of IP addresses involve contacting DNS, they could slow down the performance of your mail service.

Blacklisted Servers

Your mail service can reject mail from SMTP servers that are blacklisted as open relays by an Open Relay Behavior-modification System (ORBS) server. Your mail service uses an ORBS server that you specify. ORBS servers are also known as black-hole servers.

What Mail Service Doesn’t Do

Mail service provided by Mac OS X Server does not support

• mailing lists
• virtual domains (user@example1.com and user@example2.com can’t be different mail accounts)
• Secure Sockets Layer (SSL) for SMTP and POP
• mail services on multiple Mac OS X Servers, because they would all try to provide SMTP service on port 25 and user accounts can’t be assigned to a particular server for SMTP service

Mail Service Configuration in the Local Directory

The mail service configuration is stored in the local Open Directory domain of your Mac OS X Server, in a specific record with specific attributes and values. For example, the server’s local Open Directory domain stores the path of the UNIX mail delivery location that is used if you choose to use a mail transfer agent other than the SMTP service of Mac OS X Server. You can view and change the values of mail service attributes in the server’s local Open Directory domain with NetInfo Manager, which is included with Mac OS X Server. For instructions, see “Using NetInfo Domains” on page 110 of Chapter 2, “Directory Services.”

Overview of Mail Service Tools

The following applications help you set up and manage mail service.

• Server Assistant. Use to start mail service when you install Mac OS X Server
• Server Settings. Use to start, stop, and configure mail service
• Workgroup Manager. Use to create user accounts for email users and configure each user’s mail options
• Server Status. Use to monitor mail service, view mail logs, list email accounts, and list connected email users
• Terminal. Optionally use for tasks that involve UNIX command-line tools, such as cleaning up the mail database and starting Sendmail

Setup Overview

You can have mail service set up and started as part of the Mac OS X Server installation process.
An option for setting up mail service appears in the Setup Assistant application, which runs automatically at the conclusion of the installation process. If you select this option, mail service is set up as follows:

• SMTP, POP, and IMAP all active and using standard ports
• standard authentication methods used (not Kerberos), with POP and IMAP set for cleartext passwords (APOP and CRAM-MD5 turned off) and SMTP authentication turned off
• local mail delivery only (no mail sent to the Internet)
• mail relay turned off
• administrator access via IMAP turned on

If you want to change this basic configuration, or if you have not set up your mail service, these are the major tasks you perform to set up mail service:

• Step 1: Before you begin, do some planning.
• Step 2: Set up MX records.
• Step 3: Start mail service.
• Step 4: Configure incoming mail service.
• Step 5: Configure outgoing mail service.
• Step 6: Configure additional settings for mail service.
• Step 7: Set up accounts for mail users.
• Step 8: Create a postmaster account.
• Step 9: Set up each user’s mail client software.

Following is a summary of these tasks. The description of each task tells you which pages have detailed instructions for performing the task.

Step 1: Before you begin, do some planning

See “Before You Begin” on page 379 for a list of items to think about before you start full-scale mail service.

Step 2: Set up MX records

If you want users to be able to send and receive mail over the Internet, you should make sure DNS service is set up with the appropriate MX records for your mail service.

• If you have an Internet service provider (ISP) that provides DNS service to your network, contact the ISP and have the ISP set up MX records for you. Your ISP will need to know your mail server’s DNS name (such as mail.example.com) and your server’s IP address.
• If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Using DNS With Mail Service” on page 516 in Chapter 14, “DNS Service.”
• If you do not set up an MX record for your mail server, your server may still be able to exchange mail with some other mail servers. Some mail servers will find your mail server by looking in DNS for your server’s A record. (You probably have an A record if you have a Web server set up.)

Note: Your mail users can send mail to each other even if you do not set up MX records. Local mail service does not require MX records.

Step 3: Start mail service

Make sure the server computer shows the correct day, time, time zone, and daylight-saving settings in the Date & Time pane of System Preferences. Mail service uses this information to time stamp each message. An incorrect time stamp may cause other mail servers to handle a message incorrectly. Once you’ve verified this information, you can start mail service. If you selected the Server Assistant option to have mail service started automatically, stop mail service now and then start it again for your changes to take effect. For detailed instructions, see “Starting and Stopping Mail Service” on page 380.

Step 4: Configure incoming mail service

Your mail service has many settings that determine how it handles incoming mail. See these sections for instructions:

• “Working With Settings for Incoming Mail” on page 382
• “Working With Settings for Incoming POP Mail” on page 384
• “Working With Settings for Incoming IMAP Mail” on page 385

Step 5: Configure outgoing mail service

Your mail service also has many settings that determine how it handles outgoing mail.
For instructions, see these sections:

• “Working With Settings for Outgoing Mail” on page 387
• “Working With Settings for SMTP Mail” on page 389

Step 6: Configure additional settings for mail service

Additional settings that you can change affect how mail service stores mail, interacts with DNS service, limits spam, and handles undeliverable mail. See these sections for detailed instructions:

• “Working With the Mail Database” on page 393
• “Cleaning Up the Mail Files” on page 395
• “Limiting Junk Mail” on page 398
• “Working With Undeliverable Mail” on page 402

Step 7: Set up accounts for mail users

Each person who wants mail service must have a user account in a directory domain accessible by your mail service. The short name of the user account is the mail account name and is used to form the user’s mail address. In addition, each user account has settings that determine how your mail service handles mail for the user account. You can configure a user’s mail settings when you create the user’s account, and you can change an existing user’s mail settings at any time. For instructions, see

• “Administering User Accounts” on page 137 of Chapter 3
• “Working With Mail Settings for Users” on page 150 of Chapter 3

Step 8: Create a postmaster account

You need to create a user account named “postmaster.” The mail service may send reports to the postmaster account. When you create the postmaster account, make sure mail service is enabled for it. For convenience, you can set up forwarding of the postmaster’s mail to another mail account that you check regularly. Chapter 3, “Users and Groups,” tells you how to create user accounts.

Step 9: Set up each user’s mail client software

After you set up mail service on your server, mail users must configure their mail client software for your mail service. For details about the facts that users need when configuring their mail client software, see “Supporting Mail Users” on page 405.
Overview of Ongoing Mail Service Management

Information in these sections will help you with your day-to-day mail service maintenance activities:

• “Monitoring Mail Status” on page 403
• “Performance Tuning” on page 407
• “Backing Up and Restoring Mail Files” on page 408

Before You Begin

Before setting up mail service for the first time:

• Decide whether to use POP, IMAP, or both for incoming mail.
• If your server will provide mail service over the Internet, you need a registered domain name. You also need to determine whether your ISP will create your MX records or you will create them in your own DNS service.
• Identify the people who will use your mail service but don’t already have user accounts in a directory domain accessible to your mail service. You will have to create user accounts for these mail users.

Working With General Settings for Mail Service

This section tells you how to start and stop mail service, configure Kerberos authentication, list your mail server’s local names, change any mail protocol settings, and monitor or archive mail. These settings affect all incoming and outgoing mail service protocols—POP, IMAP, and SMTP. All these settings are described in this section.

Starting and Stopping Mail Service

Mail service is ordinarily started automatically after you complete the Server Assistant. You can also use the Server Settings application to start and stop mail service at your discretion.

To start or stop mail service:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Start Mail Service or Stop Mail Service.

If you plan to turn off mail service for an extended period of time, notify users before you stop the mail service.

When you start mail service, it looks for an existing database from an earlier version of Mac OS X Server. Mail service automatically converts an existing mail database and renames the existing database so that it won’t be converted again.
See “Converting the Mail Database From an Earlier Version” on page 393 for additional information.

Starting Mail Service Automatically

You can set mail service to start automatically whenever the Mac OS X Server system starts up. This ensures that mail service will start when the system restarts after a power outage or another unexpected event.

To configure automatic startup for mail service:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the General tab.
4 Select “Start mail server at system startup” and click Save.

Requiring or Allowing Kerberos Authentication

You can choose to require, allow, or disallow the Kerberos authentication method for all SMTP, IMAP, and POP mail service. Before enabling Kerberos authentication for mail service, you must integrate Mac OS X with a Kerberos server. For instructions, see “Integrating Mac OS X With a Kerberos Server” on page 199 in Chapter 3, “Users and Groups.”

To enable Kerberos authentication of mail service:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the General tab.
4 Choose a method from the Authentication pop-up menu and click Save.

Choose Standard if you want mail service to use the authentication methods that are set by clicking POP Options, IMAP Options, and SMTP Options in the Protocols tab.

Choose Kerberos if you want mail service to require Kerberos authentication for POP, IMAP, and SMTP. In this case, users’ mail client software must support Kerberos.

Choose Any Method if you want to allow but not require the use of Kerberos authentication. A mail client that does not support Kerberos can use the standard authentication method instead.

Adding or Removing Local Names for the Mail Server

Your mail service has a list of all the domain names for which it is responsible.
You should add any names that are likely to appear after @ in the addresses of mail directed to your server. For example, the list might contain variations of the spelling of your domain name or company name. Your mail settings apply to all domain names in this list.

To add or remove local names for the mail server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click Add and type the domain name of a virtual mail host for which you want your server to be responsible. To remove an item from the list, select it and click Remove.
4 Click Save.

Note: If you’ve set up MX records, you don’t need to add anything to this list. Your mail service will add names as it discovers them in the course of its daily operation.

If a domain name in this list does not have an MX record, only your mail service recognizes it. External mail sent to this domain name will be returned. You should place domain names without MX records in this list only as a time saver for local (internal) mail.

Changing Protocol Settings for Mail Service

You can change the settings for all protocols that your mail service uses. These may include SMTP, IMAP, POP, and NotifyMail.

1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab, then click the Options button for the protocol you want to change.
4 Make the changes you want and click Save.

Monitoring and Archiving Mail

You can configure mail service to send blind carbon copies of all messages to a user or group that you specify. You might want to do this if you need to monitor or archive messages. Senders and receivers of mail do not know that copies of their mail are being archived. You can set up the specified user or group to receive the blind carbon copies using POP, and then set up a client email application to log in periodically and clean out the account by retrieving all new messages.
You may want to set up filters in the email client to highlight certain types of messages. Or you may want to archive all messages for legal reasons.

To monitor or archive all messages:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Hosts.
3 Click the Incoming Mail tab.
4 Select “Blind copy incoming and outgoing messages to” and type a user name or group name.
5 Click Save.

Working With Settings for Incoming Mail

You can change settings that affect mail coming to users of your mail service, including mail your users receive from one another. The mail service has settings for limiting incoming message size, deleting incoming messages automatically, and notifying users who have new mail.

Limiting Incoming Message Size

You can set a maximum size for incoming messages. The default is 10,240 kilobytes (10 megabytes).

To set a maximum incoming message size:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Messages tab.
4 Select Message Size and type the number of kilobytes you want to set as the limit.
5 Click Save.

Deleting Email Automatically

You can have your mail service delete incoming messages automatically after a specified period of time. You may want to set these options if disk space is an issue.

Warning: Automatic mail deletion permanently removes mail from the server, including messages in IMAP folders.

To delete incoming mail automatically:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Messages tab.
4 Select Automatic Mail Deletion and enter the number of days in the fields for unread and read mail. Disable either setting by leaving it blank (don’t enter a number of days). Disable all automatic mail deletion by deselecting Automatic Mail Deletion.

Notifying Users Who Have New Mail

Rather than require each user to periodically check for new mail, the mail service can notify users when they have new mail. To do this, you set your mail service to use the NotifyMail protocol.

To set your mail service to use NotifyMail:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable NotifyMail.
4 Click Save.

NotifyMail must also be enabled in each user account. For instructions, see “Enabling Mail Service Account Options” on page 150 of Chapter 3, “Users and Groups.” In addition, third-party software must be installed on users’ computers. For more information, see this Web site: www.notifymail.com

Working With Settings for Incoming POP Mail

Post Office Protocol (POP) is used to receive, but not send, mail. Users connect to a POP service to retrieve all of their waiting mail. After the user has retrieved mail, it is usually removed from the server. (A setting in the user’s mail client software determines whether it asks the POP service to remove the user’s retrieved mail.) The mail service has settings for requiring authenticated POP connections, changing the POP response name, and changing the POP port number. All these settings are described in this section.

Requiring Authenticated POP (APOP)

Your POP mail service can protect users’ passwords by requiring APOP connections. When a user connects with APOP, the user’s mail client software encrypts the user’s password before sending it to your POP service. Before configuring your mail service to require APOP, make sure all users’ mail client software is able to use APOP as well.

To require APOP authentication:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable POP3, if it is not already checked.
4 Click POP3 Options.
5 Select “Require APOP authentication” and click Save.
Changing the POP Response Name

You can change the DNS name that your POP mail service sends back to a user’s mail client software when the client initiates a POP connection.

To change the POP response name:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable POP3, if it is not already checked.
4 Click POP3 Options.
5 Enter the DNS name you want your mail service to use when responding to POP connections, then click Save.

Changing the POP Port Number

The standard port number for POP mail service is 110. You can specify a different port, but do so carefully. If you change your mail service’s POP port number, you must also change the POP port used by all users’ mail client software. Also, don’t use a port that is used by another service.

To change the POP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable POP3, if it is not already checked.
4 Change the port number for the POP3 protocol and click Save.

Working With Settings for Incoming IMAP Mail

Internet Message Access Protocol (IMAP) is a client-server mail protocol that allows users to access their mail from anywhere on the Internet. Each IMAP user’s mail remains in mailboxes on the server, just as if it were on the user’s computer. IMAP delivers mail to the user’s inbox as does POP, but when the user retrieves mail, it is not removed from the server. The mail service has settings for requiring secure IMAP authentication, changing the IMAP response name, using case-sensitive IMAP folder names, controlling IMAP connections per user, terminating idle IMAP connections, and changing the IMAP port number. All these settings are described in this section.
Requiring Secure IMAP Authentication

Your IMAP mail service can protect users’ passwords by requiring that connections use the Challenge-Response Authentication Method MD5 (CRAM-MD5). When a user connects with CRAM-MD5 authentication, the user’s mail client software encrypts the user’s password before sending it to your IMAP service. Before configuring your mail service to require CRAM-MD5 authentication, make sure all users’ mail client software is able to authenticate using the CRAM-MD5 method.

To require CRAM-MD5 authentication:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select “Require CRAM-MD5 authentication” and click Save.

Changing the IMAP Response Name

You can change the DNS name that your IMAP mail service sends back to a user’s mail client software when the client initiates an IMAP connection.

To change the IMAP response name:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Enter the DNS name you want your mail service to use when responding to IMAP connections, then click Save.

Using Case-Sensitive IMAP Folder Names

You can allow mail users to create IMAP folders with names that are spelled the same but are capitalized differently. For example, a user could have one folder named “Urgent” and a different folder named “URGENT.”

To allow case-sensitive IMAP folder names:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select “Use case-sensitive IMAP folder names” and click Save.
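What “Require APOP authentication” (POP) and “Require CRAM-MD5 authentication” (IMAP, and SMTP later in this chapter) change on the wire, next to a cleartext PLAIN login, as an added example that is not from this guide or from Apple’s mail service: both methods send a hash computed from a per-connection server challenge and the password rather than the password itself. The user names, passwords and challenges are constructed, and the password lookup stands in for the server’s user database.

```python
# Added example (not Apple's code): APOP and CRAM-MD5 client responses, the
# server-side checks, and a PLAIN login for comparison. Constructed inputs only.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# The server looks the password up by user name. Both schemes need the password
# in a form the server can recompute from, which is why they are options the
# administrator enables rather than a replacement for the password database.
PasswordLookup = Callable[[str], Optional[str]]


def new_challenge(hostname: str) -> str:
    """A fresh, unpredictable value per connection, in the <...@host> form both RFCs use.
    Reusing a challenge would let a recorded response be played back."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def apop_digest(timestamp: str, password: str) -> str:
    """APOP (RFC 1939): MD5 over the greeting timestamp followed by the password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_command(user: str, timestamp: str, password: str) -> str:
    """Client side: sent instead of USER/PASS; the password never crosses the wire."""
    return f"APOP {user} {apop_digest(timestamp, password)}"


def apop_verify(command: str, timestamp: str, lookup: PasswordLookup) -> Optional[str]:
    """Server side: recompute the digest from the stored password; user name on success."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return None
    user, digest = parts[1], parts[2]
    stored = lookup(user)
    if stored is None or not digest.isascii():
        return None
    return user if hmac.compare_digest(apop_digest(timestamp, stored), digest) else None


def cram_md5_response(user: str, challenge: str, password: str) -> str:
    """CRAM-MD5 (RFC 2195): base64 of 'user SP hex(HMAC-MD5(key=password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response: str, challenge: str, lookup: PasswordLookup) -> Optional[str]:
    """Server side for IMAP or SMTP: same HMAC with the stored password, constant-time compare."""
    try:
        user, _, digest = base64.b64decode(response).decode().partition(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = lookup(user)
    if stored is None or not digest or not digest.isascii():
        return None
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def plain_credentials(user: str, password: str) -> str:
    """What the PLAIN method sends: base64 is an encoding, not encryption."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def password_from_plain(line: str) -> str:
    """One decode recovers the password from a PLAIN exchange seen on the network,
    which is why the guide offers APOP and CRAM-MD5 as the protected alternatives."""
    return base64.b64decode(line).decode().split("\0")[2]
```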
Controlling IMAP Connections Per User

You can adjust the load each mail user can put on your server by limiting the number of connections each user can have on a single IP address.

To limit IMAP connections per user:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab, then click IMAP Options.
4 Enter the number of connections you want to allow, then click Save.

The default setting is 32, and the maximum is 128. A value of zero gives users unlimited connections.

Terminating Idle IMAP Connections

You can specify how long you want to allow IMAP mail connections to remain idle before the connection is terminated. Terminating idle connections can improve mail service performance.

To set idle connection limits:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab, then click IMAP Options.
4 Enter the number of minutes you want to allow for each IMAP connection, then click Save.

The default is 30 minutes, and a zero indicates that there is no time limit. The accepted range is 1 through 999.

Changing the IMAP Port Number

The default port for incoming IMAP connections is 143. You can change this port number, but you’ll need to change the port number for IMAP client computers as well. Make sure you don’t change to a port number already in use by another service or operation.

To change the IMAP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Change the port number for the IMAP protocol and click Save.

If you change your mail service’s IMAP port number, you must also change the IMAP port used by all users’ mail client software.
Working With Settings for Outgoing Mail

You can change settings that affect mail going out of your mail service, including mail that your users send to one another. The mail service has settings for sending nonlocal mail, sending only local mail, and suspending outgoing mail service.

Sending Nonlocal Mail

If your mail service currently allows sending only local mail, you can change a setting to allow sending mail to addresses outside your local network, including to the Internet.

To allow sending mail outside your local network:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Outgoing Mail tab.
4 Choose “Allow outgoing mail” from the pop-up menu, then click Save.

Sending Only Local Mail

You can set your mail service to allow sending only messages that are addressed to recipients on your local network. This setting prevents users from sending mail to addresses on the Internet.

To allow only local outgoing mail delivery:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Outgoing Mail tab.
4 Choose “Limit to local users” from the pop-up menu, then click Save.

If you limit outgoing mail to local users, all the options in the Outgoing Mail pane are disabled because they are not relevant to local outgoing mail.

Suspending Outgoing Mail Service

You can prevent the mail service from sending new outgoing mail. You could do this to isolate a problem, or to prevent conflicts with other mail service running on your network.

To suspend outgoing mail service:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Use None from the pop-up menu.
4 Click Save.

Working With Settings for SMTP Mail

The mail service includes a Simple Mail Transfer Protocol (SMTP) service for sending mail.
Subject to restrictions that you control, the SMTP service also transfers mail to and from mail services on other servers. If your mail users send messages to another Internet domain, your SMTP service delivers the outgoing messages to the other domain’s mail service. Other mail services deliver messages for your mail users to your SMTP service, which then transfers the messages to your POP service and IMAP service.

Your mail service has settings for requiring SMTP authentication, sending mail via another SMTP server, changing the SMTP response names, changing the incoming SMTP port number, changing the outgoing SMTP port number, and enabling an alternate mail transfer agent. You can also start Sendmail. All these tasks are described in this section.

Your mail service also has settings that restrict SMTP mail transfer and thereby limit junk mail. For more information on these settings, see “Limiting Junk Mail” on page 398.

Requiring SMTP Authentication

Your server can guard against being an open relay by requiring SMTP authentication. Requiring authentication ensures that only known users—people with user accounts on your server—can send mail from your mail service. You can configure the mail service to require secure authentication using the CRAM-MD5 method. You can also allow the less secure PLAIN and LOGIN authentication methods, which don’t encrypt passwords, if some users have email client software that doesn’t support the CRAM-MD5 method.

Note: Requiring SMTP authentication does not affect delivery of mail to users of your mail service. Your mail service doesn’t require other servers to authenticate before delivering mail for local mail service users.

To require SMTP authentication:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Select “Require authenticated SMTP using CRAM-MD5,” optionally select “Allow PLAIN and LOGIN authentication,” and then click Save.

Sending SMTP Mail via Another Server

Rather than delivering outgoing mail directly to its various destinations, your SMTP mail service can relay outgoing mail to another server. The other server then attempts to deliver your SMTP service’s outgoing mail. Your SMTP service batches outgoing mail and sends it to the other server, which acts as a proxy for delivering the mail.
• You may need to use this setting to deliver outgoing mail through a firewall set up by your organization. In this case, your organization will designate a particular server for relaying mail through the firewall.
• You may find this setting useful if your server has slow or intermittent connections to the Internet, or if you are billed by the number of connections you initiate.

To relay SMTP mail through another server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Outgoing Mail tab.
4 Click “Relay all SMTP mail via” and enter the DNS name or IP address of the server that provides SMTP relay.
5 Click Save.
Note: This option is disabled if the pop-up menu is set to “Limit to local users.”

Changing the SMTP Response Names

When your server connects with another server to send outgoing mail, your SMTP mail service identifies itself by sending a name. Your SMTP service also sends its name when another server contacts your server to deliver incoming mail. You can specify the name that your SMTP service sends for incoming connections and the name it sends for outgoing connections.
• The incoming and outgoing SMTP response names are typically the same.
• The incoming and outgoing response names should match the DNS name that another server would get by doing a reverse DNS lookup of your server’s IP address.
• If your server connects to the Internet via an Internet gateway or router that uses Network Address Translation (NAT), your server effectively has the IP address of the Internet gateway or router. In this case, the incoming and outgoing response names should match the DNS name that another server would get by doing a reverse DNS lookup of the Internet gateway’s IP address. An AirPort Base Station is an example of an Internet gateway that can be configured to use NAT.

To specify the SMTP response names:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Enter the incoming response name and the outgoing response name, then click Save.

Changing the Incoming SMTP Port Number

You can change the port number on which your SMTP service receives incoming mail from other servers. Other servers must use this port number to deliver incoming mail to your server. The standard incoming SMTP port is 25. You can change this port number, but do so carefully. If you change to a nonstandard incoming SMTP port number, other servers will be unable to deliver incoming mail to your server unless they use this nonstandard port number for their outgoing SMTP mail. Make sure you don’t change to a port number already in use by other services or operations.

To change the incoming SMTP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable SMTP, if it is not already checked.
4 Change the port number for the SMTP protocol and click Save.

Changing the Outgoing SMTP Port Number

You can change the port number that your SMTP service uses when attempting to send outgoing mail to other servers. The standard port for outgoing SMTP connections is 25. You can change this port number, but do so carefully.
If you use a nonstandard outgoing SMTP port, your server will be unable to deliver outgoing mail to other servers unless they use this nonstandard port for their incoming SMTP mail. Make sure you don’t change to a port number already in use by another service or operation.

To change the outgoing SMTP port number:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Change the SMTP port number and click Save.

Enabling an Alternate Mail Transfer Agent

You can use an alternate mail transfer agent, such as the UNIX Sendmail program, to handle incoming and outgoing SMTP mail. Any mail sent to local email users is processed by the mail transfer agent and transferred to the Mac OS X Server mail service for delivery. POP and IMAP continue to function as usual, but SMTP mail is now subject to the rules and settings of the mail transfer agent.

To use another mail transfer agent:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Other Mail Transfer Agent from the pop-up menu.
4 Click Save.
5 Start the other mail transfer agent program.

Starting Sendmail

If you configure mail service to use an alternate mail transfer agent such as the UNIX program Sendmail, you need to start the mail transfer agent program. It then becomes the primary SMTP mail transfer agent on your server. The UNIX Sendmail program is included with Mac OS X.
To start Sendmail as root, type this command in the Terminal application:
/usr/lib/sendmail -bd

To configure Sendmail to start automatically every time the system starts up, you need root privileges. Edit the /etc/hostconfig file, find the line containing MAILSERVER, and make it read:
MAILSERVER=-YES-
To keep Sendmail from starting when the system starts up, change the line to:
MAILSERVER=-NO-

The Sendmail program will not operate if the permissions of the root directory are changed. Some installer programs for software updates or applications may change the root directory permissions from the standard for Mac OS X Server to the standard for a Mac OS X client computer. The standard for Mac OS X Server is 1755 or rwxr-xr-t, which means read/write/execute by owner, read/execute by group, and read/execute by everyone (world); the trailing t is the sticky bit, which the leading 1 represents. The standard for a Mac OS X client is 1775 or rwxrwxr-t, which allows group write privileges.

You can check the permissions currently set for the root directory by typing the following command in the Terminal application:
ls -al /

This form of the ls command displays detailed information for the root directory. The first character of each line indicates the type of item (d for directory, l for symbolic link, - for regular file). This is followed by nine characters that indicate the permissions for the item. The item name is at the end of the line. A single period (.) represents the directory whose contents are listed, and it is the first line displayed by this ls command. In this case, the first line is for the root directory.

If the permissions for the root directory are rwxr-xr-t, they are correct for Mac OS X Server. If the permissions for the root directory are rwxrwxr-t, they have been changed to the standard for a Mac OS X client.
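The root-directory check just described can be scripted. The following is an added example, not part of Apple’s guide or of Mac OS X Server: it decodes the permission field that ls -al prints and reads the live mode with os.stat, reporting which standard is in place; the function names are my own.

```python
"""Added example (not from the Mac OS X Server guide): report whether the root
directory carries the Mac OS X Server permissions (1755, rwxr-xr-t) that Sendmail
requires, or the Mac OS X client permissions (1775, rwxrwxr-t) that an installer
may have left behind. It only reports; the fix remains the guide's own command.
"""
import os
import stat
from typing import Optional, Tuple

SERVER_MODE = 0o1755   # rwxr-xr-t: the Mac OS X Server standard for /
CLIENT_MODE = 0o1775   # rwxrwxr-t: the Mac OS X client standard (group-writable)

# Permission characters in the order ls prints them, with the bit each one sets.
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Positions where ls shows s/S (setuid, setgid) or t/T (sticky) instead of x/-.
_SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_ls_permissions(field: str) -> int:
    """Convert the permission field of an `ls -al` line (e.g. 'drwxr-xr-t') to mode bits.

    A leading type character (d, l, -) is accepted and ignored; the result is the
    12-bit permission value, so 'drwxr-xr-t' becomes 0o1755 and 'drwxrwxr-t' 0o1775.
    """
    perms = field[1:] if len(field) == 10 else field
    if len(perms) != 9:
        raise ValueError(f"not a 9- or 10-character permission field: {field!r}")
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwx":
            mode |= _PERM_BITS[i]
        elif ch in "sStT" and i in _SPECIAL_BITS:
            mode |= _SPECIAL_BITS[i]
            if ch in "st":            # lower case means the execute bit is set too
                mode |= _PERM_BITS[i]
        elif ch != "-":
            raise ValueError(f"unexpected permission character {ch!r} in {field!r}")
    return mode


def classify_mode(mode: int) -> str:
    """Map a mode (raw st_mode or 12-bit permission value) to 'server', 'client' or 'other'."""
    perm = stat.S_IMODE(mode)          # drop the file-type bits that st_mode carries
    if perm == SERVER_MODE:
        return "server"
    if perm == CLIENT_MODE:
        return "client"
    return "other"


def check_root_permissions(path: str = "/") -> Tuple[str, Optional[str]]:
    """Return (classification, remediation) for the directory at `path`.

    The remediation is the guide's own command when the client standard is found,
    None when the server standard is already in place, and a request to inspect
    by hand for anything else (unexpected modes should not be "fixed" blindly).
    """
    kind = classify_mode(os.stat(path).st_mode)
    if kind == "client":
        return kind, f"sudo chmod g-w {path}"
    if kind == "server":
        return kind, None
    return kind, f"inspect with `ls -al {path}` before changing anything"


if __name__ == "__main__":
    kind, remedy = check_root_permissions("/")
    print(f"root directory permissions: {kind}")
    if remedy:
        print(f"suggested action: {remedy}")
```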
To correct this, type the following command in the Terminal application:
sudo chmod g-w /

For more information on Sendmail, see this Web site: www.sendmail.org

Working With the Mail Database

The mail database keeps track of messages for all mail service users. Mail service stores messages in separate files. You can do the following with the mail database and files:
• convert the mail database from an earlier version of Mac OS X Server
• change the location where the mail database and files are stored
• configure automatic mail deletion
• allow administrators to access the mail database and files via IMAP
• clean up the mail database and files
All these tasks are described in this section.

Converting the Mail Database From an Earlier Version

When mail service starts for the first time, it looks for an existing mail database from an earlier version of Mac OS X Server. Mail service migrates messages from an existing mail database to the current mail database format. After migrating all messages, mail service renames the old database to preclude the old database from being converted again. You can delete the renamed database file when you are satisfied that the migration and conversion process was successful.

In Mac OS X Server version 10.2, the mail service stores each message in a separate file and keeps track of message files in a relatively small database file. In earlier versions of Mac OS X Server, the mail service stores all messages in one large database file, /Library/AppleMailServer/MacOSXMailDB. The automatic conversion process extracts each message from the monolithic database file and stores it in a separate file. The message files are located in a folder at /Library/AppleMailServer/AppleMail (unless you change the location where mail is stored). The new MacOSXMailDB file contains only user and mail account information.

Note: For the mail database conversion to complete successfully, the server must have enough disk space available.
The amount of disk space available should equal the size of the database file being converted.

Changing Where Mail Is Stored

You can change where mail is stored on the server. The default location is /Library/AppleMailServer.

To change where mail is stored on the server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the General tab.
4 Select “Use alternate mail store location” and enter the path of the location that you want to use.
5 Click Save.

Configuring Automatic Mail Deletion

If disk space is an issue, you can have read and unread mail automatically deleted from your server at specified times. If you choose this option, you should let your users know how long their messages will remain on the server before being deleted. Automatic mail deletion permanently removes mail from the server, including messages in IMAP folders.

To set up automatic mail deletion:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Messages tab.
4 Click Automatic Mail Deletion and type the number of days in the field below for unread mail and read mail. Don’t enter a number if you don’t want to enable one of the settings.
5 Click Save.

Allowing Administrator Access to the Mail Database and Files

You can configure IMAP to allow the server administrator to view and modify any message in the mail database. To take advantage of this administrator access, you must use an email client that allows you to change its IMAP port number, such as the Mail application in Mac OS X. To gain administrator access from such an email client, you must know a server administrator name and password. The mail client must be configured to use the IMAP administrator port instead of the normal IMAP port. The standard port number for IMAP administrator access is 626.
You can change your mail service to use a different port number.

When your mail client connects on the IMAP administrator port, you see all the messages stored on the server. Each user’s mailbox appears as a separate folder in your mail client. You can remove disused mailbox folders that belonged to deleted user accounts. In addition to seeing the mail users, you also see outgoing mail hosts. A host with an unusually high number of messages queued for delivery may indicate that your mail service is unable to connect with the host to exchange mail.

If you allow administrator access to the mail database, you should use your server’s IP firewall service to restrict connections on the IMAP administrator port (port 626 by default) to IP addresses that are well known to you. For instructions, see Chapter 15, “Firewall Service.”

To configure administrator access to the database:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select Allow IMAP Administrator Access and optionally change the port number.
6 Click Save.
7 In your email client application, create an account that uses IMAP to connect to your mail service and change the IMAP port to match the port specified in step 5.
For example, to change an IMAP account’s port number in the Mac OS X Mail application, choose Preferences from the Mail menu, click Accounts, select the IMAP account, click Edit, and click the Advanced tab. (If your version of Mail doesn’t have an Advanced tab, click the Account Options tab.)

Cleaning Up the Mail Files

You can clean up and compact the mail database and other mail files by typing a simple UNIX command in the Terminal application.

Note: Cleaning up and compacting the mail files may take a long time. The length of time depends on the number of mail messages and the number of mail users.
To clean up and compact the mail database:
1 In Server Settings, stop mail service.
2 Open Terminal and at the prompt, type the following and then press Return:
sudo /usr/sbin/MailService -compressDB
3 Enter your administrator password and press Return.
The cleanup operation takes place without any feedback. During cleanup, a number of messages are written in the mail service repair log, which you can view by using Server Status. The cleanup operation is finished when another command-line prompt appears.
4 In Server Settings, start mail service.

Working With Network Settings for Mail Service

You can change the following network settings of your mail service:
• which DNS records mail service uses to look up a mail server
• when mail service updates its DNS cache
• when mail service connections time out
This section describes how to change these settings.

Specifying DNS Lookup for Mail Service

You can specify the type of DNS records you want your mail service to use when it looks up the server for an address of an outgoing message, such as user@example.com. Your mail service can look up another server by requesting
• Only an MX list. An MX list consists of one or more MX records for an Internet domain. An MX record matches a domain name, such as example.com, with the full DNS name of a mail server, such as mail.example.com. Some domains have more than one mail server, each with an MX record. In this case, the MX records specify priorities for the mail servers. Some mail servers don’t have any MX records.
• Only an A record. An A record matches a full DNS name (also known as a host name), such as mail.example.com, to an IP address.
• An MX list and an A record. By default, your mail service requests MX records. If none exists, the mail service requests an A record.

To specify the type of DNS records your mail service requests:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Select one of the settings for DNS Request, then click Save.

Updating the DNS Cache in Mail Service

The mail service stores verified domain names in a cache and does not verify the cached information unless you set the cache to be updated periodically. The cache improves mail service performance, because the mail service doesn’t have to contact the DNS service for every message. You may reduce mail service performance if you set the cache to be updated too frequently.

To change how often the mail service updates its DNS cache:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 Select one of the Cache Settings options.
Select “Cache DNS information for __ minutes” and enter the number of minutes you want information to be stored before the cache is refreshed.
Select “Respect ‘Time to Live’ (TTL) DNS Settings” if you want to use the default settings of the DNS service. Ordinarily, your mail service resends mail repeatedly until it makes a connection with the server at the destination. TTL specifies how long your mail service continues requesting connection information from DNS before giving up and generating a nondelivery report.
5 Click Save.

Changing Mail Service Timeouts

If your mail service has frequent trouble remaining connected to another server, you can increase the length of time your mail service waits before giving up on connections with other servers. This can be helpful if your server has a slow or intermittent connection to the Internet.

To change the allowed connection time:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Network Settings tab.
4 In the Open Connection field, enter the number of seconds you want your mail service to wait before giving up on a connection attempt.
5 In the Read/Write field, enter the number of seconds you want to allow the other mail host to respond before your mail service stops attempting to send or receive a message.
6 Click Save.

Limiting Junk Mail

You can configure mail settings to decrease the amount of junk mail that your mail service delivers to users. You can also take steps to prevent senders of junk mail (spam) from using your server as an open relay. If you allow junk mail senders to use your server as a relay point, your server may be blacklisted as an open relay, and other servers may reject mail from your users.

Your mail service can do the following to reduce spam:
• Require SMTP authentication so that your server cannot be used as a relay point by anonymous users. For instructions, see “Requiring SMTP Authentication” on page 389.
• Restrict SMTP relay, allowing relay only by approved servers on a list that you create. For instructions, see “Restricting SMTP Relay” on page 398.
• Reject SMTP connections from specific servers on another list that you create. For instructions, see “Rejecting SMTP Connections From Specific Servers” on page 399.
• Log and optionally reject an SMTP connection from a server whose DNS name doesn’t match a reverse-lookup of its IP address. For instructions, see “Checking for Mismatched SMTP Server Name and IP Address” on page 399.
• Reject SMTP connections from servers that are blacklisted as open relays by an Open Relay Behavior-modification System (ORBS) server. For instructions, see “Rejecting Mail From Blacklisted Senders” on page 401.
• Allow or deny SMTP connections from specific IP addresses by using the firewall service of Mac OS X Server. For instructions, see “Filtering SMTP Connections” on page 401.

Restricting SMTP Relay

Your mail service can restrict SMTP relay by allowing only approved servers to relay mail. You create the list of approved servers. Approved servers can relay through your mail service without authenticating.
Servers not on the list cannot relay mail through your mail service unless they authenticate first. All servers, approved or not, can deliver mail to your local mail users without authenticating. Your mail service can log connection attempts made by servers not on your approved list.

To restrict SMTP relay:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Incoming Mail tab.
4 Select “only hosts in this list” and then edit the list of servers. Click Add to add a server to the list. Click Remove to delete the currently selected server from the list.
When adding to the list, you can use a variety of notations:
Enter a single IP address, such as 192.168.123.55.
Enter an IP address range, such as 192.168.40-43.*.
Enter an IP address/netmask, such as 192.168.40.0/255.255.248.0.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.
5 Optionally select “Log recipient rejections to error log.”
6 Click Save.

Rejecting SMTP Connections From Specific Servers

Your mail service can reject all SMTP connections from servers on a disapproved-servers list that you create. No one can authenticate from a disapproved server, much less send your users mail or relay mail through your mail service.

To reject SMTP connections from specific servers:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Reject messages from SMTP servers in list” and then edit the list of servers. Click Add to add a server to the list. Click Remove to delete the currently selected server from the list.
When adding to the list, you can use a variety of notations:
Enter a single IP address, such as 192.168.123.55.
Enter an IP address range, such as 192.168.40-43.*.
Enter an IP address/netmask, such as 192.168.40.0/255.255.248.0.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.
5 Click Save.

Checking for Mismatched SMTP Server Name and IP Address

Your mail service can log and optionally reject connections from a server whose DNS name doesn’t match the name that your DNS service gets when it looks up the server’s IP address. This method intercepts junk mail from senders who pretend to be someone else, but may also block mail sent from a misconfigured SMTP server.

Note: Reverse-lookups of IP addresses may slow the performance of your mail service because lookups involve more contact with DNS service.

To check SMTP server names and IP addresses:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Log connection if SMTP name does not match IP address” and then optionally select “Reject if name does not match address.”
5 Click Save.

Your SMTP mail service may be unable to do a successful reverse lookup of a server that identifies itself in a nonstandard way. Specifically, the SMTP service can determine the server name in a HELO command that doesn’t deviate too much from standard form. The SMTP service can determine the server name and do a reverse lookup from HELO commands like the following:
helo mail.example.com
helo I am mail.example.com
The SMTP service cannot do a reverse lookup from HELO commands like the following:
helo I’m mail.example.com
helo I am mail server mail.example.com
helo what a wonderful day it is

The following table explains the results for various configurations of the settings for logging and rejecting unsuccessful reverse lookups.
Log   Reject   Result
No    No       Accepts all HELO commands
Yes   No       Accepts all HELO commands and logs each server whose name doesn’t match or whose name can’t be determined from the HELO command
Yes   Yes      Logs and rejects each server whose name doesn’t match or whose name can’t be determined from the HELO command

Rejecting Mail From Blacklisted Senders

You can have your mail service check an Open Relay Behavior-modification System (ORBS) server to see if incoming mail came from a known junk-mail sender. ORBS servers are also known as black-hole servers.

To reject mail from known junk-mail senders:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Filter tab.
4 Select “Use a server for junk mail rejection” and then type the DNS name of an ORBS server.
5 Click Save.

Important: Blocking unsolicited mail from blacklisted senders may not be completely accurate. Sometimes it can prevent valid mail from being received.

Allowing SMTP Relay for a Backup Mail Server

If your network has more than one mail server, one can be designated as a backup server to deliver mail in case the primary server goes down. (Backup mail servers are designated by MX records.) A backup mail server may need to relay SMTP mail. You can set your server to ignore SMTP relay restrictions when accepting mail as a backup server for another mail server.

To allow SMTP relay for a backup mail server:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose Apple Mail Service SMTP from the pop-up menu.
4 Click SMTP Options.
5 Select “SMTP relay when host is a backup for destination” and click Save.

Filtering SMTP Connections

You can use the firewall service of Mac OS X Server to allow or deny access to your SMTP mail service from specific IP addresses.
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Show Firewall List.
3 Click New and configure the settings to create a filter that allows or denies access to port number 25 from an IP address or range of IP addresses that you specify, then click Save.
If your SMTP service does not use port 25, which is standard for incoming SMTP mail, enter your incoming SMTP port number instead.
4 Add more new filters for the SMTP port to allow or deny access from other IP addresses or address ranges.
For additional information on the firewall service, see Chapter 15, “Firewall Service.”

Working With Undeliverable Mail

Mail messages may be undeliverable for several reasons. You can configure your mail service to forward undeliverable incoming mail, limit attempts to deliver problematic outgoing mail, and report failed delivery attempts. Incoming mail may be undeliverable because it has a misspelled address or is addressed to a deleted user account. Outgoing mail may be undeliverable because it’s misaddressed or the destination mail server is not working.

Forwarding Undeliverable Incoming Mail

You can have mail service forward messages that arrive for unknown local users to another person or a group in your organization. Whoever receives forwarded mail that’s incorrectly addressed (with a typo in the address, for example) can forward it to the correct recipient. If forwarding of these undeliverable messages is disabled, they are returned to sender.

To set up forwarding of undeliverable incoming mail:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Messages tab.
4 Select “Forward mail addressed to unknown local users” and type a user name or group name.
5 Click Save.

Limiting Delivery Attempts in Mail Service

You can limit how often and for how long your mail service attempts to deliver mail sent by your users.
If mail can’t be delivered within the time you specify, the mail service sends a nondelivery report to the message sender and deletes the message. You can have the mail service send an earlier nondelivery report. You can also have a nondelivery report sent to the postmaster account.

To limit delivery attempts:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Host Settings.
3 Click the Outgoing Mail tab.
4 Enter the number of hours you want the mail service to attempt to deliver a message before the message expires. The default is 72 hours.
5 Enter the number of minutes you want the mail service to wait between delivery attempts. The smallest number allowed is 1 minute; the default is 20 minutes.
6 Optionally click “Notify sender of non-delivery after __ hours” and enter the number of hours.
7 Optionally click “Notify postmaster of non-delivery.”
8 Click Save.
Note: These options are disabled if the pop-up menu is set to “Limit to local users.”

Sending Nondelivery Reports to Postmaster

When a user on your network sends mail that can’t be delivered, a nondelivery report is sent back to the user. If for some reason the report can’t be delivered, you can set up mail service to send the report to the postmaster account. Be sure you’ve set up a user account named “postmaster.” Nondelivery reports are not normally sent for mail designated as “bulk,” but you can also generate nondelivery reports for bulk mailings.

To report undelivered mail to the postmaster account:
1 In Server Settings, click the Internet tab.
2 Click Mail Service and choose Configure Mail Service.
3 Click the Protocols tab and choose SMTP from the pop-up menu.
4 Click SMTP Options.
5 Click one or both of the nondelivery options, then click Save.
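The server-list notations used under “Restricting SMTP Relay” and “Rejecting SMTP Connections From Specific Servers”, and the HELO name check with its Log/Reject table under “Checking for Mismatched SMTP Server Name and IP Address”, can be expressed as a small piece of policy code. The following is an added example of that logic, not code from Apple’s guide or from its mail service; it assumes the caller has already done the reverse lookup of the connecting peer and passes the resulting name, and its parse_helo accepts exactly the two HELO forms the guide says the service can interpret.

```python
"""Added example (not from the Mac OS X Server guide or its mail service): the
server-list matching and HELO/reverse-lookup checks described under
"Limiting Junk Mail", using only the Python standard library.

Assumptions: the caller has already reverse-looked-up the peer's IP address and
passes the resulting name (or None); host-name and domain entries are matched
against that name; parse_helo() accepts exactly the two HELO forms the guide
says the service can interpret, and requires a dotted (fully qualified) name.
"""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_IP_OR_RANGE_RE = re.compile(r"^[0-9*-]+(?:\.[0-9*-]+){3}$")


def _octet_matches(pattern: str, value: int) -> bool:
    """One octet of the 192.168.40-43.* notation: '*', 'low-high' or a number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return int(low) <= value <= int(high)
    return int(pattern) == value


def entry_matches(entry: str, peer_ip: str, reverse_name: Optional[str]) -> bool:
    """True if one list entry covers the connecting peer.

    Handles the five notations from the guide: single IP (192.168.123.55),
    octet range (192.168.40-43.*), IP/netmask (192.168.40.0/255.255.248.0),
    host name (mail.example.com) and domain name (example.com). A domain entry
    also covers every host beneath it.
    """
    entry = entry.strip()
    if "/" in entry:                            # IP/netmask; strict=False allows host bits
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(entry, strict=False)
    if _IP_OR_RANGE_RE.match(entry):            # single IPv4 address or octet range
        octets = [int(o) for o in peer_ip.split(".")]
        if len(octets) != 4:                    # only the IPv4 notations of the guide
            return False
        return all(_octet_matches(p, o) for p, o in zip(entry.split("."), octets))
    if reverse_name is None:                    # name entry but no name to compare
        return False
    name = reverse_name.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return name == entry or name.endswith("." + entry)


def relay_allowed(peer_ip: str, reverse_name: Optional[str],
                  approved: Iterable[str], authenticated: bool) -> bool:
    """Approved servers relay without authenticating; everyone else must authenticate."""
    return authenticated or any(entry_matches(e, peer_ip, reverse_name) for e in approved)


def parse_helo(line: str) -> Optional[str]:
    """Server name from a HELO/EHLO command, or None when it cannot be determined.

    Accepted forms, as the guide lists them: 'helo mail.example.com' and
    'helo I am mail.example.com'. Anything else ("helo I'm ...", extra words)
    yields None, which the Log/Reject table treats like a mismatch.
    """
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0].upper() not in ("HELO", "EHLO"):
        return None
    args = tokens[1:]
    if len(args) == 3 and [a.lower() for a in args[:2]] == ["i", "am"]:
        args = args[2:]
    if len(args) != 1 or not _HOSTNAME_RE.match(args[0]):
        return None
    return args[0].lower().rstrip(".")


def helo_check(helo_line: str, reverse_name: Optional[str],
               log: bool, reject: bool) -> Tuple[bool, Optional[str]]:
    """Apply the guide's Log/Reject table. Returns (accepted, log_message_or_None)."""
    if reject and not log:
        raise ValueError("Reject is only offered once Log is selected")
    if not log:
        return True, None                       # Log=No, Reject=No: accept everything
    name = parse_helo(helo_line)
    if name is None:
        reason = f"server name cannot be determined from {helo_line.strip()!r}"
    elif reverse_name is None or name != reverse_name.lower().rstrip("."):
        reason = f"HELO name {name} does not match reverse lookup {reverse_name}"
    else:
        return True, None                       # names agree: accept, nothing to log
    return (not reject), reason                 # log it; reject too if configured
```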
Monitoring Mail Status

This section explains how to use the Server Status application to monitor the following:
• overall mail service activity
• connected mail users
• mail accounts
• mail service logs
This section also describes how Mac OS X Server reclaims disk space used by logs and how you can reclaim space manually.

Viewing Overall Mail Service Activity

You can use Server Status to see an overview of mail service activity. The overview reports whether the service is running, when mail service started, and outgoing connections by protocol.

To see an overview of mail service activity:
1 In Server Status, select Mail in the Devices & Services list.
2 Click the Overview tab.

Viewing Connected Mail Users

The Server Status application can list the users who are currently connected to the mail service. For each user, you see the user name, IP address of the client computer, type of mail account (IMAP or POP), number of connections, and the connection length.

To view a list of mail users who are currently connected:
1 In Server Status, select Mail in the Devices & Services list.
2 Click the Connections tab.

Viewing Mail Accounts

You can use the Server Status application to see a list of users who have mail accounts. For each account, you see the user name, disk space quota, disk space used, and the percent of space that is available to the user.

To view a list of mail accounts:
1 In Server Status, select Mail in the Devices & Services list.
2 Click the Accounts tab.

Reviewing Mail Service Logs

The mail service maintains eight logs, and you can use Server Status to view them.
• IMAP, POP, SMTP In, and SMTP Out logs. These four logs contain the history of activity that is specific to each protocol.
• Router log. Routing errors and routing messages go into the router log.
• Error log. General mail service errors go into the Error log.
• Server log. General mail service information goes into the server log.
• Repair log.
This log contains a history of cleanup, compression, and repairs made to the mail database.Mail Service 405 To view a mail service log: 1 In Server Status, select Mail in the Devices & Services list. 2 Click the Logs tab. 3 Choose a log from the Show pop-up menu. Reclaiming Disk Space Used by Mail Service Logs Mac OS X Server automatically reclaims disk space used by mail service logs when they reach a certain size or age. If you are comfortable using the Terminal application and UNIX command-line tools, you can change the criteria that determine when disk space is reclaimed. You can also use a command-line tool to monitor disk space whenever you want, independently of the automatic disk-space recovery process. For additional information, see “Log Rolling Scripts” on page 555 and “diskspacemonitor” on page 556, both in Chapter 17, “Tools for Advanced Users.” Supporting Mail Users This section discusses mail settings in your server’s user accounts and mail service settings in email client software. Configuring Mail Settings for User Accounts To make mail service available to users, you must configure mail settings in your user accounts. For each user, you need to enable mail service, enter the DNS name or IP address of your mail server, and select the protocols for retrieving incoming mail (POP, IMAP, or both). You can also set a quota on disk space available for storing a user’s mail. If you configure a user account for both POP and IMAP, additional options let you specify whether the user has separate inboxes for POP and IMAP and whether the POP mailbox appears in the IMAP folder list. One more option specifies whether mail service alerts the user via NotifyMail when mail arrives. You configure these settings in the Accounts module of Workgroup Manager. 
For instructions, see “Working With Mail Settings for Users” on page 150 in Chapter 3, “Users and Groups.”

Configuring Email Client Software
Users must configure their email client software to connect to your mail service. The following table details the information most email clients need and the source of the information in Mac OS X Server. Each entry lists the email client software setting, the corresponding Mac OS X Server value, and an example.

• User name: Full name of the user. Example: Steve Macintosh
• Account name, Account ID: Short name of user account. Example: steve
• Password: Password of user account.
• Host name, Mail server, Mail host: Mail server’s full DNS name or IP address, as used when you log in to the server in Server Settings. Examples: mail.example.com, 192.168.50.1
• Email address: User’s short name, followed by the @ symbol, followed by one of the following:
  - Server’s Internet domain (if the mail server has an MX record in DNS). Example: steve@example.com
  - Mail server’s full DNS name. Example: steve@mail.example.com
  - Server’s IP address. Example: steve@192.168.50.1
• SMTP host, SMTP server: Same as host name. Examples: mail.example.com, 192.168.50.1
• POP host, POP server: Same as host name. Examples: mail.example.com, 192.168.50.1
• IMAP host, IMAP server: Same as host name. Examples: mail.example.com, 192.168.50.1
• SMTP user: Short name of user account. Example: steve
• SMTP password: Password of user account.

Creating Additional Email Addresses for a User
Mail service allows each individual user to have more than one email address. Every user has one email address that is formed from the short name of the user account. In addition, you can define more short names for any user account by using Workgroup Manager. Each additional short name is an alternate email address for the user. The additional short names are called virtual users. For more information on defining additional short names, see “Defining Short Names” on page 140 in Chapter 3, “Users and Groups.” Someone whose user account has multiple short names nonetheless has only one mail account.
A user receives mail for all of the user’s short names in one mailbox. The user cannot set up a different mailbox (or different incoming mail accounts) for each short name. If a user needs an additional mailbox, you must create another user account.

Note: Mail service does not support virtual domains. For example, mail service cannot deliver mail for webmaster@example1.com to the same mailbox as mail for webmaster@example2.com if example1.com and example2.com have different IP addresses.

Performance Tuning
Mail service needs to act very fast for a short period of time. Mail service sits idle until a user wants to read or send a message, and then it needs to transfer the message immediately. Therefore, mail service does not put a heavy continuous demand on the server; it puts intense but brief demands on the server. As long as other services do not place heavy continuous demands on a server (as a QuickTime streaming server would, for example), the server can typically handle several hundred connected users. As the number of connected mail users increases, the demand of mail service on the server increases.

If your mail service performance needs improvement, try the following actions:
• Adjust how often mail service updates its DNS cache. For instructions, see “Updating the DNS Cache in Mail Service” on page 397.
• Adjust the load each mail user can put on your server by limiting the number of connections each user can have on a single IP address. For instructions, see “Controlling IMAP Connections Per User” on page 386.
• Specify how long you want to allow IMAP mail connections to remain idle before the connection is terminated. For instructions, see “Terminating Idle IMAP Connections” on page 387.
• Move the mail storage location to its own hard disk or hard disk partition. For instructions, see “Changing Where Mail Is Stored” on page 394.
• Run other services on a different server, especially services that place frequent heavy demands on the server. (Each server requires a separate Mac OS X Server license.)

Backing Up and Restoring Mail Files
You can back up the mail service data by making a copy of the mail service folder. If you need to restore the mail service data, you can replace the mail service folder with a backup copy. The mail service folder contains the following items:
• MacOSXMailDatabase, which is the mail service database file
• AppleMail, which is the folder that contains a file for each mail message and a file for each mail account

These items are stored in the folder /Library/AppleMailServer unless you specify a different location. For instructions on changing the mail folder location, see “Changing Where Mail Is Stored” on page 394.

An incremental backup of the mail service folder can be fast and efficient. If you use a third-party application to back up the mail service folder incrementally, the only files copied are the small database file and the message files that are new or changed since the last backup.

Although you can restore only part of the mail service folder (some message files in the AppleMail folder with or without the MacOSXMailDatabase file), restoring only part of the mail service folder can corrupt the mail database. The mail service automatically attempts to clean up a mail service folder that has been restored improperly. You can also clean up the mail service folder manually. For instructions, see “Cleaning Up the Mail Files” on page 395.

After restoring the mail service folder, notify users that messages stored on the server have been restored from a backup copy.

If you’re using the UNIX Sendmail program or another mail transfer agent instead of Mac OS X Server’s SMTP service, you should also back up the contents of the /var/mail folder. This folder is the standard location for UNIX mail delivery.

Where to Find More Information
You can find more information about mail service in books and on the Internet.
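Before the further-reading list, here is an added POSIX shell example for the backup and restore procedure described above; it is not from the Apple guide. It copies the whole mail service folder (the MacOSXMailDatabase file and the AppleMail folder) and refuses a partial restore, which the guide warns can corrupt the mail database; it assumes the guide’s default /Library/AppleMailServer location and leaves stopping and starting mail service to Server Settings, where the guide says it must be done before any backup or restore.

```shell
#!/bin/sh
# Added example, not part of the Apple guide. Whole-folder backup and restore
# of the Mac OS X Server v10.2 mail service folder. Stop mail service in
# Server Settings before calling these functions, as the guide requires;
# this script handles only the file copies.
#
# Example calls (paths assumed, not from the guide):
#   backup_mail_folder /Library/AppleMailServer /Volumes/Backup
#   restore_mail_folder /Volumes/Backup/mail-20030101-120000 /Library/AppleMailServer
# If Sendmail is used instead of the built-in SMTP service, /var/mail must be
# backed up separately; it is not covered here.

MAIL_DB="MacOSXMailDatabase"   # the mail service database file
MAIL_STORE="AppleMail"         # folder holding message and account files

# Return 0 if DIR holds both items the guide lists, 1 otherwise.
mail_folder_complete() {
    dir="$1"
    [ -f "$dir/$MAIL_DB" ] && [ -d "$dir/$MAIL_STORE" ]
}

# Copy the complete mail service folder SRC into a timestamped subfolder of
# DEST and print the new backup path. Refuses an incomplete source, because a
# backup missing either item could never be restored consistently.
backup_mail_folder() {
    src="$1"
    dest="$2"
    if ! mail_folder_complete "$src"; then
        echo "backup: $src is not a complete mail service folder" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    target="$dest/mail-$stamp"
    mkdir -p "$target" || return 1
    # -R copies the message files under AppleMail; -p keeps their timestamps,
    # which incremental backup tools rely on.
    cp -Rp "$src/$MAIL_DB" "$src/$MAIL_STORE" "$target/" || return 1
    echo "$target"
}

# Replace the mail service folder LIVE with the contents of BACKUP.
# A backup lacking either item is rejected: restoring only part of the folder
# can corrupt the mail database. The previous live folder is set aside rather
# than deleted so nothing is lost if the restore turns out to be wrong.
restore_mail_folder() {
    backup="$1"
    live="$2"
    if ! mail_folder_complete "$backup"; then
        echo "restore: $backup is incomplete, refusing partial restore" >&2
        return 1
    fi
    if [ -d "$live" ]; then
        mv "$live" "$live.pre-restore.$$" || return 1
    fi
    mkdir -p "$live" || return 1
    cp -Rp "$backup/$MAIL_DB" "$backup/$MAIL_STORE" "$live/" || return 1
}
```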
Important: Stop the mail service before backing up or restoring the mail service folder. If you back up the mail service folder while mail service is active, the backup mail database file may be out of sync with the backup AppleMail folder. If you restore while mail service is active, the active mail database file may become out of sync with the active AppleMail folder.

Books
For general information about mail protocols and other technologies, see these books:
• A good all-around introduction to mail service can be found in Internet Messaging, by David Strom and Marshall T. Rose (Prentice Hall, 1998).
• For more information on MX records, see “DNS and Electronic Mail” in DNS and BIND, 3rd edition, by Paul Albitz, Cricket Liu, and Mike Loukides (O’Reilly and Associates, 1998).
• Also of interest may be Removing the Spam: Email Processing and Filtering, by Geoff Mulligan (Addison-Wesley Networking Basics Series, 1999).
• To learn about email standards, see Essential E-Mail Standards: RFCs and Protocols Made Practical, by Pete Loshin (John Wiley & Sons, 1999).

Internet
There is an abundance of information about the different mail protocols, DNS, and other related topics on the Internet. Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you are a novice server administrator, you will probably find some of the background information in an RFC helpful. If you are an experienced server administrator, you can find all the technical details about a protocol in its RFC document.
You can search for RFC documents by number at this Web site: www.faqs.org/rfcs

For more information about Sendmail, see this Web site: www.sendmail.org

You can find out more about servers that filter junk mail at this Web site: www.ordb.org

For technical details about how mail protocols work, see these RFC documents:
• POP: RFC 1725
• IMAP: RFC 2060
• SMTP: RFC 821 and RFC 822

For simple explanations about mail service, see this Web site: www.whatis.com
Search for any technical term to find a simple explanation of the term. Also, this Web site offers a set of links to more detailed information about how a particular technology works.

Chapter 10 Client Management: Mac OS 9 and OS 8
Macintosh Manager provides network administrators with a centralized method of managing Mac OS 9 and Mac OS 8 workstations, controlling access to software and removable media, and providing a consistent, personalized experience for users. After you import basic information (user name, password, and user ID) from Workgroup Manager user accounts, you can customize preferences and privileges for users, workgroups, and computer lists. Mac OS X Server saves user documents and preferences in a home directory, so your users can access their files from any Mac on your network.

Like Workgroup Manager, Macintosh Manager lets you set network-wide policies for controlling user access to applications, file server volumes, and printers. Macintosh Manager provides its own authentication and preference management for Mac OS 9 or Mac OS 8 computers and can be used with NetBoot clients.

Client management can help you create a more tailored and efficient user experience. Because you can define the user environment, you can provide an interface suitable for users with different skill levels. This can make it easier, for example, to set up an elementary school computer lab for use by a wide range of students from kindergarten to eighth grade.
This chapter summarizes how Macintosh Manager works, gives details about different types of managed environments, and tells you how to
• set up Macintosh Manager
• import users into Macintosh Manager
• set up workgroups and computer lists for Mac OS 9 and OS 8 clients
• create managed environments for Mac OS 9 and OS 8 clients
• implement Macintosh Manager security settings and controls

Note: Macintosh Manager is not used to manage Mac OS X clients. If you need to manage Mac OS X clients, read Chapter 6, “Client Management: Mac OS X.”

Transition Strategies for Macintosh Manager
If you are migrating to Macintosh Manager 2.2 from an earlier version, you can do a simple upgrade to the new Macintosh Manager. Functionality remains much the same, but you may notice some differences in how Macintosh Manager stores certain items. If you need more information about migration issues and strategies, download the “Upgrading to Mac OS X Server” from the Web site listed below:
www.apple.com/macosx/server/

The User Experience
This section describes both the actual user experience and the server processes for Mac OS 9 managed clients.

Logging In
Users imported into Macintosh Manager can simply type their Mac OS X Server user names and passwords in the Macintosh Manager login dialog box. Alternatively, you can allow users to choose their names from a list (showing long names) at login.

When a user logs in, Macintosh Manager uses Directory Services to verify that the user ID is valid. If it is valid, Macintosh Manager finds the correct workgroups for that user and displays them in a list. If a user belongs to more than one workgroup, he or she can select a workgroup from the list. If a user belongs to only one workgroup, login proceeds automatically without displaying a workgroup list. Macintosh Manager workgroup settings define the user’s working environment (Finder, Restricted Finder, or Panels).
Depending upon the computer being used, the network configuration, and access privileges, the user may have access to various resources such as printers, applications, and volumes. Settings for the computer, the workgroup, and the user determine the final set of privileges and preferences that define the user experience for an individual.

Logging In Using the All Other Users Account
Users who have a Mac OS X user account but have not been imported into Macintosh Manager can type their Mac OS X Server user names and passwords in the Macintosh Manager login dialog box. If the All Other Users account belongs to more than one workgroup, the user can select a workgroup from a list. Otherwise, login continues automatically.

Logging In Using the Guest Account
Any user can log in as Guest, provided that the Guest account has been activated. The Guest account does not require password authentication. If the Guest account belongs to more than one workgroup, the user can select a workgroup from a list. Otherwise, login continues automatically.

Locating the Home Directory
User home directories are mounted automatically when a user logs in. A folder with the user’s name on it appears on the desktop or on a panel depending upon the workgroup type. The user’s home directory is located inside the Users folder. Guest users have a temporary local home directory for storing files or preferences.

[Figure: the login flow. The user enters a user name and password and logs in; a list of workgroups is shown and the user selects a workgroup; the workgroup determines the user environment and access to resources.]

Finding Applications
Approved applications for Panels and Restricted Finder workgroups are located in the “Items for workgroup name” folder inside the user’s home directory. For users in a Finder workgroup, applications are stored in the client computer’s Applications folder or Applications (Mac OS 9) folder.
Finding Shared Documents
Depending on the user environment and how you set up workgroup folders, users may have access to several areas where they can view or store shared items. For example, you can set up a group documents volume inside the Macintosh Manager share point to allow users to collaborate more effectively, or you might provide a hand-in folder for a Panels workgroup to allow users to turn in documents.

Before You Begin
You should consider taking advantage of client management if
• you want to provide users with a consistent, controlled interface while allowing them to access their documents from any computer
• you want to control privileges for users with mobile computers
• you want to reserve certain resources for only specific groups or individuals
• you need to secure computer usage in key areas such as administrative offices, classrooms, or open labs

Before you set up Macintosh Manager to manage users, groups, or computers, be sure to follow these preliminary steps.

Step 1: Make sure computers meet minimum requirements

Client Computer Requirements
Software
• Mac OS 8.1 to Mac OS 9.x as the primary operating system
• Appearance control panel v. 1.0.1 or later

Note: Macintosh Manager is not used to manage Mac OS X clients.

Hardware
• Macintosh computer with a 68K processor
• 8 megabytes (MB) of physical random access memory (RAM) (not virtual memory)
• 2 MB of disk space available
• 16-bit monitor recommended if using the Panels environment

Important: If you have clients using earlier versions of Macintosh Manager, be sure to upgrade them to Macintosh Manager 2.2 before you connect them to the Mac OS X Server.

Administrator Computer Requirements
Software
• Mac OS X Server (with Macintosh Manager administrator software) installed
You can also install only the Macintosh Manager administrator software if you want to access the administrator software on a nonserver computer (the computer must use either Mac OS X v10.2 or Mac OS 9.2 as the operating system).

Hardware
• Macintosh computer with a G3 processor
• 128 MB of RAM; at least 256 MB of RAM for high-demand servers running multiple services
• 4 gigabytes (GB) of available disk space
• Minimum monitor resolution of 800 x 600

Note: Automatic hardware restart requires a Macintosh Server G4 or Power Mac G4 released in February 2000 or later.

Step 2: Install Macintosh Manager administrator software
You can use Macintosh Manager administrator software in either Mac OS X or Mac OS 9, but you cannot use it in Mac OS 8. You can install the administrator software on a Mac OS X server, on selected “administrative” client computers, or on all client computers. Only server administrators, Macintosh Manager administrators, and workgroup administrators have access to the Macintosh Manager administrator application.

Using designated administrative computers can make it easier to change or update management settings for clients. For example, if you have a set of computers in a classroom, you could install the administrator software on the teacher’s computer and give the teacher administrative access. Then, the teacher can make immediate changes as needed, such as adding users to a workgroup or providing access to a different printer.

Because the administrator computer is used to set up Macintosh Manager, the administrator computer should have access to the same printers and applications you want to use for your client computers. This makes it easier to create lists of allowed applications and printer lists for the clients.
The administrator computer can have access to more printers and applications than clients but shouldn’t have access to fewer.

To set up an administrative client computer:
1 Make sure the computer meets minimum requirements.
2 Make sure the system software is either Mac OS X or Mac OS 9.2.
3 Make sure necessary applications are installed.
4 Set up printer access using either Print Center (for Mac OS X) or Desktop Printer Utility (for Mac OS 9).
5 Install Macintosh Manager administrator and client software.

Before you use the Macintosh Manager administrator application, open the Sharing preference in System Preferences in Mac OS X and make sure Web sharing and file sharing are turned off. If you are using Mac OS 9, check the settings for the File Sharing and Web Sharing control panels.

Step 3: Set up client computers
Mac OS 9 computers and Mac OS 8 computers require different setup procedures.

To set up Mac OS 9 client computers:
1 Make sure the computer meets minimum requirements.
2 Make sure the system software is Mac OS 9 (version 9.1 or later recommended).
3 Install Macintosh Manager client software, if it is not already installed.
4 Open the Multiple Users control panel.
5 Click Options, then click Other.
6 Select “Macintosh Manager account (on network).”
7 Click Save.
8 Select “On” to turn on Multiple User Accounts.
9 Close the control panel, and then choose Logout from the Special menu.

Important: When you make printers available to client computers, Macintosh Manager creates desktop printers for your Mac OS 9 clients. The Mac OS X version of the Macintosh Manager administrator application only creates LaserWriter desktop printers. If you need to provide access to non-LaserWriter printers, you must use the Mac OS 9 version of the Macintosh Manager administrator application to manage clients.
The computer locates Macintosh Manager servers (any Mac OS X Server with Macintosh Manager server processes installed) on your network automatically when you log out. You can select the server you want to use. If the computer can’t locate a Macintosh Manager server, browse to find the TCP/IP address (not the AppleTalk address) of the server you want.

To set up Mac OS 8 client computers:
1 Make sure the system software is Mac OS 8 (version 8.1 or later).
2 Install Macintosh Manager client software.
3 Restart the computer.

To stop managing Mac OS 8 client computers, remove the Multiple Users startup extension from the System Folder and restart the computer.

Important: For computers using Mac OS 8.6, a user in the Finder environment can access the Startup Disk control panel. Disable the control panel with Extensions Manager before you use Macintosh Manager with those computers.

Using Update Packages
If you are already using Macintosh Manager 2.0 or later on a client computer, you can easily upgrade to the latest version of Macintosh Manager by using an automatic update package. The update package is located on the Macintosh Manager installation CD. It is not installed automatically.

To use an update package:
• Copy the update package to the Multi-User Items folder on your Macintosh Manager server.

All connected clients periodically look for an update package in the Multi-User Items folder. If an update package is found, clients run the update automatically regardless of whether or not the update is for a new or previous version. Before you use an update package, be sure to shut down any computers you don’t want to update. After the update is complete, remove the update package from the Multi-User Items folder, and then restart the client computers.

Choosing a Language for Macintosh Manager Servers and Clients
Ideally, the language used on client computers should match the language used on the Macintosh Manager server. However, if you want to set up different languages on certain client computers, you can do so.

Client computers using different languages can connect to the same server provided the server language script matches the client language script. For example, a user at a client computer that uses French-language client software with the script set to Roman can connect to the server. Another user at a German client computer using Roman script can also use the same server. You can set the script in the International pane of System Preferences (in Mac OS X) or using the International control panel (in Mac OS 9 or 8).

When a user connects to a Macintosh Manager server, the client computer should use the same language software that was used during any previous connections. For example, if a user connects to the Macintosh Manager server from a French client computer and then from a German client computer, preference folders and other folders in the user’s home directory may be created for each language, so the user may not be able to share preferences across languages. On the other hand, if separate folders are not created, then different-language versions of two programs may end up sharing a preference file. This could cause the client computer to freeze.

Changing the Apple File Service Language Script
The correct Apple file service language script (for “Encoding for older clients”) should be selected before using the Macintosh Manager server. If Macintosh Manager service is already in use, stop Macintosh Manager service before changing the language script. The “Encoding for older clients” script should match the client computer’s language script (selected in the International pane of System Preferences) in addition to the language script used for the Macintosh Manager administration application.

Step 4: Make sure you’ve set up users and their home directories
If you haven’t set up users and home directories already, do so before you proceed.
Read Chapter 3, “Users and Groups,” for more information.

Inside Macintosh Manager
The sections that follow describe some of Macintosh Manager’s components and provide background information about how Macintosh Manager works with other Mac OS X Server services.

Macintosh Manager Security
Although Macintosh Manager is not a designated “security application,” you can use Macintosh Manager settings to provide more administrative control or to allow greater flexibility for users. For example, you might want to restrict local file and system access privileges, allow users to play audio CDs, or allow users to access some applications but not others.

Macintosh Manager users cannot access other users’ home directories, nor can they change network settings (AppleTalk and TCP/IP control panels), Energy Saver settings, or Multiple Users settings. Macintosh Manager’s design prevents users from renaming Macintosh Manager files or changing the file type or creator. In addition, the Macintosh Manager extension is not affected if a computer is restarted with extensions off, and users cannot disable the Macintosh Manager extension by moving it or turning it off.

About the Macintosh Manager Share Point
When Macintosh Manager server software is installed, a share point named Macintosh Manager is created on the server. Its permissions are automatically set to allow access from Macintosh Manager. Users who don’t have administrative privileges can’t see the contents of the share point and do not interact with it. The Macintosh Manager share point exists primarily to service the databases, but it is also the default location for the workgroup document volume. For more information about the contents of the workgroup document volume, see “Sharing Information in Macintosh Manager” on page 443.
If you need to save space, you can move the Macintosh Manager share point to another volume as long as the name of the share point is the same, the folder remains a share point, and the access privileges are the same. Avoid using non-ASCII special characters (such as •, å, é, or ü) or any double-byte characters (such as Kanji characters) in the names of share points you plan to use with Macintosh Manager.

Important: Do not place the Macintosh Manager share point on a UFS-formatted volume.

The Multi-User Items Folder
The Multi-User Items folder is located in the Macintosh Manager share point. Files and folders inside the Multi-User Items folder contain information about options set using Macintosh Manager, such as the location of the Macintosh Management server, aliases to workgroup items, cache information, and the databases for users, groups, and computer lists.

The Multi-User Items folder contains the following items:
• Activity Log file: This file contains log entries used to generate reports that show information such as login activity, printer usage, and application usage. You can define the number of entries in the Activity Log file. See “Setting the Number of Items in a Report” on page 463 for more information.
• CD-ROM Preferences file: This file contains a list of CDs users are allowed to use, along with any settings for specific items on each CD.
• Computers folder: This folder contains database files that store Macintosh Manager settings for each computer list you set up.
• Groups folder: This folder contains a folder for each Macintosh Manager workgroup and database files that store information about Macintosh Manager settings for each workgroup, such as the allowed items list and the location of the workgroup document folder.
• Multi-User Items file: This file contains an archive of the files currently inside the Multi-User Items folder. Do not open or modify the file. If it is deleted, it is created again the next time you use Macintosh Manager.
• Printers folder: This folder contains files that represent the desktop printers you set up in Macintosh Manager. A file is created for each desktop printer used by a Macintosh Manager workgroup. When a user logs in to a workgroup that uses a desktop printer, the printer information is copied to the desktop of the client computer. You should use Macintosh Manager to modify printer information; don’t open or remove items in the Printers folder. If you delete a printer file from this folder, workgroup members who want to use that printer see a message that the printer can’t be found.
• Users folder: This folder contains database files that store Macintosh Manager settings for each user account and a folder for each user that has logged in to the server at least once.

How the Multi-User Items Folder Is Updated
The client’s Multi-User Items folder is always updated when you make changes in Macintosh Manager. A copy of this folder is stored automatically in the System Folder of each client computer. If the client computer’s Multi-User Items folder is deleted, the computer downloads a new, clean copy from the server as needed, but not while a user is logged in.

The folder is also updated under the following circumstances:
• If a client computer is connected to the server, but no users are logged in, Macintosh Manager checks periodically to see if any items in the folder need to be updated. If changes were made while a user is logged in to a computer, the folder isn’t updated until the user logs out.
• If a computer is disconnected from the server automatically because it was idle for a period of time, no update checks are made until a user logs in and out of the workstation.
• If the client’s Multi-User Items folder is deleted, the client downloads a new, clean copy from the server when a user logs in.
How Macintosh Manager Works With Directory Services
Both Macintosh Manager and Workgroup Manager have access to user account information in the Directory Services database. If you are managing Mac OS 9 or Mac OS 8 clients, you must import users from Workgroup Manager into Macintosh Manager or use Macintosh Manager’s All Other Users feature in order to provide user access to your managed network.

The only information shared between Macintosh Manager and Workgroup Manager is the user ID, which is stored in Directory Services along with the user name, password, and information about the location of the user’s home directory. For more information about Directory Services, see Chapter 2, “Directory Services.”

Macintosh Manager uses the user ID to verify and obtain a user’s user name and password through Directory Services and to find the user’s home directory. The user ID is also used to match users to the correct workgroups, preferences, and computer lists in Macintosh Manager. All other user information, such as user storage quotas and system access privileges, is set up using Macintosh Manager.

After users are imported, you can create workgroups for those users and create lists specifying which computers your workgroups can use. Macintosh Manager workgroups and computer lists are completely independent of Workgroup Manager groups and computer lists.

Where User Information Is Stored
Macintosh Manager stores information about settings for users, workgroups, and computers in database files located in folders inside the Multi-User Items folder. The Users, Groups, and Computers folders each contain two database files:
• One file contains an index of each record in the database (such as the name of a workgroup).
• The other file contains the specific information for each record (such as workgroup members, privileges, and environment).
[Figure: information shared through Directory Services. Directory Services holds the user ID together with the user name and password, and this is the only information shared. Macintosh Manager data (users, groups, computer lists) and Workgroup Manager data (users, groups, computer lists) are kept separately.]

Although the users, groups, and computers databases are not part of a larger relational database, each refers to information stored in the other databases. For example, the users database contains a list of workgroups to which a user belongs. To maintain consistency between databases, Macintosh Manager checks references from one database to another and updates the databases as needed.

How Macintosh Manager Works With Home Directories
You can set up home directory locations when you create user accounts. If a user doesn’t have a home directory, he or she will not be able to log in. Mac OS 9 and Mac OS 8 managed clients mount the user’s home directory automatically when a user logs in. The user is the owner of his or her own home directory and has full access to its contents. Macintosh Manager prevents access to other users’ home directories, even if the folder’s permissions have been set to allow access. For more information about creating user accounts and home directories, see Chapter 3, “Users and Groups.”

How Macintosh Manager Works With Preferences
In addition to controlling certain privileges, Macintosh Manager allows you to control application preferences and System Preferences. You can define these preferences using folders inside a user’s Managed Preferences folder.
• Preferences in the Initial Preferences folder are set only once for a user.
• Preferences in the Forced Preferences folder are set every time a user logs in.
• To control preferences for Mac OS 8 users, you can use the Preserved Preferences folder.

For more information about how to use these folders to control user preferences, see “Managing Preferences” on page 466.
Where Macintosh Manager Preferences Are Stored

This section describes how user-specific preferences (such as Web browser “favorites” and desktop backgrounds) are stored in a Macintosh Manager environment. There are some differences in how preferences are handled on Mac OS 9 and Mac OS 8 computers. Macintosh Manager stores and accesses preferences this way:
• When a user is not logged in: Most of a user’s individual preferences are stored on the server, for both Mac OS 9 and Mac OS 8 client computers.
• When a user logs in to Macintosh Manager: The individual preferences for that user are located by Macintosh Manager and put in effect for as long as the user is logged in. Where the preferences are stored while the user is logged in varies depending on which operating system is used:
  For Mac OS 9 clients: Preferences are stored in the /Library/Classic/Preferences folder in the user’s home directory.
  For Mac OS 8 clients: Preferences are stored in the Preferences folder in the System Folder on the client computer’s hard disk.

If a user does not have a home directory, you can store preferences for Mac OS 9 in the Preferences folder in the Users folder on the client hard disk, but you cannot store them in the Preferences folder in the System Folder.

Using the MMLocalPrefs Extension

If some applications create excess network activity, storing preferences locally may help decrease the overall burden on your network. You can install the MMLocalPrefs extension on Mac OS 9 computers to allow Macintosh Manager to store and access user preferences locally. Using the MMLocalPrefs extension may increase login and logout times because user preferences need to be copied to and from the local hard disk. The MMLocalPrefs extension must be installed manually on individual computers, and it affects any user who can access those computers. This extension does not work on Mac OS 8 computers.

Important: Do not install the MMLocalPrefs extension if you need to enable the Check Out feature for Mac OS 9 clients.

Using NetBoot With Macintosh Manager

Although you are not required to use NetBoot with Macintosh Manager, you can use it to administer each computer’s system setup in labs and classrooms. With NetBoot you can provide students with identical user environments and easy access to the same resources on a secure network that is easy to maintain.

Preparation for Using NetBoot

If client computers use system software supplied by a NetBoot server, you can ensure that each computer has the same version of software and access to the same applications. Regardless of what users change during a session, the computers return to the same system configuration after restart. Network computers are easy to maintain because the user applications need to be installed only on a disk image stored on the server.

You must use the NetBoot Desktop Admin utility to change the Multiple Users control panel options so that NetBoot client computers retrieve account information from Macintosh Manager when they start up.

The steps below give a general description of how to prepare your managed network and clients for use with NetBoot. See Chapter 12, “NetBoot,” for more detailed information.
• Set up the client computers to start up from the Mac OS disk image on the server.
• Use Macintosh Manager to control user environment, preferences, and access to local and network resources.
• Install the Macintosh Manager server software on the server containing the Mac OS image that NetBoot client computers will use to start up. Use the same server to store users’ documents and applications.
• Set up workgroup administrator accounts for certain users, such as teachers or technical staff, then show them how to use Macintosh Manager to manage user accounts and workgroups.
Setting Up Mac OS 9 or Mac OS 8 Managed Clients

The following steps provide an overview of the initial setup process for managing clients in Macintosh Manager. Detailed information and tasks related to each part of the process are contained in other sections of this chapter as indicated by page references.

Step 1: Make sure Macintosh Manager services are available
In the General pane of Server Settings, click the Macintosh Manager service icon. If Macintosh Manager is available, you will see a globe on the service icon and the first menu item will be Stop Macintosh Management service. If the first menu item is Start Macintosh Management Service, choose it to start Macintosh Manager.

Step 2: Log in to Macintosh Manager Admin as an administrator
For instructions, see “Logging In to Macintosh Manager as an Administrator” on page 425.

Step 3: Import user accounts
You can import user accounts from Workgroup Manager or from a text file, and you can use a template to apply settings. Macintosh Manager provides a Guest User account. You can also use the All Other Users account to provide access to unimported users. For more information about working with user accounts, see “Importing User Accounts” on page 426.

Step 4: Designate a Macintosh Manager administrator
For instructions, see “Designating Administrators” on page 431.

Step 5: Designate workgroup administrators
For instructions, see “Designating Administrators” on page 431.

Step 6: Create workgroups for users
Workgroups let you group users together and apply the same settings to all the users. You can set up workgroups according to any criteria, such as purpose (video production) or location (a fourth-grade classroom), and provide users with convenient access to necessary resources. You can also use a template to apply workgroup settings. For more information about creating workgroups, see “Setting Up Workgroups” on page 436.

Step 7: Create computer lists
Computer lists let you group computers and apply the same settings to all the computers. You can use a template to apply settings to a computer list. The All Other Computers account lets you provide managed network access to computers that aren’t in a computer list. For more information about using computer lists, see “Setting Up Computer Lists” on page 451.

Step 8: Select global settings and set up managed preferences folders
In addition to various settings for users, workgroups, and computers, Macintosh Manager provides other security and CD-ROM settings in the Global pane. You can also manage user preferences by placing preference files in Forced, Initial, or Preserved preferences folders. For information about using global settings, see “Using Global Security Settings” on page 462 and “Using Global CD-ROM Settings” on page 465. For information about using managed preference folders, see “Managing Preferences” on page 466.

Logging In to Macintosh Manager as an Administrator

The first time you open the Macintosh Manager administrative software and log in, you can use your Mac OS X Server administrator account. Later on, you can still log in to Macintosh Manager Admin using that account or other Macintosh Manager administrator accounts that you set up.

To log in to Macintosh Manager:
1 Click the Macintosh Manager icon in the Dock to open Macintosh Manager. To open Macintosh Manager from Workgroup Manager, click the Macintosh Mgr icon and select Open Macintosh Manager.
2 Enter your Mac OS X Server administrator account user name and password.

After you log in, you can add user accounts, create workgroups, create computer lists, designate administrators, and access and change Macintosh Management service settings.

Working With Macintosh Manager Preferences

Macintosh Manager preference settings let you choose a sorting method for users and workgroups and choose a format for exported reports.
Only Macintosh Manager administrators can change these settings.

To change Macintosh Manager preferences:
1 Log in to Macintosh Manager.
2 Choose Preferences from the Macintosh Manager menu (in Mac OS X) or choose Preferences from the File menu (in Mac OS 9).
3 Select settings for sorting users (by either name or type).
4 Select settings for sorting workgroups (by either name or environment).
5 Select a format for reports exported to a text file (using either tabs or commas to separate information fields).
6 If you want to use templates for users, groups, or computers, select “Show template” to include the “template” item in the list of accounts.

Importing User Accounts

This section explains various ways to import users and apply user settings. All user accounts must be created before you can import or modify them using Macintosh Manager. You cannot create user accounts in Macintosh Manager. If you have not already set up users, see Chapter 3, “Users and Groups,” for information and instructions.

Macintosh Manager user accounts are for anyone who uses a computer in a managed environment. Most users do not require access to the Macintosh Manager administrator application. If you want to give certain users (for example, managers, teachers, and so forth) administrative privileges, read “Designating Administrators” on page 431 for details.

You select user settings and user type in the Users pane of Macintosh Manager. You can select options manually or use a template to apply settings as users are imported.

Applying User Settings With a Template

You can create a template and use it to apply identical settings to multiple users at once during import. This makes it easy to start managing large numbers of users quickly.

Note: Once you set up a template, you cannot reset it to its original state. You can, however, change template settings any time you want.

To set up or change a user template:
1 In the Users pane of Macintosh Manager, select Template in the Imported Users list. If you don’t see the template, open Macintosh Manager Preferences and make sure “Show templates” is selected. To open Macintosh Manager Preferences in Mac OS X, choose Preferences from the Macintosh Manager menu. In Mac OS 9, choose Preferences from the Edit menu.
2 In the Basic and Advanced panes, set options you want to use for the template, then click Save.

Importing All Users

If you have a small number of users in your Mac OS X Server database, you may want to import them to Macintosh Manager all at once. You can import up to 10,000 users with the Import All feature.

To import all users:
1 In Macintosh Manager, click Users.
2 Click Import All. An individual Macintosh Manager user account is created for each imported user. Depending on the number of users imported, this process may take some time.

You can also import users individually or in groups. If you have more than 10,000 users to import, you may want to consider importing users from a text file.

Importing One or More Users

If necessary, you can import individual users or small groups of users. You must be using Macintosh Manager Admin in Mac OS X in order to import one user at a time. You cannot import one user at a time using Macintosh Manager on a Mac OS 9 computer.

To add one or more users to Macintosh Manager:
1 In Macintosh Manager, click Users.
2 Click Import.
3 If Workgroup Manager is not already open, a message about adding users appears. Click Open to open Workgroup Manager.
4 In Workgroup Manager, click Users & Groups, then select Show Users & Groups List.
5 In the Users & Groups List, select the user or users you want to import, then drag them to the Imported Users list in Macintosh Manager. You may need to rearrange the windows so that you can see both lists. If you can’t find a user in the Users & Groups List, that user may not be in your Mac OS X Server directory.

If you have fewer than 10,000 users to import, you can also use the Import All feature.

Collecting User Information in a Text File

You can create a plain text file that contains user information and then use this file when you import users into Macintosh Manager. Your file must contain at least one of the following pieces of information about each user: user ID, user name, or short name. You do not need to list password information.

To collect user information in a text file:
1 Make sure each user in the file already exists in directory services. Information for missing users is ignored.
2 Make sure each line of user information is separated by a hard return. If you have multiple items of user information on each line, make sure the items are separated by either commas or tabs.
3 Make sure the file is saved as plain text and has “.txt” at the end of the file name.

To reduce the likelihood of error, avoid mixing types of user information in the text file. For example, you could use only the user ID for each user.

Importing a List of Users From a Text File

Using a text file to import user information is a convenient way to start managing large numbers of users.

To import users from a text file:
1 In Macintosh Manager, click Users.
2 Choose Import User List from the File menu, then select the file you want to import.
3 In the Available Fields list, select the list item that matches the first item of user information in your text file, then click Add to add the item to the Import list. For example, if the first item in your text file is the user ID, the first item you add to the Import list should be user ID. Do the same for other information you want to import.
4 Choose either tab or comma for the field delimiter, depending on how you separated pieces of user information in your text file.
5 Click Open Sample Import to preview imported information, or click OK to start the import. If a user cannot be found, you will see a warning message. Users in the text file must be present in the directory services database before you can import them into Macintosh Manager.

Finding Specific Imported Users

You can use the “Select Users By” feature to search for Macintosh Manager users according to chosen criteria.

To search for users:
1 Open Macintosh Manager, then click Users.
2 If “Template” appears in the list of users, make sure it is not selected.
3 Choose Select Users By from the Edit menu.
4 Select the kinds of search information you want to use. If you select Comment, you can find users that have certain words in their comment fields.

Providing Quick Access to Unimported Users

If you want to allow user access to a managed network without having to set up user accounts, you can use the All Other Users feature, or you can set up a guest user account. If mobile clients require access to your network, you may also want to use the All Other Computers account.

Using Guest Accounts

In Macintosh Manager, you can create three types of “guest” accounts, all of which can be managed.
• All Other Users: Using All Other Users is a quick way to provide access to large numbers of users and manage them without having to import them into Macintosh Manager. Users with existing Mac OS X user accounts can log in and access their own home directories, preferences, and documents. They have the privileges and environment you set up for the All Other Users Account. You can also set login settings for All Other Users and allow them to exceed printer quotas. For information about how to set up the All Other Users account see “Providing Access to Unimported Mac OS X Server Users” on page 430.
• Guest Users: When a user logs in as Guest, no password is required. Anyone can use the guest account when it is available, whether he or she has a Macintosh Manager user account, a Mac OS X Server user account, or no account at all. All users logged in as Guest have the same privileges and preferences. Any settings you choose for the guest account apply to all users who log in as Guest. You can set login settings and user storage quotas for guest users. You can also allow them to exceed printer quotas. For more information about using the guest user account, see “Setting Up a Guest User Account” on page 431.
• All Other Computers: Any computer that is “unknown” or not in a Macintosh Manager computer list uses settings selected for the All Other Computers account. Allowing unknown or “guest” computers is useful if you want to manage users who want to connect to your network using their own portable computers. For more information about how to set up the All Other Computers account, see “Setting Up the All Other Computers Account” on page 452.

Providing Access to Unimported Mac OS X Server Users

After you enable the All Other Users feature, Macintosh Manager creates the All Other Users account and makes it available in the Imported Users list. You can treat the All Other Users account like any other user account with its own workgroup and settings, with a few exceptions:
• Computer checkout is not allowed.
• Working offline at a client computer is not allowed.
• A disk quota is not enforced.

Using the All Other Users account is the quickest and most convenient way to grant authenticated access and set up customized environments for users without having to import them into Macintosh Manager. For example, in a school with a central user database, you can set up Macintosh Manager service in a computer lab using only the All Other Users account. Any user on campus who has a Mac OS X Server account can walk into the lab, log in, and access his or her home directory in a managed environment.
To set up the All Other Users account:
1 In Macintosh Manager, click Global, and then click Security.
2 Select Allow “All Other Users” and click Save.
3 Click the Users tab and select All Other Users in the Imported Users list.
4 Select settings in the Basic and Advanced panes, then click Save.
5 Click Workgroups, add All Other Users to a workgroup, and give the workgroup a name.
6 Select settings for that workgroup, then click Save.
7 Click Computers and make computers available to the workgroup you just created.

Setting Up a Guest User Account

Because the Guest account does not require individual user names and passwords for each user, it is a good choice for setting up a public computer or kiosk where users do not need to access their home directories. After you enable the Guest account, Macintosh Manager creates the account and makes it available in the Imported Users list. As with any other user account, you can add the Guest account to a workgroup and apply Macintosh Manager settings, with a few exceptions:
• Computer checkout is not allowed.
• Working offline at a client computer is not allowed.

To set up the Guest account:
1 Open Macintosh Manager, click Global, and then click Security.
2 Select “Allow Guest access.”
3 Click Users, and select Guest from the Imported Users list. In the Basic and Advanced panes, select the settings you want to use.
4 Click Workgroups. Create a workgroup for the Guest account, or select an existing workgroup and add Guest to the Workgroup Members list in the Members pane.
5 Provide access to computers by making one or more lists of computers available to the workgroups.
6 Click Save.

Designating Administrators

After you import user accounts, you’ll need to give some users administrative privileges. For Macintosh Manager, the privilege hierarchy is similar to that of Workgroup Manager, but Macintosh Manager uses only two types of administrative accounts. Macintosh Manager workgroup administrators are similar to Workgroup Manager’s directory domain administrators, but their privileges apply only to workgroups created in Macintosh Manager.

About Macintosh Manager Administrators

A Macintosh Manager administrator can import, edit, and delete user accounts and create workgroup administrators and additional Macintosh Manager administrators. A Macintosh Manager administrator can change any of the Macintosh Manager settings and, if allowed, can use his or her administrator password to log in as any user except another Macintosh Manager administrator.

A Macintosh Manager administrator’s administrative privileges do not apply in Mac OS X Workgroup Manager tools. For example, a Macintosh Manager administrator cannot create user accounts in Workgroup Manager (unless he or she also has a Mac OS X server administrator account).

Allowing Mac OS X Server Administrators to Use Macintosh Manager Accounts

Because Macintosh Manager is disconnected from data (other than the user ID) used by Workgroup Manager, Mac OS X Server administrator accounts are imported to Macintosh Manager as regular users. They may not be able to access their home directories when they log in to client computers, and they will not automatically have administrative privileges in Macintosh Manager. They cannot access the Macintosh Manager share point or set up managed preferences.

You should create a separate Mac OS X Server user account for any server administrators you want to include in Macintosh Manager, and then import those accounts. If you want to give these users full administrative privileges in Macintosh Manager, follow the instructions for “Creating a Macintosh Manager Administrator” on page 432.

About Workgroup Administrators

Workgroup administrators can add or modify user accounts and workgroups according to privileges assigned to them. Regardless of privileges, they cannot change a user’s type or change access settings, and they cannot create Finder workgroups.

Workgroup administrators also have access to shared folders, such as hand-in folders, which can be used to collect documents from users. In a school environment, for example, teachers who are workgroup administrators can distribute and collect assignments over the network. A teacher can also make available various network resources, applications, and CDs that promote teaching objectives for the class.

Creating a Macintosh Manager Administrator

You should create at least one Macintosh Manager administrator to prevent users from bypassing security and changing to a different Macintosh Manager server.

To designate a Macintosh Manager administrator:
1 In Macintosh Manager, click Users.
2 Select one or more users in the Imported Users list.
3 Change the user type to Macintosh Manager Administrator, then click Save.

Creating a Workgroup Administrator

You can set up workgroup administrator accounts for people (such as teachers or technical coordinators) who may need to add or modify certain user accounts or workgroups.

To designate a workgroup administrator:
1 In Macintosh Manager, click Users.
2 Select one or more users in the Imported Users list.
3 Change the User Type to Workgroup Administrator, then click Save.

Changing Your Macintosh Manager Administrator Password

Macintosh Manager administrators can change their passwords whenever necessary.

To change your administrator password:
1 Log in to Macintosh Manager.
2 Choose Change Password from the Configure menu.
3 In the text fields provided, type your current password, then type your new password. Then, type your new password again to verify it.

Working With User Settings

This section describes basic and advanced user settings and how to use them. Available settings in the Advanced pane vary depending upon the user type.
All users have the same options available for basic settings regardless of user type.

Changing Basic User Settings

Name, short name, and ID information is imported with each user. This information cannot be changed in Macintosh Manager. For information about how to change this information, see Chapter 3, “Users and Groups.”

You can change basic settings for more than one user at a time. When you have multiple users selected, the name, short name, and ID change to “Varies.”

To change Basic user settings:
1 In Macintosh Manager, click Users, and then click Basic.
2 Select one or more users in the Imported Users list.
3 Select a type from the User Type pop-up menu.
4 Select login settings. “User can log in” is already selected for you. Deselect it if you want to disable user login immediately. If you want to prevent a user from logging in after a specific date (for example, after a school session ends), select “Disable log-in as of __” and type in a date.
5 Add comments (up to 63 characters long) in the Comments field. This is a good place to put user-specific information (for example, a student’s grade level or an employee’s office location) or keywords that will help you find users.
6 Click Save.

Allowing Multiple Logins for Users

Ordinarily, users must log out on one computer before they can log in on another. However, you may want to allow certain users, such as technical support staff or administrators, to log in on several computers simultaneously (to do maintenance tasks, for example).

To allow simultaneous logins:
1 In Macintosh Manager, click Users, and then click Advanced.
2 Select a user from the Imported Users list.
3 Deselect “User can only log in at one computer at a time.”
4 Click Save.

Granting a User System Access

Users who have system access can access all items on a client computer, including the Finder and the System Folder. Grant system access to specific users, such as workgroup administrators or technical support staff, only if necessary. Macintosh Manager administrators always have system access.

To allow system access for a user:
1 In Macintosh Manager, click Users, and then click Advanced.
2 Select a regular user or workgroup administrator in the Imported Users list.
3 Select “User has system access.”
4 Click Save.

Changing Advanced Settings

Depending upon the user type, some advanced settings may or may not be available. Also, workgroup administrators cannot change access settings, email settings, or user type.

To change advanced settings for a user:
1 In Macintosh Manager, click Users, and then click Advanced.
2 Select the user or users you want to modify in the Imported Users list. You can select multiple users, but they should be of the same type. If you select different types of users, you will be able to modify only the advanced settings that those users have in common.
3 Select access settings and set quotas. Initially, users of all types can log in to only one computer at a time. No other settings are selected.
4 If the user is a workgroup administrator, select the privileges you want the user to have under “Allow this Workgroup Administrator to.” Initially, no privileges are selected.
5 Click Save.

Limiting a User’s Disk Storage Space

A disk space quota limits the amount of storage space available in a user’s home directory. Once a user exceeds the storage limit, he or she cannot save any more files there. Users see a warning message if they run out of storage space.

To set a user storage quota:
1 In Macintosh Manager, click Users, and then click Advanced.
2 Select a user in the Imported Users list.
3 Select “Set user storage quota to __ K” and type in the maximum amount of storage space to allow in kilobytes (1024 kilobytes = 1 megabyte). When you set a storage quota, keep in mind the amount of space available and the number of users who will share it.
4 To allow a user to save files even if he or she exceeds the set quota, select “Only warn user if they exceed this limit.”
5 Click Save.

Updating User Information From Mac OS X Server

If you change user information in Workgroup Manager or delete user accounts, you need to synchronize Macintosh Manager with the Mac OS X Server database to make sure user data is the same in both places.

To update Macintosh Manager user data:
1 In Macintosh Manager, click Users.
2 Choose Verify Users & Workgroups from the File menu. If the user account exists in the server database, Macintosh Manager updates the user’s information to match information in the server database. For very large numbers of users, this process can take some time.

Note: If the user account can’t be found, the user is deleted from Macintosh Manager.

Setting Up Workgroups

In the Members pane of the Workgroups pane, you can create new workgroups, change an existing workgroup’s name or type, and add or remove workgroup members. This section describes the different workgroup environments and tells you how to apply workgroup settings manually, by duplicating a workgroup, and by using a template.

Types of Workgroup Environments

Workgroups can have one of three types of desktop environments. All three types have some optional settings in common. Important differences are described below.
• Finder workgroups have the standard Mac OS desktop. The System Folder and Applications folder are not automatically protected, but you can choose to protect them. Members of Finder workgroups have no restrictions on the File menu, Apple menu, or Special menu. They also have no restrictions on removable media or CDs.
• Restricted Finder workgroups have the standard Mac OS desktop, but with restrictions. The System Folder and the Applications folder are protected. This means users can view the contents, but cannot modify them or add new items. Users can access File menu and Special menu items, but you can choose available items for the Apple menu. You can also control the user’s ability to take screen shots, and you can choose privileges for CDs, removable media, and shared folders.
• Panels workgroups have a simplified interface with large icons that make using a computer easy for novice users, particularly children. Panels workgroup options are the same as Restricted Finder options, with a few additions. You can control access to the File menu and the Special menu in addition to the Apple menu, and you can select whether or not to show a mounted volume as a panel. Members of a Panels workgroup cannot view items on the local hard disk.

Creating a Workgroup

Workgroup members can be of any user type, and workgroups can have up to 1500 members. Workgroup administrators, if allowed, can create Restricted Finder and Panels workgroups, but they cannot create Finder workgroups.

Important: If a user is not a workgroup member, he or she cannot log in to the Macintosh Manager network. Group accounts are not imported from Workgroup Manager; you must create them. Every managed user must belong to at least one workgroup. Users can belong to more than one workgroup, but users can select only one workgroup when they log in.

To create a workgroup:
1 In Macintosh Manager, click Workgroups.
2 Click New and type a name for the workgroup.
3 Choose an environment type from the Environment pop-up menu.
4 Select one or more users in the Available Users list and click Add. To remove workgroup members, select the users you want to remove in the Workgroup Members list, then click Remove.
5 Choose settings for this workgroup in the other panes, then click Save.

You can duplicate workgroups or use a template to apply settings to new workgroups.
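The text-file import described under “Importing a List of Users From a Text File”, the Verify Users & Workgroups synchronization under “Updating User Information From Mac OS X Server”, and the workgroup membership rules above, modelled together as an added Python example; this is not Apple’s code and Macintosh Manager’s real database format is not reproduced. The directory records, the import file and the workgroup name “Lab 4” are constructed sample data, and the field names follow the Import list (user ID, user name, short name).

```python
# Model of the Import User List and Verify Users & Workgroups behaviour described
# in this chapter. Added example, not Apple's code; all records below are constructed.
from dataclasses import dataclass, field

# Constructed directory-services records keyed by user ID, the only value that
# Macintosh Manager shares with Workgroup Manager.
DIRECTORY = {
    1001: {"name": "Ada Lovelace", "short": "ada", "home": "/Users/ada"},
    1002: {"name": "Grace Hopper", "short": "grace", "home": "/Users/grace"},
    1003: {"name": "Ken Thompson", "short": "ken", "home": "/Users/ken"},
}
# Constructed import file (comma-delimited, ".txt"); user 9999 is not in the directory.
IMPORT_FILE_NAME = "lab-users.txt"
IMPORT_FILE = "1001,ada\n1002,grace\n9999,nobody\n1003,ken\n"
KEY_FIELDS = ("user ID", "short name", "user name")  # ways a row may identify a user


@dataclass
class MMUser:
    # Macintosh Manager's own record; only name, short name and ID come from the directory.
    user_id: int
    name: str
    short: str
    can_log_in: bool = True
    quota_k: int = 0  # storage quota in kilobytes, 0 = none


@dataclass
class MMDatabase:
    users: dict = field(default_factory=dict)       # user ID -> MMUser
    workgroups: dict = field(default_factory=dict)  # workgroup name -> set of user IDs


def find_in_directory(directory, row):
    # Identify an import row by user ID, else short name, else user name.
    for key, attr in zip(KEY_FIELDS, ("id", "short", "name")):
        if key in row:
            for uid, rec in directory.items():
                if str(uid if attr == "id" else rec[attr]) == row[key]:
                    return uid, rec
            return None
    return None


def parse_import_file(file_name, text, fields, delimiter):
    """Split a plain-text user list the way Import User List does. `fields` is the
    column order chosen in the Import list, e.g. ["user ID", "short name"]."""
    if not file_name.endswith(".txt"):
        raise ValueError("import file must be plain text with a .txt name")
    if delimiter not in ("\t", ","):
        raise ValueError("field delimiter must be tab or comma")
    if not set(KEY_FIELDS) & set(fields):
        raise ValueError("file must carry user ID, user name or short name")
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(delimiter)]
        if len(parts) != len(fields):
            raise ValueError(f"{line!r}: {len(parts)} fields, expected {len(fields)}")
        rows.append(dict(zip(fields, parts)))
    return rows


def import_users(db, directory, rows, template=None):
    """Create one Macintosh Manager account per row, applying template settings;
    a row whose user is not in directory services is ignored with a warning."""
    warnings = []
    for row in rows:
        hit = find_in_directory(directory, row)
        if hit is None:
            warnings.append(f"user not found in directory services: {row}")
            continue
        uid, rec = hit
        db.users[uid] = MMUser(uid, rec["name"], rec["short"], **(template or {}))
    return warnings


def add_to_workgroup(db, name, uid):
    # Only imported users can be members, and a workgroup holds at most 1500 of them.
    if uid not in db.users:
        raise KeyError(f"user {uid} has not been imported into Macintosh Manager")
    members = db.workgroups.setdefault(name, set())
    if uid not in members and len(members) >= 1500:
        raise ValueError(f"workgroup {name!r} already has 1500 members")
    members.add(uid)


def verify_users_and_workgroups(db, directory):
    """Verify Users & Workgroups: refresh name and short name from the directory,
    delete accounts whose user ID no longer exists there, and drop the dangling
    workgroup references so the users and groups databases stay consistent."""
    deleted = [uid for uid in db.users if uid not in directory]
    for uid in deleted:
        del db.users[uid]
    for uid, user in db.users.items():
        user.name, user.short = directory[uid]["name"], directory[uid]["short"]
    for members in db.workgroups.values():
        members.difference_update(deleted)
    return deleted


if __name__ == "__main__":
    db = MMDatabase()
    rows = parse_import_file(IMPORT_FILE_NAME, IMPORT_FILE, ["user ID", "short name"], ",")
    print(import_users(db, DIRECTORY, rows, template={"quota_k": 51200}))
    for uid in (1001, 1002):
        add_to_workgroup(db, "Lab 4", uid)
    remaining = {k: v for k, v in DIRECTORY.items() if k != 1002}  # Grace deleted in WGM
    print(verify_users_and_workgroups(db, remaining), db.workgroups)
```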
Using a Template to Apply Workgroup Settings You can use a template to quickly create several workgroups that have the same settings. Once you modify the template, each new workgroup you create will have the template settings. You can make additional changes to the workgroup after it is created. Note: Once you set up a template, you cannot reset it to its original state. You can, however, change template settings any time you want. To set up or change a template: 1 In Macintosh Manager, click Workgroups. 2 Select Template in the Workgroups list. If you don’t see the template, open Macintosh Manager Preferences and make sure “Show templates” is selected. To open Macintosh Manager Preferences in Mac OS X, choose Preferences from the Macintosh Manager menu. In Mac OS 9, choose Preferences from the Edit menu. 3 In each of the Workgroup panes, set the options you want to use in the template, then click Save. Creating Workgroups From an Existing Workgroup Duplicating an existing workgroup is a quick way to create another Macintosh Manager workgroup that already has settings or members you want. To duplicate a workgroup: 1 In Macintosh Manager, click Workgroups. Then select a workgroup in the Workgroups list. 2 Click Duplicate and type a new name for the workgroup. 3 Add or remove members and change settings if you wish, then click Save.438 Chapter 10 Modifying an Existing Workgroup After a workgroup is created, you can change its name or environment type and add or remove members. A workgroup administrator can change settings for a workgroup only if he or she is also a member of that workgroup. To change Members settings: 1 In Macintosh Manager, click Workgroups, and then click Members. 2 Change the workgroup name in the text field. 3 Select a new environment in the pop-up menu. Workgroup administrators cannot select Finder as a workgroup environment. 4 To add new members, select one or more users in the Available Users list and click Add. 
To remove members, select members in the Workgroup Members list, and click Remove.
5 Click Save.

Using Items Settings
Items settings let you make files and applications on client computers available to workgroup members.

Setting Up Shortcuts to Items for Finder Workgroups
You can use settings in the Items pane to create a list of applications, folders, and files that workgroups can access. If you choose to allow access to local items, the items appear in the Shortcut Items list. Macintosh Manager creates an alias for each item in the list. Aliases for shortcut items appear on the user’s desktop. When users log in, their computers look for the original file at the “Find chosen items” location and create an alias for the file.

To make items on the local volume available to a workgroup:
1 In Macintosh Manager, click Workgroups, and then click Items.
2 Select “Members can open any items on local volumes” if you want to allow access to items stored on the computer where users are logged in. If you select this option, access is not restricted, but you can use Shortcut Items to provide quick access to a particular set of applications, folders, and/or files.
3 Select a volume in the Volume pop-up menu.

Important: Unless you plan to look for original items only on local volumes, be sure personal file sharing is turned off and other Apple Filing Protocol (AFP) services are not running before you proceed. Alternatively, use a computer that has Macintosh Manager, but not file service, installed.

4 Select items in the Volume list that you want to add to the Shortcut Items list and click Add. To remove items from the Shortcut Items list, select them and click Remove. Use Find to search for additional items, such as files or folders.
5 Select a location from the “Find chosen items” pop-up menu. A user’s computer looks for the original file at this location, and then creates the alias.
6 Click Save.
Making Items Available to Panels or Restricted Finder Workgroups
If you choose to allow access to only specific items, the items appear in the Approved Items list. Macintosh Manager creates an alias for each item in the list. Aliases for approved items appear either on a panel for Panels workgroups or in a folder on the desktop for Restricted Finder workgroups. When users log in, their computers look for the original file at the “Find chosen items” location and create an alias for the file.

To provide access to applications and other items:
1 In Macintosh Manager, click Workgroups, and then click Items.
2 Select an application access setting.
• Select “Members can open any items on local volumes” if you want to allow access to items stored on the computer where users are logged in. If you select this option, access is not restricted, but you can use Shortcut Items to provide quick access to a particular set of applications, folders, and/or files.
• Select “Allow members to open only the following items” if you want to allow access to only certain approved applications, folders, or files.
3 Select a volume in the Volume pop-up menu.
4 Select items in the Volume list that you want to add to the Approved Items or Shortcut Items list, and click Add. You can also drag and drop items directly into the list. To remove items from the list, select them and click Remove. Use Find to search for additional items, such as files or folders.
5 Select a location from the “Find chosen items” pop-up menu. When a user attempts to open a Shortcut Items or Approved Items alias, the computer looks for the original file at the “Find chosen items” location.

Important: Unless you plan to look for original items only on local volumes, be sure personal file sharing is turned off and other AFP services are not running before you proceed.
Alternatively, use a computer that has Macintosh Manager, but not file service, installed.

The computer can search local volumes and mounted server volumes. If the original item is on a server volume that is not mounted, the computer won’t be able to find it. For a NetBoot client computer, a local volume is the hard disk in the computer or any external hard disk connected directly to the computer. The startup volume for a NetBoot client computer is a remote volume, but it is treated as a local volume.
6 Click Save.

Making Items Available to Individual Users
In some cases, you may want to make specific documents or applications available to individual users. For example, a user working on a special video project may require a video-editing application that other workgroup members don’t need.

To make items available to a specific user:
• Place the items in the user’s home directory.

Using Privileges Settings
Settings in the Privileges pane allow you to enable certain security measures, control access privileges for workgroup folders, and set options to allow users to take screen shots, play audio CDs, and open items on removable media. Available privilege settings vary depending upon the type of workgroup selected in the Workgroups list. If you have more than one type of workgroup selected when you make changes, you will be able to change only those settings that the workgroups have in common.

Protecting the System Folder and Applications Folder
For Panels and Restricted Finder workgroups, these folders are always locked. Users can view the contents, but cannot make changes. Finder workgroups do not automatically have these folders protected, but you can set these restrictions.

To protect these folders:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Finder workgroup in the Workgroups list.
3 Click the checkboxes next to System Folder and Applications folder to protect them.
4 Click Save.
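The Items-pane allowlist and the login-time alias lookup described above, modelled as an added example. This is not Apple's code and is not part of the guide; it treats the “Find chosen items” location as a set of volume names to search (an assumption, since the pop-up's choices are not listed here), uses constructed volume names and item paths, and folds in the Privileges-pane “Open approved items on removable media” checkbox described later in this chapter. The point it makes explicit is that an approved item is only reachable if its original can be found at login, so an approved item on a server volume that is not mounted is silently unavailable, and an unrestricted setting (“Members can open any items on local volumes”, or a Finder workgroup) bypasses the list entirely.

```python
"""Model of Macintosh Manager's Items allowlist and alias resolution.
Added example; names, volume kinds and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A NetBoot client's startup volume is remote but is treated as local;
# "removable media" means floppy, Zip and similar, but not CDs or DVDs.
LOCAL_KINDS = {"local", "netboot_startup"}
REMOVABLE_KINDS = {"floppy", "zip"}


@dataclass(frozen=True)
class Item:
    volume: str   # name of the volume the original lives on
    path: str     # path of the original on that volume


@dataclass
class Volume:
    name: str
    kind: str             # "local", "netboot_startup", "server", "floppy", "zip", "cd"
    mounted: bool = True


@dataclass
class ItemsPolicy:
    environment: str                   # "Finder", "Restricted Finder" or "Panels"
    any_local_items: bool              # "Members can open any items on local volumes"
    listed: List[Item] = field(default_factory=list)  # Shortcut or Approved Items
    find_in: Set[str] = field(default_factory=set)    # "Find chosen items" location (assumed: volume names)
    approved_on_removable: bool = False               # Privileges: "Open approved items on removable media"


def resolve_aliases(policy: ItemsPolicy, volumes: Dict[str, Volume]) -> Tuple[List[Item], List[Item]]:
    """What the client does at login: look for each listed item's original at the
    "Find chosen items" location and create an alias for it. Only local volumes
    and *mounted* server volumes can be searched, so an item on an unmounted
    server volume, or on media that is not a local/server volume, is not found."""
    found, missing = [], []
    for item in policy.listed:
        vol = volumes.get(item.volume)
        searchable = (
            vol is not None
            and item.volume in policy.find_in
            and (vol.kind in LOCAL_KINDS or (vol.kind == "server" and vol.mounted))
        )
        (found if searchable else missing).append(item)
    return found, missing


def can_open(policy: ItemsPolicy, item: Item, volumes: Dict[str, Volume]) -> bool:
    """Whether a member may open `item` under the Items and Privileges settings."""
    # Finder workgroups are unrestricted, and so is any workgroup with
    # "Members can open any items on local volumes" selected.
    if policy.environment == "Finder" or policy.any_local_items:
        return True
    # "Allow members to open only the following items": not listed, not allowed.
    if item not in policy.listed:
        return False
    vol = volumes.get(item.volume)
    if vol is None:
        return False
    # Approved items on floppy/Zip media additionally need the Privileges-pane
    # checkbox. CDs are not "removable media" for this rule.
    if vol.kind in REMOVABLE_KINDS:
        return policy.approved_on_removable
    # Anything else must have resolved to an alias at login.
    found, _ = resolve_aliases(policy, volumes)
    return item in found


def sample_setup() -> Tuple[ItemsPolicy, Dict[str, Volume]]:
    """Constructed sample: a Panels workgroup whose approved list spans a local
    disk, a server volume that is not mounted, and a Zip disk."""
    volumes = {
        "Macintosh HD": Volume("Macintosh HD", "local"),
        "Projects": Volume("Projects", "server", mounted=False),
        "Zip 100": Volume("Zip 100", "zip"),
    }
    approved = [
        Item("Macintosh HD", "Applications/AppleWorks"),
        Item("Projects", "Tools/Editor"),
        Item("Zip 100", "Game"),
    ]
    return ItemsPolicy("Panels", False, approved, set(volumes)), volumes


if __name__ == "__main__":
    policy, volumes = sample_setup()
    found, missing = resolve_aliases(policy, volumes)
    print("aliases created at login:", [i.path for i in found])
    print("originals not found:", [i.path for i in missing])
    for item in policy.listed + [Item("Macintosh HD", "Applications/SimpleText")]:
        print(item.path, "->", can_open(policy, item, volumes))
```

Mounting the “Projects” volume (see Using Volumes Settings) or ticking the removable-media checkbox flips the corresponding results, which is the behaviour the two “Important” notes and the NetBoot remark are warning about.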
Protecting the User’s Desktop
You can prevent users from storing files or folders on the desktop and changing the desktop pattern, icon arrangement, or other desktop settings.

To protect the desktop:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a workgroup in the Workgroups list.
3 Click the checkbox to select “Lock the user’s desktop on the startup volume.”
4 Click Save.

Preventing Applications From Altering Files
Enforcing file-level security prevents applications from writing to protected folders and files, but it may cause some older applications to report disk errors or have problems opening. If you don’t enforce file-level security, applications can write information (for example, temporary data or preferences) wherever necessary. File-level security is available only for Mac OS 9 clients and applies only to applications. It does not affect user access to folders and files.

To enable file-level security:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a workgroup in the Workgroups list.
3 Select “Enable file level security for Mac OS 9 workstations,” then click Save.

Preventing Access to FireWire Disks
You can enable file-level security to prevent users in a Panels workgroup from accessing FireWire hard disks that are mounted at startup. This applies only to Mac OS 9 clients and does not affect Finder or Restricted Finder workgroups.

Allowing Users to Play Audio CDs
Users in a Finder workgroup can always play audio CDs. Panels or Restricted Finder workgroups don’t automatically have that privilege, but you can give it to them.

To allow users to play audio CDs:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Panels or Restricted Finder workgroup in the Workgroups list.
3 Select “Play audio CDs,” then click Save.
Some CDs contain more than just audio tracks.
If the first track on a CD is an audio track, then it is an audio CD.

Allowing Users to Take Screen Shots
Special key combinations let users take a picture of the computer screen (called a “screen shot”) and save the picture as a file stored in the user’s Documents folder. Users in Finder workgroups are always allowed to take screen shots. Panels or Restricted Finder workgroups don’t automatically have this privilege, but you can give it to them.

To allow users to take screen shots:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Panels or Restricted Finder workgroup in the Workgroups list.
3 Select “Take Screen Shots,” then click Save.
If disk space is a concern, you may not want to enable this feature.

Allowing Users to Open Applications From a Disk
If you use a list of “approved items” (applications or scripts) that users can access, users in a Panels or Restricted Finder workgroup cannot open applications on removable media (for example, floppy disks) unless you allow it. Finder workgroups do not have this restriction.

To allow users to open applications on removable media:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Panels or Restricted Finder workgroup in the Workgroups list.
3 Select “Open approved items on removable media,” then click Save.
Removable media include floppy disks, Zip disks, and all other types of removable media except CDs or DVDs. You can set up a list of approved items in the Items pane of the Workgroups pane.

Setting Access Privileges for Removable Media
For Panels and Restricted Finder workgroups, you can set access privileges for removable media. Removable media include floppy disks, Zip disks, and all other types of removable media except CDs.

To set privileges for removable media, other than CDs:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Panels or Restricted Finder workgroup in the Workgroups list.
3 Select an access privilege setting from the pop-up menu next to “Removable media (except CDs),” then click Save.

Setting Access Privileges for Menu Items
For certain Finder menus, you can decide which menu items users can see. For Panels workgroups, you can control items in the Apple menu, File menu, and Special menu. For Restricted Finder workgroups, you can only control items in the Apple menu and the Special menu. Finder workgroups do not have these restrictions.

To set privileges for menu items:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a Panels or Restricted Finder workgroup in the Workgroups list.
3 Select each menu item you want workgroup members to be able to use, then click Save.

Sharing Information in Macintosh Manager
Macintosh Manager provides a number of ways to share information among users or workgroups by using different types of shared folders. Most shared folders are created inside the group documents volume. Some folders are created automatically, but others must be created by the administrator.

Types of Shared Folders
• Workgroup shared folder: Only members of a single workgroup can use this folder. A workgroup shared folder is automatically created when you set up a group documents volume.
• Global shared folder: Members of all workgroups whose workgroup folder is on the same volume can access this folder, allowing documents to be shared between workgroups. A global shared folder is automatically created when you select a group documents volume.
• Workgroup hand-in folder: Hand-in folders must be set up manually and are available only to Panels and Restricted Finder workgroups. The hand-in folder is stored on the group documents volume. At least one workgroup administrator or Macintosh Manager administrator must be a member of the workgroup to use this feature because only an administrator can see items in the hand-in folder.
Workgroup members put items into the folder by choosing Hand In from the File menu (in the Panels environment) or by dragging the item to the hand-in folder (in the Restricted Finder environment).
• Folder on the startup disk named __: A Macintosh Manager administrator can create a folder at the top level of the startup disk and then allow users to open items stored in that folder. This type of folder is useful for storing items that workgroup members need to access easily or frequently, such as clip art.

Folder Access Privileges
Macintosh Manager allows four levels of access privileges for workgroup folders (the table below describes each level):

Selecting Privileges for Workgroup Folders
After you create a group documents volume, you can set user access privileges (Read Only, Write Only, Read & Write, or No Privileges) for various workgroup folders.

To set access privileges for workgroup folders:
1 Make sure the group documents volume is already set up before you proceed.
2 In Macintosh Manager, click Workgroups, and then click Privileges.
3 Select a Panels or Restricted Finder workgroup.
4 Select an access privilege setting from the pop-up menu next to each type of folder that is available for the workgroup.
5 Click Save.

Setting Up a Shared Workgroup Folder
A shared workgroup folder is a convenient location where workgroup members can store and share any kind of information, depending on how file and folder access privileges are configured. For example, if you set up read-write permission for a shared group documents volume, several users can share HTML files or images for a collaborative project.

To set up a group documents folder:
1 Open Macintosh Manager. Before you proceed, make sure the group documents settings in the Options pane are correct. If they are not, choose the correct group documents location and login settings, and then click Save.
Access setting    What it means
Read Only         Users can view and open items in the folder, but they cannot modify them, and they cannot “write to” the folder. For example, they cannot save a file in the folder.
Write Only        Users cannot view or open items in the folder, but they can write information to the folder. For example, they can copy a document to the folder.
Read & Write      Users have unrestricted access to the folder. They can view, open, modify, or write information to the folder.
No Privileges     Users cannot do anything at all with the folder.

2 Click Workgroups, then click Privileges.
3 Select one or more workgroups in the Workgroups list.
4 In the Privileges section, set “Workgroup shared folder” to Read & Write, then click Save.
If you want to prevent users from changing the documents in the workgroup shared folder, you can lock each document.

Setting Up a Hand-In Folder
A hand-in folder works like a drop box. Users can save items in the folder, but they can’t see any items in the folder. Hand-in folders are very useful for collecting and protecting sensitive documents. For example, in a classroom, students can turn in homework by copying their files into the folder. Employees in a workplace can place status reports or personal reviews in a hand-in folder that only their managers can access. Hand-in folders are available only for Panels or Restricted Finder workgroups.

To create a hand-in folder:
1 Open Macintosh Manager, click Workgroups, and then click Options. Before you proceed, make sure the group documents settings in the Options pane are correct. If they are not, choose the correct group documents location and login settings, then click Save.
2 Click Workgroups, then click Privileges.
3 Select one or more Panels or Restricted Finder workgroups in the Workgroups list.
4 In the Privileges section, set “Workgroup hand-in folder” to Write Only, then click Save.
The hand-in folder appears as an item in the File menu for Panels workgroups. For Restricted Finder workgroups and workgroup administrators, it appears as a folder on the desktop.

Using Volumes Settings
You can use the Volumes settings for Workgroups to select which volumes are mounted when users log in and control login options for each volume. A volume is a shared folder on a file server.

Connecting to AFP Servers
Mac OS X Server supports TCP/IP network connections to Apple Filing Protocol (AFP) servers such as the Macintosh Manager server. You cannot use AppleTalk connections to AFP servers.

Providing Access to Server Volumes
If workgroup members need to use files and applications that are not stored on the Macintosh Manager server, you can mount volumes automatically when users log in. Even if you don’t set up a server volume to mount automatically, users can still connect to it if they have access to the network and have an account on (or guest access to) that server.

To connect to volumes automatically:
1 In Macintosh Manager, click Workgroups, and then click Volumes.
2 Select one or more workgroups.
3 Select a volume in the Volumes list, then click Add. If you don’t see the volume you want, click Find and locate the volume. When the volume is mounted, it requests a login name and password.
4 Select a volume in the Mount at Log-in list and choose login settings (explained in the steps that follow).
5 If the volume doesn’t use the same user names and passwords used by Macintosh Manager, select “Prompt user for log-in.” Users must enter a valid user name and password.
6 If you want to grant easy access to a volume for all users, select “Log in automatically as this AFP user” and type in a valid user name and password. This isn’t as secure as requiring users to log in with their own information: every member connects as the same AFP account, so you can’t control access individually or track who has logged in to the server.
You can select “Always try automatic log-in with user’s name and password first” in addition to the other login settings. If this attempt at login fails, the login method you selected under “When mounting” is used.
7 Select “Use AFP privileges” to use Apple Filing Protocol read and write permission settings to determine access privileges for a particular volume. Ordinarily, Macintosh Manager allows read-only access to volumes. This setting does not apply to Finder workgroups.
8 If you select “Require an administrator password to unmount,” users can’t disconnect the volume unless they have the correct password. This setting does not apply to Finder workgroups.
9 For Panels workgroups only, select “Show volume on a panel” if you want the user to see the volume icon. If you don’t select this option, the volume can only be seen in the Applications panel.
10 Click Save.

Using Printers Settings
Printers settings let you control access to workgroup printers and limit the number of pages printed. Some settings are available only if you select “Allow members to use only the following Desktop Printers.”

Making Printers Available to Workgroups
Before you can make a printer available to a workgroup, the printer must appear in the Available Printers list. You can add printers using Create New in the Printers pane of Workgroups, or you can add them in the Print Center application (in Mac OS X) on the Macintosh Manager server.

Note: The Mac OS X version of the Macintosh Manager administrator application only creates LaserWriter desktop printers. If you need to provide access to non-LaserWriter printers, you must use the Mac OS 9 version of the Macintosh Manager administrator application to manage clients. To add printers in Mac OS 9, use the Chooser in the Apple menu.

To allow access to printers:
1 In Macintosh Manager, click Workgroups, and then click Printers.
2 Make sure “Allow members to use only the following Desktop Printers” is selected.
3 Select one or more printers in the Available Printers list and click Add.
4 When you have finished adding printers, click Save.
You cannot grant access to both the system access printer and desktop printers. If you want a workgroup to use the system access printer, log in to the System Access workgroup as an administrator and use the Chooser to select a printer. Then follow the steps above.

Setting a Default Printer
When a user prints a document, applications prefer to send the document to the default printer. If multiple printers are available, the user has the opportunity to select a different printer. After printers have been added to the Available Printers list, you can determine how applications will know which printer to use first.

To select a default printer:
1 In Macintosh Manager, click Workgroups, and then click Printers.
2 Make sure “Allow members to use only the following Desktop Printers” is selected.
3 Select a printer in the Selected Printers list and click Set Default Printer.
If multiple printers are available and you select “Remember last used printer,” applications prefer to send print jobs to the last printer used, even if it isn’t the default printer. The user still has the opportunity to select a different printer.

Restricting Access to Printers
You can restrict access to a printer by removing it from the Selected Printers list or by requiring a password to use it.

To restrict access to a printer:
1 In Macintosh Manager, click Workgroups, and then click Printers.
2 Make sure “Allow members to use only the following Desktop Printers” is selected.
3 Select a printer in the Selected Printers list. If you want to remove the printer from the list, click Remove.
4 Select “Require an administrator password to print to this printer” to protect only the selected printer.
To password-protect all printers in the list, select “Require an administrator password to print to any printer.”

Setting Print Quotas
A print quota limits the number of pages a user is allowed to print over a period of time. The number of pages allowed refers to the document’s page count, not to the number of pieces of paper. For example, if you print a 16-page document using a layout that shows four document pages on each printed page, you’ll use four sheets of paper; however, 16 pages are subtracted from your print quota. Pages are counted against the maximum allowance even if the printing job is not completed (for example, if there is a paper jam). Using a print quota helps encourage users to use printing resources wisely and helps decrease waste. You can set an individual quota for each printer in the Selected Printers list.

To set a print quota for a printer:
1 In Macintosh Manager, click Workgroups, and then click Printers.
2 Make sure “Allow members to use only the following Desktop Printers” is selected.
3 Select a printer in the Selected Printers list.
4 Select “Limit users to no more than __ pages every __ days” and enter the maximum number of pages to allow in a number of days.
5 Click Save.

Allowing Users to Exceed Print Quotas
When you set a print quota, the limitation applies to every user in the selected workgroup. However, you can allow certain users to ignore all print quotas.

To allow a user to exceed all print quotas:
1 In Macintosh Manager, click Users, and then click Advanced.
2 Select a user from the Imported Users list, then select “Allow user to exceed print quotas.”
3 Click Save.

Setting Up a System Access Printer
If the printer you want to use doesn’t support desktop printing software, you can make the printer available as a system access printer. The system access printer becomes the default printer for the selected workgroup. Users who can see the Chooser can select any printer visible to them.
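The print-quota accounting described under Setting Print Quotas and Allowing Users to Exceed Print Quotas, as an added example rather than anything from Apple or this guide. It encodes the three rules the text states (document pages count, not sheets; an uncompleted job still counts; an exempt user bypasses every quota) and adds two assumptions the page does not state, both labelled in the code: the “every N days” period is treated as a rolling window ending at the new job, and a job is refused if it would push the user past the limit. Printer names, user names and the reference time T0 are constructed sample data.

```python
"""Model of Macintosh Manager print quotas. Added example, not Apple's code."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

T0 = datetime(2002, 9, 2, 9, 0)   # constructed reference time for the sample


def at(days: float) -> datetime:
    """Sample-time helper: `days` after T0."""
    return T0 + timedelta(days=days)


@dataclass
class PrinterQuota:
    max_pages: int      # "Limit users to no more than __ pages"
    period_days: int    # "... every __ days"


@dataclass
class PrintJob:
    user: str
    printer: str
    submitted: datetime
    document_pages: int         # the document's page count, not sheets of paper
    pages_per_sheet: int = 1    # n-up layout: changes the paper used, not the quota
    completed: bool = True      # a jammed job still counts

    def sheets(self) -> int:
        """Sheets of paper actually consumed (for comparison only)."""
        return math.ceil(self.document_pages / self.pages_per_sheet)


class PrintQuotaLedger:
    """Per-user, per-printer page accounting.

    Assumption (the guide does not say): the period is a rolling window ending
    at the moment of the new job, and a job is refused if it would push the
    user's total in that window past max_pages."""

    def __init__(self, quotas: Dict[str, PrinterQuota], exempt_users: Iterable[str] = ()):
        self.quotas = quotas                 # one quota per printer
        self.exempt = set(exempt_users)      # "Allow user to exceed print quotas"
        self.jobs: List[PrintJob] = []

    def record(self, job: PrintJob) -> None:
        # Pages count against the allowance even if the job never finished.
        self.jobs.append(job)

    def pages_used(self, user: str, printer: str, now: datetime) -> int:
        quota = self.quotas.get(printer)
        if quota is None:
            return 0
        cutoff = now - timedelta(days=quota.period_days)
        return sum(
            j.document_pages
            for j in self.jobs
            if j.user == user and j.printer == printer and cutoff < j.submitted <= now
        )

    def allow(self, user: str, printer: str, document_pages: int, now: datetime) -> bool:
        quota = self.quotas.get(printer)
        if quota is None or user in self.exempt:
            return True
        return self.pages_used(user, printer, now) + document_pages <= quota.max_pages


def sample_ledger() -> PrintQuotaLedger:
    """Constructed sample: 40 pages every 7 days on one printer; 'teacher' is exempt."""
    ledger = PrintQuotaLedger({"Lab LaserWriter": PrinterQuota(40, 7)}, exempt_users=["teacher"])
    # The guide's own case: a 16-page document printed 4-up uses 4 sheets but
    # costs 16 quota pages, and it still counts although the printer jammed.
    ledger.record(PrintJob("alice", "Lab LaserWriter", at(0), 16, pages_per_sheet=4, completed=False))
    ledger.record(PrintJob("alice", "Lab LaserWriter", at(1), 20))
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    jam = ledger.jobs[0]
    print("jammed job: sheets", jam.sheets(), "quota pages", jam.document_pages)
    print("alice used on day 2:", ledger.pages_used("alice", "Lab LaserWriter", at(2)))
    print("alice may print 5 more on day 2:", ledger.allow("alice", "Lab LaserWriter", 5, at(2)))
    print("teacher may print 500:", ledger.allow("teacher", "Lab LaserWriter", 500, at(2)))
    print("alice used on day 7.5:", ledger.pages_used("alice", "Lab LaserWriter", at(7.5)))
```

Because the per-user exemption is set in the Users pane and the quota in the Printers pane, the ledger keys exemptions on the user alone and quotas on the printer alone, matching where each control lives in the guide.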
When the user logs out of a client computer, the printer originally chosen by the administrator as the system access printer becomes the default printer again.

Note: You cannot use both regular desktop printers and a system access printer.

To set up a system access printer:
1 Create one or more computer lists containing client computers on which you plan to use system access printers.
2 For each workgroup you want to use a system access printer, make sure that workgroup has access to the computers in the list or lists you created.
3 Log in to a client computer using the System Access workgroup. You see the System Access workgroup only if you are a Macintosh Manager administrator or if “User has System Access” is enabled for your account.
4 Select Chooser from the Apple menu.
5 Select and set up a printer, then choose Quit from the File menu and log out.
6 Repeat steps 3 through 5 for each client computer where users need access to a system access printer.
7 From the server or an administrator computer, open Macintosh Manager.
8 Click Workgroups, then click Printers.
9 Select a workgroup that has access to the computers you set up in the previous steps.
10 Select “Members use printer selected in System Access.”
11 Click Save.
If you specify that a workgroup should use the system access printer, but do not select a printer from a client computer, users who log in to that computer will not be able to print unless they have access to the Chooser.

Using Options Settings
Options settings are used to set up a group documents folder, create a login message for workgroups, set startup and login events, and allow users in Panels or Restricted Finder workgroups to eject CDs.

Choosing a Location for Storing Group Documents
You can use a group documents location to store folders and files you would like to make available to everyone in a workgroup.
Once you have chosen a location and login settings for the group documents volume, you can set up shared folder access in the Privileges pane.

To set up a group documents volume:
1 In Macintosh Manager, click Workgroups, and then click Options.
2 Select a location for storing group documents in the “Stored on volume” pop-up menu.
3 If the volume doesn’t use the same user names and passwords used by Macintosh Manager, select “Prompt user for log-in.” Users must enter a valid user name and password.
4 If you want to grant easy access to the group documents volume for all users, select “Log in automatically as this AFP user” and type in a valid user name and password. This isn’t as secure as requiring users to log in with their own information: every member connects as the same AFP account, so you can’t control access individually or track who has logged in to the server.
5 If the group documents location is “Designated Macintosh Management Server,” you can choose “Log-in Automatically using the default name and password.” The default name and password are internal to Macintosh Manager. You cannot track user login if you choose this setting.
You can select “Always try automatic log-in with user’s name and password first” in addition to the other settings. If this attempt at login fails, the login method you selected under “When mounting” is used.
6 Click Save.
If the location you want doesn’t appear in the menu, choose Other from the “Stored on volume” pop-up menu. You can only select volumes that are mounted on the server. If you still can’t find the volume you want, click Find and mount the appropriate volume.

Making Items Open at Startup
Give users a head start on their work by conveniently opening applications or folders for them when the computer starts up.

To open items at startup:
1 On each client computer, place the items you want to open at startup in the Startup Items folder in the Mac OS 9 or Mac OS 8 System Folder.
2 In Macintosh Manager, click Workgroups, and then click Options.
3 Select one or more workgroups in the Workgroups list.
4 Select “Open items in the Startup Items folder” and click Save.
For computers that start up using NetBoot, you must follow special procedures to copy items to the Startup Items folder on the startup disk image. See Chapter 12, “NetBoot,” for details.

Checking for Email When Users Log In
If a user has a Post Office Protocol (POP) email account, you can have Macintosh Manager check the mail server for messages when the user logs in.

To check for email automatically:
1 Open Macintosh Manager. Before you proceed, click Computers, and then click Control. Check the incoming email server information and make sure it is correct. The incoming email server must be a POP server in order to check email at login.
2 Click Workgroups, then click Options.
3 Select “Check for email when members log in,” then click Save.

Creating Login Messages for Workgroups
You can display a message or announcement when a user logs in.

To create a workgroup login message:
1 In Macintosh Manager, click Workgroups, and then click Options.
2 Type a message in the Group Message box, then click Save.

Setting Up Computer Lists
You can use Macintosh Manager to manage computers by grouping several computers together and choosing settings for them. Once you create a list of computers you want to manage, you can select workgroups that are allowed to use them, and you can customize control settings, security settings, and login settings for each list. Checkout features are used to manage mobile computers such as iBooks. This section tells you how to set up computer lists individually, by duplication, or by using a template.

Creating Computer Lists
Computer lists are simply groups of computers, in the same way that workgroups are groups of users. These lists appear under “Machine Lists” on the left side of the Computers pane.
You can limit access to computers by assigning specific workgroups to the computers you want them to use. Computer lists are also useful if you want certain computers to have different settings. A computer cannot belong to more than one list.

To set up a computer list:
1 In Macintosh Manager, click Computers, and then click Lists.
2 Click Add and give the new list a name. The name can contain up to 31 characters (including period, underscore, dash, or space). The name cannot contain a colon (:).
3 Click Find and choose or connect to a computer from the workstation selection window. Repeat this step for each computer you want to appear in the list. To remove a computer from the list, select it and click Remove.
4 Make sure the login option is set to Enabled. Choose additional settings for the computer list in the other Computers panes, then click Save.

Setting Up the All Other Computers Account
Any settings selected for All Other Computers are applied to computers that connect to your managed network but do not appear in their own computer lists. These computers are also called guest computers.

To set up the All Other Computers account:
1 In Macintosh Manager, click Computers.
2 Select the All Other Computers account.
3 Choose the settings you want to use in each pane of the Computers pane, then click Save.

Duplicating a Computer List
You can easily create a computer list with the same settings as one you have already created. A duplicate list doesn’t contain any computers because a computer cannot be in more than one list, but the settings are the same as the original.

To duplicate a computer list:
1 In Macintosh Manager, click Computers, and then click Lists.
2 Select an existing computer list and click Duplicate.
3 Type a new name for the list, then click Add to add computers to the list.
4 Click Save.
Creating a Computer List Template
You can use a template to apply the same initial settings to new computer lists. After you set up the template, each new computer list you add will have the template settings. You can change the computer list settings or the template settings at any time. You cannot add computers to a template because computers cannot belong to more than one list.

Note: Once you set up a template, you cannot reset it to its original state. You can, however, change template settings any time you want.

To create a template for computer lists:
1 In Macintosh Manager, click Computers, and then select Template in the list of computer lists. If you don’t see the template, open Macintosh Manager Preferences and make sure “Show templates” is selected. To open Macintosh Manager Preferences in Mac OS X, choose Preferences from the Macintosh Manager menu. In Mac OS 9, choose Preferences from the Edit menu.
2 In each Computers pane, set options you want to use for the template, then click Save.

Disabling Login for Computers
Occasionally, you may need to prevent user access on certain computers while you do maintenance tasks, such as installing and updating applications or running hard disk maintenance software. You can prevent access to computers by disabling login.

To prevent users from logging in on certain computers:
1 In Macintosh Manager, click Computers, and then click Lists.
2 Select a computer list, then set one of the login options explained in the steps that follow.
3 Select “Disabled--Ask User” to allow the user to choose to shut down the computer, go to the Finder (if the user has an administrator password), or pick a new Macintosh Manager server.
4 Select “Disabled--Go to Finder” to take the user to the Finder automatically.
5 Select “Disabled--Pick a different server” to allow the user to select another Macintosh Manager server from a list of local network servers.
6 Click Save.
To allow users to log in again, select Enabled in the login pop-up menu and click Save.

Using Workgroup Settings for Computers
You use settings in the Workgroups pane of the Computers pane to control access to computers.

Controlling Access to Computers
You can make computers available to everyone, or you can limit access to certain computers. If you want to allow specific workgroups to use only certain computers, set up the workgroups first. Then create a list of the computers you want to make available to them, and follow the steps below. The same workgroup can be added to more than one computer list.

To make computers available to workgroups:
1 In Macintosh Manager, click Computers, and then click Workgroups.
2 If you want to make computers available to everyone, select “All workgroups can use these computers.” To limit access to only certain workgroups, select “Allow only the following workgroups to use these computers.”
3 Select workgroups in the Available Workgroups list and click Add to add them to the Allowed Workgroups list. To remove an allowed workgroup, select it and click Remove.
4 Click Save.
If you want to disable access to certain computers, use one of the “disabled” login settings in the Lists pane of the Computers pane.

Using Control Settings
Control settings are used to set email settings in addition to options that affect the clock, hard disk name, and automatic disconnect.

Disconnecting Computers Automatically to Minimize Network Traffic
While a computer is connected to a network, even if no user is logged in, it looks for updates to databases on the server at regular intervals. On very large networks, you may notice delays in client response. You can ease the burden on your network by scheduling an automatic disconnect for computers when they are not in use.

To enable automatic disconnect:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list, then select “Disconnect from the server if no user logs in within __ minutes.”
3 Type in how many minutes the computer should wait before disconnecting.
4 Click Save.
When the computer disconnects from the server, the computer still displays the login screen, but an X appears over the server icon in the menu bar. Automatic updates will not occur again until a user logs in. To reconnect a client, select a user and click Login. Then, click Cancel in the password dialog box.

Setting the Computer Clock Using the Server Clock
If your network doesn’t have access to a Network Time Protocol server, you can synchronize the clocks on managed computers with the clock on the server.

To synchronize computer clocks:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list, then select “Synchronize computer clocks with the server’s clock.”
3 Click Save.

Using a Specific Hard Disk Name
Specifying a certain name for a computer’s hard disk can make it easier for some applications to locate information, such as preferences. Using a specific hard disk name is particularly useful if you use NetBoot. NetBoot clients have a startup volume named “NetBoot HD” by default. If the computers in a list use NetBoot, you should make sure the hard disk name is the same for NetBoot and non-NetBoot computers. This ensures that the paths to all applications used on these clients are the same.

To use a specific hard disk name:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list, then select “Force computer hard disk name to __” and type in the name you want to use (for example, Macintosh HD).
3 Click Save.

Creating Email Addresses for Managed Users
Macintosh Manager can create an email address for a user who doesn’t already have one. When a user logs in, Macintosh Manager adds the user’s short name to the default domain name you specify and creates an email address.
If a user has other imported email settings, they will override Macintosh Manager’s settings when the user connects to the Macintosh Manager network.

To create an email address for a user:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list.
3 Under User Email Addresses, type the default domain name, the incoming (POP) mail server address, and the outgoing (SMTP) server address.
4 Click Save.
To have the computer check for messages when the user logs in, select “Check for email when members log in” in the Options pane of the Workgroups pane.

Using Security Settings for Computers
Computer security settings let you choose security settings for users, computers, and applications.

Keeping Computers Secure If a User Forgets to Log Out
If a user doesn’t log out when he or she finishes using a computer, other people can use the computer without logging in. They will have access to anything the previous user had access to, including that user’s home directory and documents. You can prevent this type of unauthorized access with the idle logout feature. Idle logout occurs when there is no user activity (such as typing or using the mouse) for a specified period of time.
For example, suppose you enable idle logout after 15 minutes. A user logs in, works for a while, and then decides to leave the computer and go have a snack, but doesn’t log out. After 15 minutes, the user returns and must enter a user name and password again to gain access.

To enable idle logout:
1 In Macintosh Manager, click Computers, and then click Control.
2 Select a computer list, then select “Enable idle log-out” and enter the number of minutes the computer should wait.
3 Choose a logout option. If you select “Log user out,” users see a dialog box after idle logout and have the opportunity to save any unsaved documents, and then they return to the login screen. If you select “Lock the screen,” the screen goes black and a dialog box appears.
Users can save any unsaved documents, and then they can either enter a password and continue working or log out.
4 Click Save.
If this feature has been activated and the computer is connected to the network, you can use a Mac OS X Server administrator password to log in.

Allowing Access to All CDs and DVDs
Using computer security settings, you can allow user access to CDs and DVDs with no restrictions.

To allow access to any CD or DVD:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
3 Select “Access all CD-ROMs” and click Save.
4 Select “Show a panel for inserted CD-ROMs” to make it easy for Panels workgroups to find inserted CDs.

Allowing Access to Specific CDs or DVDs
You can restrict user access to CDs and DVDs by using a list of approved discs. You can also allow users to access only certain files on a CD or DVD. First, create the list of approved discs and items, and then allow user access to the discs.

To allow access to only specific CDs or DVDs:
1 In Macintosh Manager, make sure you have already set up a list of approved discs and items in the CD-ROMs pane of the Global pane. See “Using Global CD-ROM Settings” on page 465 for instructions.
2 Click Computers, then click Security and select a computer list.
3 Select “Access approved CD-ROMs only.”
4 Select “Show a panel for inserted CD-ROMs” to make it easy for Panels workgroups to find inserted CDs.

Choosing Computer Security Settings for Applications
Some applications may occasionally use “helper applications” to do jobs they cannot do themselves. For example, if a user clicks a Web link in an email message, the email application might want to open a Web browser. Other applications, such as installers, may need to quit the Finder and restart in order to finish their jobs.
To allow applications to open other applications or quit the Finder:
1 In Macintosh Manager, click Computers, and then click Security and select a computer list.
2 Select “Open other applications, such as helper applications” and/or select “Quit the Finder” to allow these options for applications.
Important: Macintosh Manager does not allow these options by default; you may choose to enable them. Allowing these options can weaken computer security.
3 Click Save.

Allowing Specific Applications to Be Opened by Other Applications
You can allow specific applications to act as helper applications for other applications that might need to use them. The applications you want to designate as helpers must already be added to the list of allowed items for one or more workgroups.

To specify helper applications:
1 Open Macintosh Manager.
2 Choose Application Preferences from the Configure menu.
3 Select an application from the list. The list shows only applications currently assigned to workgroups. If the application you want isn’t in the list, click Add to browse for the application, or click Custom and type in the name and four-character code of the application you want to add.
4 To designate the application as a valid helper, select “Allow this application to be opened by other applications.”

Allowing Users to Work Offline
If the Macintosh Manager server or a user’s home directory is not available, you can still allow offline computer use. The user still logs in, but without a connection to the Macintosh Manager server. If the home directory is not available, users may not be able to save their documents.

To allow users to work offline:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
3 Select “Work offline if the Macintosh Manager Server is not available” to allow this option for users. If you want, you can also select “Require an Administrator password to work offline” for this option.
4 Select “Work offline if the user’s home directory is not available” to allow this option for users.
5 Click Save.

Allowing Users to Switch Servers After Logging In
Ordinarily, after users log in, they cannot switch to another managed server without an administrator password. However, you can allow users this privilege.

To allow users to switch servers:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
3 Select “Switch to another server without authentication” to allow this option for users.
4 Click Save.
If you want NetBoot client computers to choose a different Macintosh Manager server, remove the DNSPlugin extension from the NetBoot image.

Allowing Users to Force-Quit Applications
If you allow users to force-quit applications, they can press Command-Option-Esc to force an application to quit.
Note: Allowing this option may pose a security risk.

To allow users to force-quit:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
3 Select “Force Quit applications” to allow this option for users.
4 Click Save.

Allowing Users to Disable Extensions
If users are allowed to restart computers, you can also allow them to turn off extensions by pressing the Shift key during startup. This will not disable the Macintosh Manager extension or necessary system extensions.
Note: Allowing this option may pose a security risk.

To allow users to start up with extensions off:
1 In Macintosh Manager, click Computers.
2 Click Security and select a computer list.
3 Select “Disable extensions during startup” to allow this option for users.
Important: Allowing this option can decrease server security. Also, if you have servers that use older versions of Macintosh Manager, switching a client computer to one of these servers may cause the server to install the older software on the client computer.
4 Click Save.
Using Computer Login Settings
Computer login settings allow you to choose how users log in, what messages they see, and what panel names look like.

Choosing How Users Log In
When users log in to a computer, they can either type their names or choose their names from a list. If you decide to use a list for login, the list can contain up to 2000 users. You can choose not to display administrators in that list.

To set login options:
1 In Macintosh Manager, click Computers.
2 Click Log-In and select a computer list.
3 Select “Users choose their name from a list (1-2000 users)” to use the list option. If you do not want administrator names to appear in the list, select “List displays users only (no administrators).”
4 If you do not want to use a list, select “Users type their name.”
5 Click Save.

Creating Login Messages for Computers
You can create two types of messages for computers. Each can contain up to 127 characters.
• The banner message appears in the login dialog box.
• The server message appears in a separate panel after users log in. It is preceded by the phrase “From: Global Administrator.”

To set up a login message:
1 In Macintosh Manager, click Computers.
2 Click Log-In and select a computer list.
3 Type your banner message or server message in the appropriate message text box. If you do not want to use a message, leave the text box blank.
4 Click Save.

Customizing Panel Names
You can customize the names of the workgroup and user documents panels shown for Panels workgroups.

To customize a panel name:
1 In Macintosh Manager, click Computers.
2 Click Log-In and select a computer list.
3 If you want the workgroup’s name to appear on a workgroup documents panel, select “Show the workgroups name” or click the button next to the text box and type a different name.
4 If you want the user’s name to appear on a user document panel, select “Show the user’s name” or click the button next to the text box and type a different name.
5 Click Save.

Managing Portable Computers
It is important to plan how you want to manage portable computers that have access to your network. This section gives suggestions for managing portable computers and tells you how to use Macintosh Manager’s checkout feature.

Portable Computers With Network Users
You can let users share specific portable computers, such as those in an iBook Wireless Mobile Lab. An iBook Wireless Mobile Lab contains either 10 or 15 student iBooks (plus an additional iBook for an instructor), an AirPort base station, and a printer, all on a mobile cart. The cart lets you take the computers to your users (for example, from one classroom to another).
To manage the mobile lab, first create a computer list containing all of the iBooks. Make sure users have network accounts and home directories, and then assign sets of users to workgroups that will use the iBooks. You might want to create different workgroups for different purposes, such as one for a history class, one for a biology class, and so on. You can use the Check Out feature to allow these workgroups to use the iBooks.
You can use the All Other Computers account to manage network users who have their own portable computers. See “Providing Quick Access to Unimported Users” on page 429 for more information.

Portable Computers With Local Users
Local user accounts cannot be managed using Macintosh Manager. However, you can use the Multiple Users control panel to set up local user accounts on specific computers in one of two ways:
• The user does not have administrator privileges, but has a local account.
• The user is the administrator for the computer.
If the user is the local administrator, he or she has total access to all folders and applications on the computer, including the System Folder.
Letting Users Check Out Computers
You can allow users to check out and take home a portable computer (to continue working on a project after school, for example). Macintosh Manager settings and security features remain in effect on the computer even while it is checked out.

To check out a computer:
1 In Macintosh Manager, click Computers.
2 Click Check Out and select a computer list.
3 Select “These computers can be Checked Out” and then select one of the checkout options in the steps that follow.
4 Select “All users are allowed to Check Out these computers” to allow this option.
5 Select “Allow only the following users to Check Out these computers” to restrict checkout to a list of specific users. Then, select users in the Available Users list and click Add to make them allowed users. To remove users from the Allowed user list, select one or more users and click Remove.
6 Click Save.

Using Wireless Services
You can provide wireless network service to managed clients using AirPort, for example. Make sure the Macintosh Manager Server is within range of your wireless service. If a user on a portable computer goes out of range, he or she cannot log in to Macintosh Manager, but you can allow the user to work offline. See “Allowing Users to Work Offline” on page 458 for more information.
If you need more information about using AirPort, consult AirPort documentation or visit the Web site: www.apple.com/airport/

Using Global Security Settings
In Macintosh Manager, global security settings apply to your entire Macintosh Manager network (all users, groups, and computers). These settings cover a variety of options that affect reports, guest access, passwords, and how preferences are copied.

Using Macintosh Manager Reports
Macintosh Manager provides a number of different reports to help you keep track of user and network activity.

To view a report:
1 Open Macintosh Manager.
2 Choose the report you want from the Reports menu.
You can view the selected report immediately, and then export it to a file or print it if you wish. You can set additional criteria for the Activity Log report and the Computers report before you see the results.

Setting the Number of Items in a Report
You can set the maximum number of log entries to show for Macintosh Manager reports.
Note: The Connected Users report will show only up to 300 log entries, even if the maximum number of log entries you set is greater than 300.

To set how many log entries are tracked:
1 In Macintosh Manager, click Global, and then click Security.
2 In the text box next to “Maximum number of log entries,” type a number.
To view a report, go to the Reports menu and choose the report you want to see.

Keeping the Administration Program Secure
If an administrator forgets to quit the Macintosh Manager administration application, another person could potentially make changes and save them. To prevent this kind of unauthorized access, you can make the administration application quit after a specified time if there is no user activity.

To allow the administration program to quit automatically:
1 In Macintosh Manager, click Global, and then click Security.
2 Select “Quit the administration program if idle for __ minutes” and enter the number of minutes the application should wait before quitting automatically.
3 Click Save.
Warning: When the administration application quits automatically, unsaved changes are lost.

Verifying Login Information Using Kerberos
If all users must authenticate using Kerberos, follow the steps below. For more information about using Kerberos, see “Using Kerberos” on page 197.

To use Kerberos verification:
1 In Macintosh Manager, click Global, and then click Security.
2 Select “Clients must authenticate using Kerberos” and click Save.

Preventing Users From Changing Their Passwords
Ordinarily, all users can change the passwords assigned to them.
If you don’t want users to change their own passwords, you can remove that privilege.

To keep users from changing their passwords:
1 In Macintosh Manager, click Global, and then click Security.
2 If “Users can change their passwords” is selected, deselect it.
3 Click Save.

Allowing Administrators to Access User Accounts
You can allow a system administrator to log in as any user. The administrator enters the user name of the account he or she wants to access and uses the appropriate administrator password.

To allow administrators to log in as other users:
1 In Macintosh Manager, click Global, and then click Security.
2 Select “Users may log in using a server administrator’s password.”
3 Click Save.

Copying Preferences for Mac OS 8 Computers
Users on Mac OS 8 computers can make changes to preferences while they are logged in (for example, they can change the desktop picture). However, when users log out, their preferences are saved only if you allow them to be saved. Macintosh Manager provides two ways to control how preferences are copied for Mac OS 8 users.
• If you want to save all preference changes for each user, you can copy the entire Preferences folder. Macintosh Manager will copy every item in the folder, regardless of what it is or how big it is. Copying unnecessary or large items can increase login and logout times for Mac OS 8 clients. For more information, see “Preserved Preferences” on page 468.
• If you want to limit the preferences copied, you can choose to copy only Internet preferences and administrator-defined preferences. Preference folders for Web browsers are copied, but the cache folders inside them are deleted. Using this option can significantly lighten the load on the server and have less of an impact on login and logout times.
If you use this option, Macintosh Manager will always copy the following preference files and folders:
Explorer (cache folder inside is deleted)
Fetch Preferences
Internet Preferences
JPEGView Preferences
NCSA Telnet Preferences
Netscape ƒ (cache folder inside is deleted)
Newswatcher Preferences
RealAudio Player Preferences
StuffIt Expander Preferences

To set how Mac OS 8 user preferences are copied:
1 In Macintosh Manager, click Global, and then click Security.
2 Select one of these options: To copy all preference items, select “Copy entire Preferences folder.” To copy only certain preference items, select “Copy only Internet or administrator-defined preferences.”
3 Click Save.

Using Global CD-ROM Settings
Global CD-ROM settings let you allow access to all CDs and DVDs or to only a specific list of discs. When you make a disc available to Macintosh Manager, you can view its contents, and then you can allow users access to all items on the disc or just the items you select.
Note: These settings do not apply to audio CDs. The audio CD setting is in the Privileges pane of the Workgroups pane.

To create a list of available discs and disc items:
1 In Macintosh Manager, click Global, and then click CD-ROMs.
2 Insert a CD or DVD.
3 Select the disc name and click Add to make it available in Macintosh Manager. To remove an available item, select it and click Remove.
4 To make specific items on a disc available to users, select a CD or DVD in the “Available in Macintosh Manager” list. In the “Allowed items on (__)” list, select items you want to make available to users. Click Allow All to select and allow every item on the disc. Click Allow None to deselect all items.
5 When you have finished, click Save.
To make only your list of approved items available to users, select a computer list and make sure to select “Access approved CD-ROMs only” in the Security pane for Computers.
You may also want to select “Show a panel for inserted CD-ROMs” to make it easy for Panels workgroups to find inserted CDs.

Managing Preferences
You can use the Managed Preferences folder to customize how application preferences and system preferences are handled to meet your particular needs and goals. For example, you can make sure that users always start out with a specific set of preferences or that some user-set preferences are never overridden.
A Managed Preferences folder is created on the workgroup data volume the first time any member of a workgroup logs in. Inside this folder are either two or three (initially empty) additional preference folders, depending on the client operating system:

Client operating system    Contents of Managed Preferences folder
Mac OS 9                   Initial Preferences folder
                           Forced Preferences folder
Mac OS 8                   Initial Preferences folder
                           Forced Preferences folder
                           Preserved Preferences folder

Using Initial Preferences
Preferences in the Initial Preferences folder are set once during login. The first time users log in, they get a fresh copy of any preferences contained in the Initial Preferences folder. Users can modify these preferences, and the changes are saved at logout.
For example, in a classroom setting, a teacher can set up preferences and a list of bookmarks for a particular Web browser. He or she stores a copy of those preferences in the Initial Preferences folder. When students log in on the first day of class, they all start out with the same browser preferences and the same list of bookmarks.
After a user’s first login, Macintosh Manager checks the user’s Preferences folder and compares it to the contents of the Initial Preferences folder. If a user already has a preference in the folder, Macintosh Manager doesn’t replace that preference. If a user’s folder doesn’t contain one or more initial preferences, Macintosh Manager copies the missing files to the user’s folder.
This process is repeated each time a user logs in, so you can place additional preference files in the Initial Preferences folder later. For example, if you install new software and place the software preferences file in the Initial Preferences folder, Macintosh Manager copies the new file to a user’s Preferences folder when the user opens the new software for the first time.

To use the Initial Preferences folder:
1 Set up a workgroup data volume (Group Documents) in the Options pane of the Workgroups pane.
2 From a client computer, access the group documents volume.
3 Create any preferences you want to place in the Initial Preferences folder.
4 Copy the preferences you created to the Initial Preferences folder on the group documents volume.
5 Repeat steps 1 through 4 for each group documents volume.

Exceptions to Initial Preferences
A few preferences are created automatically the first time a user logs in, regardless of whether you’re using an Initial Preferences folder. You don’t need these items in the Initial Preferences folder because they won’t be copied to the user’s folder:
• Apple Menu Options Preferences
• AppSwitcher Preferences
• Internet Preferences
• Keyboard Preferences
• Keychains
• Location Manager Preferences
• Mac OS Preferences
• TSM Preferences
• User Preferences

Using Forced Preferences
Using the Forced Preferences folder lets you ensure that users start out with a specified set of preferences every time they log in. If a user changes his or her preferences, those preferences are replaced with the preferences in the Forced Preferences folder the next time the user logs in.
Forced preferences are copied to the appropriate location depending upon the client operating system. The processes are explained below.
• Mac OS 9 clients: When a user logs in, Macintosh Manager compares preference folders and files in the /Library/Classic folder of a user’s home directory to items in the Forced Preferences folder.
Macintosh Manager deletes any matching items from the user’s folder and replaces them with preferences from the Forced Preferences folder. If any forced preferences are missing from the user’s folder, Macintosh Manager places new copies of these items in the user’s Preferences folder. If there are items in the user’s Preferences folder that do not match any items in the Forced Preferences folder, Macintosh Manager does nothing to them. If you have concerns about these items accumulating or consuming disk space, clean out the user’s Preferences folder occasionally.
• Mac OS 8 clients: When a user logs in, Macintosh Manager copies items from the Forced Preferences folder to the Preferences folder in the System Folder on the client computer, regardless of whether other copies already exist. No files or folders are copied to the user’s Preferences folder in the home directory.

To use forced preferences:
1 Set up a workgroup data volume (Group Documents) in the Options pane of the Workgroups pane.
2 From a client computer, access the group documents volume.
3 Create any preferences you want to place in the Forced Preferences folder.
4 Copy the preferences you created to the Forced Preferences folder on the group documents volume.
5 Repeat steps 1 through 4 for each group documents volume.

Preserved Preferences
The Preserved Preferences folder is available only for Mac OS 8 client computers. The files and folders that you put in the Preserved Preferences folder are never actually copied. Instead, Macintosh Manager creates a list containing the names of all the folders and files inside the Preserved Preferences folder. Macintosh Manager uses this list to determine which preferences need to be copied between the server and the client computer during login and logout. Because you can limit which preferences are copied, using the Preserved Preferences folder can help you decrease login and logout time for Mac OS 8 clients.
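The three managed-preferences folders described in this section behave differently at login and logout: Initial fills in only what the user lacks, Forced (Mac OS 9 clients) always wins over the user's copy, and Preserved (Mac OS 8 clients) is a name list that decides what is copied between the server and the client. The model below is an added example written for this guide, not Macintosh Manager's own code. It treats each Preferences folder as an in-memory dict of item name to contents, uses a constructed subset of the "always copied" names from the table later in this section, and every sample preference name and value is made up.

```python
# Added example: in-memory model of Macintosh Manager's Initial, Forced and
# Preserved preference folders. Not Apple's code; folders are dicts of
# item name -> contents, and all sample names/contents are constructed.
from typing import Dict, Set, Tuple

Prefs = Dict[str, bytes]  # preference file or folder name -> contents

# Constructed subset of the guide's "always copied" items for Preserved Preferences.
ALWAYS_COPIED: Set[str] = {"Control Strip Preferences", "Finder Preferences"}


def apply_initial(initial: Prefs, user: Prefs) -> Prefs:
    """Initial Preferences: copy only the items the user does not already have.
    Existing user items are never replaced, so the user's own changes survive."""
    merged = dict(user)
    for name, contents in initial.items():
        if name not in merged:
            merged[name] = contents
    return merged


def apply_forced(forced: Prefs, user: Prefs) -> Prefs:
    """Forced Preferences (Mac OS 9 client): each forced item replaces the user's
    copy, missing forced items are added, and items that match nothing in the
    Forced folder are left alone."""
    merged = dict(user)
    for name, contents in forced.items():
        merged.pop(name, None)   # delete the user's copy, if any ...
        merged[name] = contents  # ... and put the forced copy in its place
    return merged


def combined_list(preserved_folder: Prefs) -> Set[str]:
    """Preserved Preferences: only the names in the folder matter (an empty
    placeholder with the right name is enough); the always-copied names are added."""
    return set(preserved_folder) | ALWAYS_COPIED


def preserved_login(combined: Set[str], server_user: Prefs, client: Prefs) -> Prefs:
    """Login on a Mac OS 8 client: every listed item present in the user's folder
    on the server is copied to the client, replacing any client copy of that name.
    Listed items that exist on neither side are skipped; unlisted items are untouched."""
    updated = dict(client)
    for name in combined:
        if name in server_user:
            updated[name] = server_user[name]
    return updated


def preserved_logout(combined: Set[str], client: Prefs,
                     server_user: Prefs) -> Tuple[Prefs, Prefs]:
    """Logout: the same list decides what goes back to the server; each matching
    item is then deleted from the client. Unlisted items stay behind on the client,
    which is why the System Access note in this section applies."""
    new_server = dict(server_user)
    new_client = dict(client)
    for name in combined:
        if name in new_client:
            new_server[name] = new_client.pop(name)
    return new_server, new_client


def demo_os8_session() -> Tuple[Prefs, Prefs]:
    """One Mac OS 8 login/logout cycle driven by a placeholder in Preserved Preferences."""
    preserved = {"MyApp Prefs": b""}  # empty placeholder named like the real folder
    server_user: Prefs = {"MyApp Prefs": b"user colours", "Finder Preferences": b"list view"}
    client: Prefs = {"MyApp Prefs": b"previous user", "Scratch Prefs": b"machine local"}
    names = combined_list(preserved)
    client = preserved_login(names, server_user, client)
    client["MyApp Prefs"] = b"user colours v2"  # the user edits a preserved preference
    return preserved_logout(names, client, server_user)


if __name__ == "__main__":
    print(apply_initial({"Browser Prefs": b"homepage=intranet"}, {"Browser Prefs": b"mine"}))
    print(apply_forced({"Finder Preferences": b"locked"}, {"Finder Preferences": b"mine"}))
    print(demo_os8_session())
```

Running the session shows the two points the text makes: the user's edited "MyApp Prefs" travels back to the server although only an empty placeholder sits in the Preserved folder, and "Scratch Prefs", which is on no list, is left on the client for the next login.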
When you use Preserved Preferences, this is what happens during login and logout on a Mac OS 8 client:
• When a user logs in: Macintosh Manager scans the Preserved Preferences folder and builds a list containing the names of the files and folders inside. Macintosh Manager automatically adds the names of the preferences that are always copied to create a combined list. Next, Macintosh Manager copies all the files and folders on the combined list from the user’s Preferences folder on the server to the client computer’s Preferences folder. Any existing files and folders in the client’s Preferences folder that have the same name as those in the combined list are deleted and replaced. If an item in the list does not exist in either the user’s Preferences folder on the server or the Preferences folder on the client computer, the item is skipped.
• When the user logs out: Macintosh Manager uses the same process to determine which preferences are copied from the client computer’s Preferences folder back to the user’s Preferences folder on the server. All items matching those on the combined list are deleted from the Preferences folder on the client computer.
Note: A user who logs in using the System Access workgroup may not be able to use some applications, because the preferences for the applications were deleted from the Preferences folder after the last user logged out.

To use preserved preferences:
1 Set up a workgroup data volume (Group Documents) in the Options pane of the Workgroups pane.
2 From a client computer, access the group documents volume.
3 Create any preferences you want to preserve for users.
4 Copy the preferences you created to the Preserved Preferences folder on the group documents volume. Alternatively, you can set up Preserved Preferences using “placeholders” instead of the actual preferences, as long as the name and type of the placeholder match the name and type of the preference.
For example, if an application’s preferences are in a folder called “MyApp Prefs,” you can create an empty folder named “MyApp Prefs” in the Preserved Preferences folder.
5 Repeat steps 1 through 4 for each group documents volume.
The table below lists certain preferences that are always copied, and other preferences that are never copied. You do not have to include any of these preferences in the Preserved Preferences folder.

Always copied                  Never copied
Control Strip Preferences      AppleTalk Preferences
Date & Time Preferences        Client Preferences
Finder Preferences             ColorSync Profiles
Mac OS Preferences             Desktop Picture Preferences
Panels Preferences             Energy Saver Preferences
                               Extensions Manager Preferences
                               Multi-User Items
                               Multi-User Preferences
                               Open Transport Preferences
                               Remote Access
                               TCP/IP Preferences
                               Users & Groups Data File
                               Users & Groups Data File Backup

Solving Problems
This section describes some problems you may encounter while using Macintosh Manager and provides troubleshooting tips and possible solutions. If your problem is not addressed here, you may want to check Macintosh Manager Help or consult the AppleCare Knowledge Base online.

I’ve Forgotten My Administrator Password
Contact your Mac OS X Server administrator if you forget your password. If necessary, the server administrator can change your password using the Workgroup Manager application.

Administrators Can’t Get to the Finder After Logging In
If you have system access, you can choose the System Access workgroup when you log in. If you don’t have system access, and you need to go to the Finder often, ask your Macintosh Manager administrator to enable system access for your account.
You can bypass Macintosh Manager login by pressing Command-Shift-Esc when the Welcome dialog box appears. Then enter either the computer owner’s password or a local administrator’s name and password.

Generic Icons Appear in the Items Pane
If generic icons appear in the Items pane of the Workgroups pane in Macintosh Manager, restart the computer with Mac OS 9 and rebuild the Desktop file.

Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work
You cannot use both Macintosh Manager client software and the Multiple Users control panel on the same computer. If you want to set up local users, do not install Macintosh Manager client software on the computer. Instead, install the Multi-User Startup extension and use the Multiple Users control panel version 1.4.1.

Some Printers Don’t Appear in the Available Printers List
When you make printers available to client computers, Macintosh Manager creates desktop printers for your Mac OS 9 clients. The Mac OS X version of the Macintosh Manager administrator application creates only LaserWriter desktop printers. If you need to provide access to non-LaserWriter printers, you must use the Mac OS 9 version of the Macintosh Manager administrator application to manage clients.

Users Can’t Log In to the Macintosh Manager Server
First, make sure the server has enough free disk space. If the user’s password has not been changed and his or her user account has not been deleted, check the user’s Macintosh Manager login privileges.

To make sure login is enabled:
1 In Macintosh Manager, click Users, and then click Basic.
2 Make sure “User can log in” is selected. If “Disable login as of __” is also selected, make sure the date has not already passed.

Users Can’t Log In as “Guest” on Japanese-Language Computers
If users need to log in using the Guest account on Japanese-language client computers, you must change the computer’s language script to Roman in the International pane of System Preferences.
A Client Computer Can’t Connect to the Server

Try doing the following:
• Make sure the server is running. If you recently started the server, it may take a few minutes for the server to appear.
• Make sure network information (including DNS information) is entered correctly.
• Make sure the client computer is not low on memory and that it is connected to the network.
• If many computers start up at once, the load on your network may be too great. Try starting fewer computers at one time.

The Server Doesn’t Appear in the AppleTalk List

Mac OS X Server does not support AppleTalk network connections to Apple Filing Protocol (AFP) servers, such as the Macintosh Manager server. To connect to AFP servers, set client computers to connect via TCP/IP. Macintosh Manager client computers can, however, use AppleTalk for service discovery. If your network has AppleTalk zones, users on Mac OS 8 computers may need to select the zone where the server resides. On Mac OS 9 computers, use the Network Browser to make sure you are connected to the server.

The User’s Computer Freezes

If the computer’s system software is earlier than Mac OS 9, make sure file sharing is turned off.

Users Can’t Access Their Home Directories

Users may see a message if their home directories cannot be found at login. In Workgroup Manager, make sure the user’s home directory exists and has the correct permissions settings. Then, make sure the server that contains the user’s home directory is connected.

Users Can’t Access Shared Files

Shared workgroup folders are normally located on the same server volume. However, if you store workgroup documents on more than one volume, some users may not be able to access all of their shared documents without changing workgroups. If the user belongs to more than one workgroup and workgroup documents are stored on several servers, make sure the user has the latest version of AppleShare.

Shared Workgroup Documents Don’t Appear in a Panels Environment

If you created a workgroup data volume but users in a Panels workgroup can’t see it, make sure the workgroup data volume contains the shared documents folders. Also check to make sure the location of the Users folder has not changed. The Users folder is usually located at the top level of either the server volume or the workgroup data volume.

Applications Don’t Work Properly or Don’t Open

Some applications write to or create special files in places other than the Preferences folder inside the System Folder. If you enforce file-level security for a workgroup, some older applications may not function properly or may report errors. See “Preventing Applications From Altering Files” on page 441 for more information.

You can create a folder called “Other Applications•” and then put the Applications folder (and all of its contents) inside. The Other Applications• folder must reside in the client computer’s Applications folder. If the client computer is running Mac OS 9.1 or later, the Applications folder is called “Applications (Mac OS 9).”

Users Can’t Drag and Drop Between Applications

In most cases, Macintosh Manager does not allow the drag-and-drop feature. Use the Copy and Paste commands instead.

Users Can’t Open Files From a Web Page

Sometimes Web browsers rely on helper applications to open files that the browser itself cannot handle (for example, media files or PDF files).
1 In Macintosh Manager, click Computers, and then click Security.
2 Select “Open applications, such as helper applications.”

Sometimes the Right Application Doesn’t Open for Users

If the wrong application opens when a user tries to open a document, try rebuilding the client computer’s desktop.
Where to Find More Information

The AppleCare Web site provides a variety of resources, including the Knowledge Base (a database containing technical articles about product usage, implementation, and problem solving). Investigate the Web site at www.apple.com/support

Discussion lists for Mac OS X Server and Macintosh Manager let you exchange ideas and tips with other server administrators. You can sign up for a discussion list at www.lists.apple.com

Chapter 11 DHCP Service

Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute IP addresses to client computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a client computer starts up, it looks for a DHCP server on your network. If a DHCP server is found, the client computer then requests an IP address. The DHCP server checks for an available IP address and sends it to the client computer along with a “lease period” (the length of time the client computer can use the address) and configuration information.

You can use the DHCP module in Server Settings to
• configure and administer DHCP service
• create and administer subnets
• configure DNS and NetInfo options for client computers
• view DHCP and NetBoot client computers

If your organization has more clients than IP addresses, you will benefit from using DHCP service. IP addresses are assigned on an as-needed basis, and when they are not needed, they are available for use by other clients. You can use a combination of static and dynamic IP addresses for your network if you need to. Read the next section for more information about static and dynamic allocation of IP addresses. Larger organizations may also benefit from some of the other features DHCP service provides, such as being able to set DNS and NetInfo options for client computers.

You may not need to use DHCP service if you have a simple network with enough IP addresses for your clients. You can use one of the methods described later in this chapter to assign static IP addresses to all your network clients.

Before You Set Up DHCP Service

Before you set up DHCP service, read this section for information about creating subnets, assigning static and dynamic IP addresses, locating your server on the network, and avoiding reserved IP addresses.

Creating Subnets

Subnets are groupings of computers on the same network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for different groups within your organization or for different floors of a building. Once you have grouped client computers into subnets, you can configure options for all the computers in a subnet at one time instead of setting options for individual client computers. Each subnet needs a way to connect to the other subnets. A hardware device called a router typically connects subnets.

Assigning IP Addresses Dynamically

With dynamic allocation, an IP address is assigned for a limited period of time (the lease period) or until the client computer doesn’t need the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than available IP addresses.

Using Static IP Addresses

Static IP addresses are assigned to a computer or device once and then do not change. You may want to assign static IP addresses to computers that must have a continuous Internet presence, such as Web servers. Other devices that need to be continuously available to network users, such as printers, may also benefit from static IP addresses. Static IP addresses can be set up either by manually entering the IP address on the computer or device or by configuring DHCP to provide the same address to a specific computer or device on each request. DHCP-assigned addresses allow configuration changes at the DHCP server. Manually configured static IP addresses avoid possible issues certain services may have with DHCP-assigned addresses and avoid the delay required for DHCP to process the request.

Server Settings does not provide a way to assign static IP addresses using the BootP protocol (the protocol underlying DHCP). To assign static IP addresses, you can use the NetInfo Manager application in Mac OS X to create the appropriate properties in the local NetInfo database. See “Configuring Static Ports for Shared NetInfo Domains” on page 113 for more information on setting up static IP addresses on local networks.

Locating the DHCP Server

When a client computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the client computer, you must make sure the routers that connect your subnets can forward the client broadcasts and the DHCP server responses. If you have a relay agent or a router on your network that can relay BootP communications, it will work for DHCP. If you don’t have a relay, you need to place the DHCP server on the same subnet as your clients.

Interacting With Other DHCP Servers

You may already have other DHCP servers on your network, such as AirPort base stations. Mac OS X Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. However, you may wish your DHCP server to provide an LDAP server address for client auto-configuration in managed environments. AirPort base stations cannot provide an LDAP server address. Therefore, if you wish to use the auto-configuration feature you must set up AirPort base stations in Ethernet bridging mode and have Mac OS X Server provide DHCP service. If the AirPort base stations are on separate subnets, then your routers must be configured to forward client broadcasts and DHCP server responses as described previously. If you wish to provide DHCP service with AirPort base stations, then you cannot use the client auto-configuration feature and you must manually enter LDAP server addresses at client workstations.

Assigning Reserved IP Addresses

Certain IP addresses can’t be assigned to individual hosts. These include addresses reserved for loopback and addresses reserved for broadcasting. Your ISP will not assign such addresses to you. If you try to configure DHCP to use such addresses, you will be warned that the addresses are invalid, and you will need to enter valid addresses.

Setting Up DHCP Service for the First Time

If you used the Setup Assistant to configure ports on your server when you installed Mac OS X Server, some DHCP information is already configured. You still need to follow the steps in this section to finish configuring DHCP service. You can find more information about settings for each step in “Managing DHCP Service” on page 478.

Step 1: Create subnets

The following instructions show you how to create a pool of IP addresses that are shared by the client computers on your network. You create one range of shared addresses per subnet. These addresses are assigned by the DHCP server when a client issues a request.

To create subnets:
1 In Server Settings, click the Network tab, click DHCP/NetBoot, and choose Configure DHCP.
If you configured ports in the Setup Assistant, you see the port information in the Subnets pane. (The list of subnet address ranges shown is extracted from the host’s local NetInfo database. It is initially set to one subnet address range for each active Ethernet port.)
2 Click New to create new subnets, or choose an existing subnet and click Edit.
• In the General pane of the subnet settings window, you need to set a range of IP addresses for each subnet, and specify the router address. If you don’t use a router on your network, enter your server’s IP address in the Router field.
When you click Enable DHCP, you can choose a lease time for the IP address.
• Click the DNS and NetInfo tabs to set options for your client computers. Default settings for the server, if they exist, already appear in each pane. Configuring the options in these panes provides a starting point for client computers when DHCP service is turned on. You may need to set the DNS server address. See “Setting the Default DNS Server for DHCP Clients” on page 479 for more information.

Step 2: Set up logs for DHCP service

You can log DHCP activity and errors to help you monitor requests and identify problems with your server. DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by selecting “serious errors only (quiet)” in the Logging pane of the Configure DHCP window. For more information on setting up logs for DHCP service, see “Setting Up Logs for DHCP Service” on page 480.

Step 3: Start DHCP Service

Start DHCP service from Server Settings.

To start DHCP service:
1 Click DHCP/NetBoot.
2 Choose Start DHCP.
If the server successfully starts up, the menu item changes to Stop DHCP, and a globe appears on the DHCP/NetBoot icon.

Managing DHCP Service

This section describes how to set up and manage DHCP service on Mac OS X Server.

Starting and Stopping DHCP Service

Follow these steps when starting or stopping DHCP.

To start or stop DHCP service:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Start DHCP or Stop DHCP.
As the service is starting up or shutting down, a globe flashes on the DHCP/NetBoot icon. When the service is turned on, the globe appears on the DHCP/NetBoot icon. It may take a moment for the service to start (or stop).

Setting the Default DNS Server for DHCP Clients

The first time you connect to a Mac OS X Server using Server Settings, the DHCP client module does not use the DNS server IP address you entered in the Setup Assistant. You must set the default address in the DHCP module of Server Settings.

To configure DHCP to use the correct DNS server:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Click the DNS tab.
5 Click Use Defaults, then click Save.

Setting the LDAP Server for DHCP Clients

You can use DHCP to provide your clients with LDAP server information rather than manually configuring each client’s LDAP information.

To configure DHCP to provide the LDAP server address:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Click the LDAP tab.
5 Enter an LDAP server name and search base.
6 Enter a port or leave the field blank to use the default port.
7 Select “LDAP over SSL” if you wish LDAP information to be encrypted with SSL. SSL must be enabled on your server to use this option.
8 Click Apply to add the server to the LDAP Servers list at the top of the pane. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy.
9 Click New to clear the entry fields and enter additional LDAP server information. If you wish to delete a server from the list, click the server name and then click Delete. To modify a listed server, click the server name. Edit the name, search base, port, and SSL settings. Click Apply to update the LDAP Servers list.
10 Click Save when finished to save changes to the LDAP Servers list.

Setting Up Logs for DHCP Service

You can choose the level of detail you want to log for DHCP service.
• “Log warnings and errors only (normal)” can alert you to conditions in which data is inconsistent, but the DHCP server is still able to operate.
• “Log serious errors only (quiet)” will indicate conditions for which you need to take immediate action (for example, if the DHCP server can’t start up).

To set up logs for your DHCP server:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Click the Logging tab and select the logging option you want.

Deleting Subnets From DHCP Service

You can delete subnets and subnet IP address ranges.

To delete subnets or address ranges:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet or a subnet address range and click Delete.

Changing Lease Times for Subnet Address Ranges

You can change how long IP addresses in a subnet are available to client computers.

To change the lease time for a subnet address range:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Enter a number in the Lease Time field and choose a value from the pop-up menu.
5 Click Save.
Click Use Defaults to use the default subnet address range for this port. The default range includes all valid addresses for the port, based on its IP address and subnet mask.

Monitoring DHCP Client Computers

The DHCP client list shows the following information for each client computer in the database:
• DHCP client ID
• computer name
• hardware address
• IP address served to the client
• lease time left

To view the DHCP client list:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose View DHCP Clients.
3 Click Refresh to update the list.
Click any column heading to sort the list by different criteria.

Creating Subnets in DHCP Service

Subnets are groupings of client computers on the same network that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). Each subnet has at least one range of IP addresses assigned to it.

To create a new subnet:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Click New, or select an existing subnet and click Duplicate.
4 Enter the name of the new subnet and choose a port from the pop-up menu.
5 Enter a beginning and ending IP address for this subnet range. Addresses must be contiguous, and they can’t overlap.
6 Enter the subnet mask and router for this subnet, then click Save.
Click Use Defaults to use the default subnet address range for this port. The default range includes all valid addresses for the port, based on its IP address and subnet mask. To use the Mac OS X Server for the gateway for the subnet, enter the server IP address in the router field.

Changing Subnet Settings in DHCP Service

Use Server Settings to make changes to DHCP subnet settings.

To change subnet settings:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Make the changes you want.
5 Click Save.
You can click Use Defaults to use the server’s default settings.

Setting DNS Options for a Subnet

You can decide which DNS servers and default domain name a subnet should use. DHCP service provides this information to the client computers in the subnet.

To set DNS options for a subnet:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Click the DNS tab.
5 Enter the IP addresses of the DNS servers you want this subnet to use.
6 Enter the default domain name associated with the subnet, then click Save.
If you click Use Defaults, DHCP service gets DNS information from a DNS lookup that supplies the domain name and default DNS servers.

Setting NetInfo Options for a Subnet

You can give client computers in a subnet access to the information in NetInfo databases by “binding” the clients to one or more NetInfo parent servers.
You need to know the file name of the NetInfo database (or NetInfo tag) you want to use and the IP address of the server that hosts that database (or domain). The NetInfo tag is “network” if the domain was created using NetInfo Domain Setup.

To set NetInfo options for a subnet:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet and click Edit.
4 Click the NetInfo tab.
5 Enter the NetInfo tag of the NetInfo domain for this subnet.
6 Enter the IP address of each NetInfo parent server, then click Save.
Click Use Defaults if you want to use the server’s default NetInfo settings.

Disabling Subnets Temporarily

You can temporarily shut down a subnet without losing all its settings.

To disable a subnet:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet address range and click Edit.
4 Deselect Enable DHCP in the General pane, then click Save.

Viewing DHCP and NetBoot Client Lists

The DHCP Clients window gives the following information for each client:
• The IP address served to the client. Declined addresses are listed with “Declined” in the Time Left column.
• The number of days of lease time left, until the time is less than 24 hours; then the number of hours and minutes.
• The DHCP client ID. This is usually, but not always, the same as the hardware address.
• The computer name.
• The hardware address.

The NetBoot client list shows the following information for each connected client computer:
• path to the startup disk image used by the client
• clients’ Ethernet address (from the TCP/IP control panel)
• system software version and type of computer

To view the DHCP or NetBoot client list:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose View DHCP Clients or View NetBoot Clients.
3 Click Refresh to update the list.
Click any column heading to sort the list by different criteria.
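As an added example that is not part of this guide or of Server Settings, the following Python script applies the address-range rules given under “Assigning Reserved IP Addresses” and “Creating Subnets in DHCP Service” above: it computes a port’s default range from its IP address and subnet mask, flags loopback, broadcast and network addresses, and reports ranges whose address pools overlap. The subnet names, port names and addresses are constructed for the example.

```python
"""Checks for DHCP subnet address ranges, following the rules in this chapter:
the default range for a port is every valid host address given its IP address
and subnet mask, addresses reserved for loopback and broadcasting can't be
assigned, and the ranges a server hands out can't overlap.
Added example; not part of Server Settings. All names and addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class SubnetRange:
    """One subnet address range as entered in the General pane (constructed)."""
    name: str    # subnet name
    port: str    # Ethernet port, such as "en0"
    start: str   # beginning IP address of the range
    end: str     # ending IP address of the range
    mask: str    # subnet mask
    router: str  # router address (the server's own IP if there is no router)


def default_range(port_ip: str, mask: str) -> tuple[str, str]:
    """Default range for a port: all valid host addresses for its IP address and
    mask. The network address and the broadcast address are excluded."""
    net = IPv4Network(f"{port_ip}/{mask}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def reserved_reason(addr: IPv4Address, net: IPv4Network) -> str | None:
    """Why an address can't be assigned to a host, or None if it can be."""
    if addr.is_loopback:
        return "loopback"
    if addr == IPv4Address("255.255.255.255") or addr == net.broadcast_address:
        return "broadcast"
    if addr == net.network_address:
        return "network"
    if addr.is_multicast:
        return "multicast"
    return None


def check_range(r: SubnetRange) -> list[str]:
    """Problems with one range; an empty list means the range is acceptable."""
    start, end = IPv4Address(r.start), IPv4Address(r.end)
    if start > end:
        return [f"{r.name}: start {start} comes after end {end}"]
    net = IPv4Network(f"{r.start}/{r.mask}", strict=False)
    problems = []
    # A range must stay inside its own subnet, and the router must be in that subnet.
    if end not in net:
        problems.append(f"{r.name}: end {end} is outside {net}")
    if IPv4Address(r.router) not in net:
        problems.append(f"{r.name}: router {r.router} is outside {net}")
    # With both ends inside one subnet, reserved addresses can only sit at the ends.
    for label, addr in (("start", start), ("end", end)):
        why = reserved_reason(addr, net)
        if why:
            problems.append(f"{r.name}: {label} {addr} is a {why} address")
    return problems


def overlapping_ranges(ranges: list[SubnetRange]) -> list[tuple[str, str]]:
    """Pairs of range names whose address pools overlap. Each range (like each
    DHCP server on a network) must use a unique pool of addresses."""
    spans = sorted((int(IPv4Address(r.start)), int(IPv4Address(r.end)), r.name)
                   for r in ranges)
    hits = []
    for i, (_, end_i, name_i) in enumerate(spans):
        for start_j, _, name_j in spans[i + 1:]:
            if start_j <= end_i:  # sorted by start, so this is the only overlap case
                hits.append((name_i, name_j))
    return hits


# Constructed sample configuration, standing in for the Subnets pane.
SAMPLE_RANGES = [
    SubnetRange("Floor 1", "en0", "192.168.1.10", "192.168.1.100", "255.255.255.0", "192.168.1.1"),
    SubnetRange("Floor 2", "en0", "192.168.1.50", "192.168.1.150", "255.255.255.0", "192.168.1.1"),
    SubnetRange("Lab", "en1", "10.0.5.1", "10.0.5.255", "255.255.255.0", "10.0.5.1"),
    SubnetRange("Bogus", "en1", "127.0.0.1", "127.0.0.10", "255.0.0.0", "127.0.0.1"),
]


def audit(ranges: list[SubnetRange]) -> list[str]:
    """All findings for a set of ranges, one line each."""
    findings = [p for r in ranges for p in check_range(r)]
    findings += [f"{a} and {b} overlap" for a, b in overlapping_ranges(ranges)]
    return findings


if __name__ == "__main__":
    print("default range for en0 (192.168.1.1 / 255.255.255.0):",
          default_range("192.168.1.1", "255.255.255.0"))
    for line in audit(SAMPLE_RANGES):
        print(line)
```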
Viewing DHCP Log Entries

If you’ve enabled logging for DHCP service, you can check the system log for DHCP errors.

To see DHCP log entries:
1 In Server Settings, click the General tab.
2 Click Log Viewer and choose System Software.
3 Choose System Log from the pop-up menu and look for entries that begin with “bootpd.”

Solving Problems

• Examine logs to pinpoint problems.
• Try a different client to determine whether the problem is with the client or the server.

Where to Find More Information

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you are a novice server administrator, you’ll probably find some of the background information in an RFC helpful. If you are an experienced server administrator, you can find all the technical details about a protocol in its RFC document. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs

For details about DHCP, see:
• DHCP: RFC 2131

Chapter 12 NetBoot

NetBoot lets you start up Macintosh client computers from disk images on a Mac OS X Server. A disk image is a file that looks and acts like a mountable disk or volume. NetBoot disk images that contain system software can be used as a startup disk by client computers on the network. By creating Mac OS disk images on a server, you can have your Macintosh client computers start up from a standardized Mac OS configuration. You can ensure that all the clients are running the same system software, which is properly configured for the tasks users will be doing on their computers. Because the client computers are all starting up from the same disk image, you can quickly update the operating system for the entire group by changing the configuration of the disk image from which they start. You can also use NetBoot to start up other Mac OS X Servers. Mac OS X Server allows you to set up more than one disk image.
This lets you provide custom Mac OS environments for different groups of clients. You can also create disk images containing application software.

You use the following Mac OS X Server applications to set up and administer NetBoot:
• Network Image Utility—to create Mac OS X disk images. The Network Image Utility is installed with Mac OS X Server software, in the Utilities folder.
• NetBoot Desktop Admin—to modify the Mac OS 9 system disk image and accompanying disk image for applications.
• Server Settings (DHCP/NetBoot pane of the Network tab)—to enable and configure NetBoot on the server.
• PropertyListEditor—to edit property list (plist) files (used primarily when creating custom packages for Network Install images)
• Package Maker—to create package files that can be included on disk images.

You can use Mac OS X client management services to provide a personalized work environment for any NetBoot client computer user. For information about client management services, see Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8.”

The Mac OS X Server product includes the following CDs that contain applications and files specific to NetBoot:
• Mac OS X Server Administration Tools CD
  NetBoot, Network Install ƒ—includes Network Image Utility (in Image Creation ƒ) and Package Maker and PropertyListEditor (in Image Manipulation ƒ)
• NetBoot, Mac OS 9 CD
  About NetBoot.pdf (Read Me file)
  NetBoot Desktop Admin ƒ—contains About NetBoot Desktop Admin (Read Me file) and NetBoot Desktop Admin
  NetBoot.pkg—contains the preconfigured Mac OS 9.2.2 system disk image

Note: The contents listed above are localized into four languages: English, French, German, and Japanese. Each localized set appears in a separate folder on the CD labeled by language.

Prerequisites

Administrator Requirements

If you want to set up NetBoot on your server, you should meet the following requirements:
• You are the server administrator.
• You are familiar with Network Setup.
• You know the DHCP configuration.

You will also need to work with your networking staff who can configure network topologies, switches, routers, and other network settings.

Server Requirements

Your server must meet the following requirements:
• DHCP service (either provided by this server or elsewhere on your network)
• Ethernet:
  100 Mb (for fewer than 10 clients)
  100 Mb switched (for 10–50 clients)
  Gigabit (more than 50 clients)
These are estimates for the number of clients supported. See “Capacity Planning” on page 488 for a more detailed discussion of the optimal system and network configurations to support the number of clients you have.

Warning: Setting up your server to use NetBoot requires that you have the authority (authorization privileges) as well as the expertise to make changes to your network configuration. Potential risks include loss of data, client computers that can’t start up, and failure of the network.

NetBoot is not supported over wireless connections.

Client Computer Requirements

Any Macintosh computer that can run Mac OS 9.2.2 (all Macintosh computers released since the iMac) can use NetBoot to start up from a Mac OS X Server disk image. At the time of this publication, this includes the following Macintosh computers:
• iMac
• iBook
• eMac
• Power Macintosh G3 (blue and white)
• Power Mac G4
• Power Mac G4 Cube
• PowerBook (FireWire)
• PowerBook G4
• Xserve

Note: You should install the latest firmware updates on all client computers. Firmware updates are available from the Apple support Web site: www.apple.com/support/

Older Macintosh computers—tray-loading iMac computers and Power Macintosh G3 (blue and white) computers—require static addressing when using NetBoot. See “Network Requirements” on page 488.

Client computer RAM requirements

The following are the minimum RAM requirements for a client computer starting up from a Mac OS 9 or Mac OS X NetBoot disk image.
Start up from Mac OS 9 disk image: 64 MB
Start up from Mac OS X disk image: 128 MB
Client computers using Network Install must also have 128 MB of RAM.

Software updates for NetBoot system disk images

You should make sure to use the latest system software available when creating NetBoot disk images. New releases of Macintosh computers require updates of system software, so if you have new Macintosh clients you’ll need to update the disk images. You cannot update Mac OS X disk images directly. To “update” your Mac OS X disk images, you must create new ones. See “Creating a Mac OS X Disk Image” on page 496. To update Mac OS 9 disk images, see “Modifying the Mac OS 9 Disk Image” on page 498.

Ethernet support on client computers

NetBoot is supported only over the built-in Ethernet connection. Multiple Ethernet ports are not supported on client computers.

Network Requirements

The recommended method of providing IP addressing for NetBoot clients is DHCP. However, some older client computers require BootP for IP address assignment when using NetBoot. When this is the case, there can be only one server providing BootP addressing on the network to which those clients are attached. See the following section, “Capacity Planning,” for more information on this topic and other issues relevant to your network configuration when using NetBoot.

The following Macintosh computers require BootP addressing for NetBoot:
• tray-loading iMac computers
• Power Macintosh G3 (blue and white) computers

Capacity Planning

The number of NetBoot client computers you can connect to your server depends on how your server is configured, the server’s hard disk space, and a number of other factors. In planning for your server and network needs, consider these factors:
• Ethernet speed: 100Base-T or faster connections are required for both client computers and the server. As you add more clients, you may need to increase the speed of your server’s Ethernet connections. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac OS X server hardware to connect to a Gigabit switch. From the switch you should connect Gigabit Ethernet or 100 Mb Ethernet to each of the NetBoot clients.
• Hard disk capacity and number of NetBoot images: The NetBoot server requires a certain amount of hard disk space depending on the size and configuration of the system image and the number of images being served.
• Hard disk capacity and number of users: If you have a large number of users, consider adding a separate file server to your network to store user documents. Because the system software for a disk image is written to a shadow image for each client booting from the disk image, you can get a rough estimate of the required hard disk capacity by multiplying the size of the shadow image by the number of clients.
• Location of server and client: NetBoot clients that require static IP addresses (NetBoot 1.0) must be located on the same subnet as the server, and there can be only one server on that subnet serving static addresses.
• Number of Ethernet ports on the switch: Distributing NetBoot clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.

NetBoot Implementation

This section describes how NetBoot is implemented on Mac OS X Server—including information on the protocols, files, directory structures, and configuration details that support the NetBoot functionality.

NetBoot Image Folder

The NetBoot image folder contains the startup disk image file, a boot file that the firmware uses to begin the startup process, and other files required to start up a client computer over the network. A NetBoot image folder (NBI folder) is something like a package file (a folder compressed into a file), except that the folder and its contents are uncompressed so that the contents are readily visible.
The name of a NetBoot image folder includes the suffix “.nbi”. An NBI folder for Mac OS 9 (MacOS9.2.2.nbi) is slightly different from an NBI folder for Mac OS X (MacOSX.nbi) since the components required for startup are different. The following tables describe the contents of each.

Mac OS X NetBoot image folder (MacOSX.nbi)

File                 Description
booter               Boot file
mach.macos.x         UNIX kernel
mach.macosx.mkext    Drivers
MacOSX.dmg           System startup image file (may include application software)
NBImageInfo.plist    Property list file

You use Network Image Utility to create a Mac OS X NBI folder. The utility lets you
• name the image
• choose the image type (NetBoot or Network Install)
• provide an image ID (not visible to users)
• choose the default language—English, French, German, or Japanese
• specify a default user name and password
• enable automatic installation (Network Install only)
• add additional packages or preinstalled applications (Network Install only)
Note: The size of the disk image is set automatically by Network Image Utility when you choose the image type. NetBoot disk images are 2.0 GB and Network Install disk images are 1.4 GB. See “Creating a Mac OS X Disk Image” on page 496.

Mac OS 9 NetBoot image folder (MacOS9.2.2.nbi)

File or Folder       Description
Mac OS ROM           Boot file
NetBoot HD.img       System startup image file
Application HD.img   Application image file
NBImageInfo.plist    Property list file
Backup               Folder created by NetBoot Desktop Admin for the backup image

You use NetBoot Desktop Admin to modify the Mac OS 9 NBI folder. The utility lets you change the image file (NetBoot HD.img), change the name of the image, adjust the size of the image, and add software to the application image.

Property List File
The property list file (NBImageInfo.plist) stores the properties that you use to configure an NBI folder. The property lists for Mac OS 9 and Mac OS X are described in the following tables. For the most part, the values in NBImageInfo.plist are set by the tools you use to work with the image files—NetBoot Desktop Admin (for Mac OS 9 images) and Network Image Utility (for Mac OS X images)—and you do not need to change the property list file directly. Some values are set by the Configure DHCP/NetBoot panel in Server Settings. If you need to edit a property list file, however, you can use PropertyListEditor, which is supplied on the Mac OS X Server Administration Tools CD.

Mac OS 9 property list

Property    Type      Description
BootFile    String    Name of boot ROM file: Mac OS ROM.
Index       Number    Image ID.
IsDefault   Boolean   True specifies this image file as the default.
IsEnabled   Boolean   Sets whether the image is available to NetBoot (or Network Install) clients.
IsInstall   Boolean   True specifies a Network Install image; False specifies a NetBoot image.
Name        String    Name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).
Type        String    Classic.

Mac OS X property list

Property    Type      Description
BootFile    String    Name of boot ROM file: booter.
Index       Number    Image ID.
IsDefault   Boolean   True specifies this image file as the default.
IsEnabled   Boolean   Sets whether the image is available to NetBoot (or Network Install) clients.
IsInstall   Boolean   True specifies a Network Install image; False specifies a NetBoot image.
Name        String    Name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).
RootPath    String    Specifies path to disk image on server.
Type        String    NFS.

Boot Server Discovery Protocol (BSDP)
NetBoot uses an Apple-created extension to BootP and DHCP called Boot Server Discovery Protocol, or BSDP for short. This protocol implements a method of discovering NetBoot servers on a network. BSDP allows NetBoot clients to obtain their IP identities from either the BSDP server or from a DHCP server elsewhere on the network. BSDP provides some basic load balancing. See “Load Balancing” on page 504.

TFTP and the Boot ROM File
NetBoot uses the Trivial File Transfer Protocol (TFTP) to send the boot ROM from the server to the client. Installation of the NetBoot software on a server places the Mac OS 9 boot ROM file in /Library/NetBoot/NetBootSPx/imagename.nbi/ (where x is the volume number and imagename is the name of the NBI folder). The file is called “Mac OS ROM.” For Mac OS X images, Network Image Utility creates the boot ROM file (“booter”) at this location. The NetBootSPx directory is automatically created as an NFS share point when you install NetBoot on your server.
Instead of pointing the client directly to the location of the boot ROM file, NetBoot points to a symbolic link stored in the directory /private/tftpboot/. The symbolic link references the actual location of the Mac OS ROM file. This allows you to move the Mac OS ROM file, should the need arise, by changing the symbolic link in /private/tftpboot/.

Disk Images
The read-only disk images contain the system software and applications used over the network by the client computers. The name of a disk image file typically ends in .img or .dmg. Disk Copy—a utility included with Mac OS X and Mac OS 9.2.2—can mount disk image files as volumes on the desktop. With NetBoot, disk images mounted this way behave as system startup disks.
You set up Mac OS 9 and Mac OS X disk images in slightly different ways. A preconfigured Mac OS 9 disk image is provided for you on the CD named NetBoot, Mac OS 9. (The CD contains four localized versions of the Mac OS 9 image: Tier 0: English, Japanese, French, and German.) See “Installing the Mac OS 9 Disk Image” on page 497. You can modify the Mac OS 9 disk image using NetBoot Desktop Admin. See “Modifying the Mac OS 9 Disk Image” on page 498. You use Network Image Utility to create Mac OS X disk images, using a Mac OS X install disc as the “source.” See “Creating a Mac OS X Disk Image” on page 496.
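The checks below are an added example, not Apple's code: they parse NBImageInfo.plist against the keys in the property list tables above, confirm that the file named by BootFile exists inside the .nbi folder, and verify that every symbolic link in the tftpboot directory resolves to a file under the NetBoot share points. The directory locations, the sample tree and the Index value 4096 are assumptions made for the example.

```python
"""Added example (not Apple's code): consistency checks for the .nbi folders,
NBImageInfo.plist keys and /private/tftpboot links described above.  Directory
locations are parameters (really /Library/NetBoot and /private/tftpboot)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Property names and value types from the Mac OS X property list table above.
EXPECTED_TYPES = {"BootFile": str, "Index": int, "IsDefault": bool, "IsEnabled": bool,
                  "IsInstall": bool, "Name": str, "Type": str}
IMAGE_TYPES = {"NFS", "Classic"}  # Mac OS X images are NFS, Mac OS 9 images Classic


def load_info(nbi_dir):
    """Parse NBImageInfo.plist; return None when it is missing or unreadable."""
    try:
        with open(nbi_dir / "NBImageInfo.plist", "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # OSError, expat errors, plistlib.InvalidFileException
        return None


def check_nbi(nbi_dir):
    """Return a list of findings for one .nbi folder (empty when consistent)."""
    name, info = nbi_dir.name, load_info(nbi_dir)
    if not isinstance(info, dict):
        return ["%s: NBImageInfo.plist missing or unreadable" % name]
    findings = []
    for key, typ in EXPECTED_TYPES.items():
        if key not in info:
            findings.append("%s: missing key %s" % (name, key))
        # bool subclasses int, so a Boolean where a Number is expected is caught here
        elif not isinstance(info[key], typ) or (typ is int and isinstance(info[key], bool)):
            findings.append("%s: %s should be %s" % (name, key, typ.__name__))
    if info.get("Type") not in IMAGE_TYPES:
        findings.append("%s: Type must be NFS or Classic" % name)
    if info.get("Type") == "NFS" and "RootPath" not in info:
        findings.append("%s: NFS image without RootPath" % name)
    boot_file = info.get("BootFile")
    if isinstance(boot_file, str) and not (nbi_dir / boot_file).is_file():
        findings.append("%s: boot file '%s' not found in folder" % (name, boot_file))
    return findings


def check_tftp_links(tftpboot_dir, netboot_root):
    """Flag tftpboot links that dangle or resolve outside the NetBoot share points:
    the guide says each link references the boot file inside an .nbi folder, so
    anything else would hand clients an unexpected boot file."""
    findings, root = [], netboot_root.resolve()
    for entry in sorted(tftpboot_dir.iterdir()):
        if not entry.is_symlink():
            continue
        try:
            target = entry.resolve(strict=True)
        except FileNotFoundError:
            findings.append("tftpboot/%s: dangling link" % entry.name)
            continue
        if root not in target.parents:
            findings.append("tftpboot/%s: resolves outside %s" % (entry.name, root))
    return findings


def check_server(netboot_root, tftpboot_dir):
    """Walk NetBootSPx/*.nbi, then apply the guide's rule that at least one
    image must be enabled before clients can use NetBoot."""
    findings, enabled = [], 0
    for share_point in sorted(netboot_root.glob("NetBootSP*")):
        for nbi in sorted(share_point.glob("*.nbi")):
            findings.extend(check_nbi(nbi))
            enabled += bool((load_info(nbi) or {}).get("IsEnabled"))
    if enabled == 0:
        findings.append("no image is enabled; clients cannot use NetBoot")
    findings.extend(check_tftp_links(tftpboot_dir, netboot_root))
    return findings


def build_sample_tree():
    """Constructed sample tree (not real server data): one consistent image,
    one broken image, one good tftpboot link and one link that escapes."""
    base = Path(tempfile.mkdtemp(prefix="netboot-example-"))
    netboot_root, tftpboot = base / "Library" / "NetBoot", base / "private" / "tftpboot"
    tftpboot.mkdir(parents=True)
    good = netboot_root / "NetBootSP0" / "MacOSX.nbi"
    good.mkdir(parents=True)
    (good / "booter").write_bytes(b"\x00boot")     # stand-in for the boot file
    (good / "MacOSX.dmg").write_bytes(b"\x00dmg")  # stand-in for the system image
    with open(good / "NBImageInfo.plist", "wb") as fh:
        plistlib.dump({"BootFile": "booter", "Index": 4096, "IsDefault": True,
                       "IsEnabled": True, "IsInstall": False, "Name": "MacOSX",
                       "RootPath": "MacOSX.dmg", "Type": "NFS"}, fh)
    bad = netboot_root / "NetBootSP1" / "Broken.nbi"
    bad.mkdir(parents=True)
    with open(bad / "NBImageInfo.plist", "wb") as fh:  # no Index, no boot file, bad Type
        plistlib.dump({"BootFile": "booter", "IsDefault": False, "IsEnabled": True,
                       "IsInstall": False, "Name": "Broken", "Type": "HTTP"}, fh)
    os.symlink(good / "booter", tftpboot / "MacOSX.nbi-booter")
    outside = base / "elsewhere-booter"
    outside.write_bytes(b"\x00")
    os.symlink(outside, tftpboot / "stray")
    return netboot_root, tftpboot
```

Running check_server(*build_sample_tree()) reports three findings for Broken.nbi and one for the stray tftpboot link; on a real server, pass Path("/Library/NetBoot") and Path("/private/tftpboot") instead.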
Shadow Images
Many clients may read from the same system disk image, but whenever a client needs to write anything back to its startup volume (such as print jobs and other temporary files), NetBoot automatically redirects the written data to the client’s shadow image—a file hidden from regular system and application software. The shadow image is what preserves the unique identity of each computer during the entire time it is running off a NetBoot server disk image. NetBoot transparently handles reading changed data from the shadow file, while reading unchanged data from the shared system image.
The shadow image is recreated at boot time, so any changes made by the user to his or her startup volume are lost upon restart. For instance, if a user saves a document to the startup volume, after a restart that document will be gone. This behavior preserves the condition of the environment the administrator set up. Therefore it is recommended that users have accounts on a file server on the network to save their documents.
NetBoot creates share points on all available server volumes to store client shadow images as a way of providing load balancing for NetBoot clients. See “Load Balancing” on page 504.

NetBoot Files and Directory Structure
NetBoot learns about a client it supports the first time the client attempts to start up from the NetBoot server. When a client attempts to start up from a disk image on the NetBoot server, it provides information to NetBoot, which NetBoot saves and uses to identify the client during future startup attempts. The file that holds this information is called bsdpd_clients and is kept in the /var/db/ directory.

Security
You can secure access to NetBoot service on a case-by-case basis using the hardware address of specific computers to which you specifically allow or deny access.
A client computer’s hardware address is automatically added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot. See “Filtering NetBoot Client Connections” on page 503.
Note: The hardware address for a computer using Mac OS X can be found by opening the Network system preference and examining the Ethernet address under TCP/IP. The hardware address for a computer using Mac OS 9 can be found by opening the TCP/IP control panel, choosing Get Info from the File menu, and examining the hardware address.

NetBoot and AirPort
The use of AirPort wireless technology with NetBoot clients is not supported by Apple and is discouraged.

Setup Overview
Here is an overview of the basic steps for setting up NetBoot:

Step 1: Evaluate and update your network, servers, and client computers as necessary
The number of client computers you can support using NetBoot is determined by the number of servers you have, how they are configured, hard disk storage capacity, and other factors. See “Capacity Planning” on page 488.
Some older client computers require BootP for getting an IP address assignment when using NetBoot. (See “Network Requirements” on page 488 for a list of Macintosh computers that require BootP.) When this is the case, you must make sure that only one server on the network to which those clients are attached is configured to supply BootP addressing. Because this may impact your ability to implement a load balancing strategy, you may want to set up a separate subnet for these clients, as described in the next step. For more information about providing load balancing for NetBoot clients see “Load Balancing” on page 504.
Depending on the results of your evaluation in step 1, you may want to add servers or hard disks, add Ethernet ports, or make other changes to your servers, and you may want to set up one or more subnets for your BootP clients, depending on the number of BootP clients that you have.
You may also want to implement subnets on this server (or other servers) in order to take advantage of NetBoot filtering. See “Filtering NetBoot Client Connections” on page 503.
If you plan to provide authentication and personalized work environments for NetBoot client users by using Workgroup Manager (Mac OS X clients) and Macintosh Manager (Mac OS 9 clients), you should set this up and import users from the Mac OS X Server Users & Groups database before you create disk images. Make sure you have at least one Macintosh Manager user assigned to the System Access workgroup for Mac OS 9 clients and the Workgroup Manager for Mac OS X clients. See Chapter 6, “Client Management: Mac OS X,” on page 267 and Chapter 10, “Client Management: Mac OS 9 and OS 8,” on page 411.

Step 2: Create disk images for client computers
You can set up both Mac OS 9 disk images and Mac OS X disk images for client computers to start up from. A preconfigured Mac OS 9 image is supplied with Mac OS X Server on the NetBoot, Mac OS 9 CD. The Mac OS 9 disk image can be modified. If you are supporting new client computers that were released after this version of Mac OS X Server, you will need to modify the Mac OS 9 disk image to support the new clients. See “Modifying the Mac OS 9 Disk Image” on page 498. To create Mac OS X disk images, you use Network Image Utility.
See “Creating a Mac OS X Disk Image” on page 496.

Step 3: Set up DHCP
NetBoot requires that you have a DHCP server, either on the local server or on a remote server on the network. You need to make sure that you have a range of IP addresses sufficient to accommodate the number of clients that will be using NetBoot at the same time. See Chapter 11, “DHCP Service,” on page 475.

Step 4: Configure and turn on the NetBoot service
You use the Configure DHCP/NetBoot panel in Server Settings to configure NetBoot on your server. See “Configuring NetBoot on Your Server” on page 501. You turn on the NetBoot service by starting DHCP/NetBoot service and enabling disk images. See “Starting NetBoot on Your Server” on page 501 and “Enabling NetBoot Disk Images” on page 502.

Step 5: Set up NetBoot filtering (optional)
NetBoot filtering is done by client computer hardware address. Each client’s hardware address is automatically registered the first time the client attempts to start up from a NetBoot disk image. You then disallow a client address to prevent the client from using NetBoot. See “Filtering NetBoot Client Connections” on page 503.

Step 6: Test your NetBoot setup
Because there is risk of data loss or bringing down the network (by misconfiguring DHCP), it is recommended that you test your NetBoot setup before implementing it on all your clients. You should test each different model of Macintosh that you are supporting. This is to make sure that there are no problems with the boot ROM for a particular hardware type.

Step 7: Set up all client computers to use NetBoot
When you are satisfied that NetBoot is working on all types of computers, you can set up all your client computers to start up from the NetBoot disk images. You can set up NetBoot in the following ways:
Clients running Mac OS 9: Use the Startup Disk control panel to select a startup disk image on the server, then restart the computer. See “Selecting a NetBoot Startup Image (from Mac OS 9)” on page 506.
Note: You must update the Startup Disk control panel on client computers running Mac OS 9 from their local hard disks in order to be able to view NetBoot disk images in the control panel. See “Updating the Startup Disk Control Panel” on page 505.
Clients running Mac OS X version 10.2 or later: Use the Startup Disk System Preference pane to select a startup disk image on the server, then restart the computer. See “Selecting a NetBoot Startup Image (from Mac OS X)” on page 506.
Any client: Restart the computer and hold down the N key until the NetBoot icon starts flashing on the screen. The client starts up from the default image on the NetBoot server. See “Starting Up Using the N Key” on page 507.

Setting Up NetBoot on a Mac OS X Server
This section describes how to enable NetBoot on a Mac OS X server and how to create and edit NetBoot disk images.

Creating a Mac OS X Disk Image
NetBoot lets you provide one or more Mac OS X disk images to support NetBoot clients you want to start up over the network. You use Network Image Utility to create these images. Network Image Utility creates a Mac OS X disk image by using the files on a Mac OS X installation disc. Have the install CD ready—you’ll need to insert the disc into the CD drive during this procedure.
Note: You are required to purchase a user license for each client starting up from a NetBoot disk image.
To create a Mac OS X disk image:
1 Open Network Image Utility.
2 Enter a name for the disk image you are creating.
3 Select NetBoot from the Image Type popup menu.
Network Image Utility automatically adjusts the size of the disk image depending on the type of image you create. NetBoot disk images are 2 GB and Network Install disk images are 1.4 GB.
4 Enter an Image ID.
The Image ID allows you to mount multiple identical disk images (on multiple servers) without each of them showing up in clients’ Startup Disk control panels and panes. All the images with the same image name and ID are listed only once.
Providing duplicate disk images on multiple servers allows Mac OS X Server to employ load balancing for NetBoot clients.
5 Choose the default language for the system: English, French, German, or Japanese.
6 (Optional) Enter the default user name, short name, and password (in both the Password and Verify fields) to create a default user account.
Entering a default name and password creates a “dummy” user account that anyone can use to log in to the disk image. Users who have their own accounts can also log in with their own names and passwords. The default user is created with administrator privileges for the client computer.
7 Click Create Image.
If you haven’t inserted a Mac OS X install CD, you will be prompted to do so. The image file is created and saved in a NetBoot image folder in the following location, where x is the volume number and imagename is the image name you provided:
/Library/NetBoot/NetBootSPx/imagename.nbi/
If the source for the Mac OS X software is on two CDs, you will be prompted to remove the first disc and insert the second.

Installing Classic (Mac OS 9) on a Mac OS X Disk Image
You install Classic onto a Mac OS X image by copying a Mac OS 9.2.2 system folder onto an “unlocked” NetBoot image. You must also select the Mac OS X image and start Classic using the System 9 preference pane to complete the integration of Classic into the image. Do not try to install Classic onto Network Install disk images. This procedure for installing Classic only works for NetBoot disk images.
To install Classic on a Mac OS X disk image:
1 Make sure the disk image file (.dmg) is unlocked. In the Finder, select the image file and choose Show Info from the File menu. If the file is locked, click the Locked checkbox to unlock it.
2 Double-click the image file to mount the Mac OS X image on your server.
3 Drag a Mac OS 9 System Folder to the disk image.
You can use the System Folder from the NetBoot, Mac OS 9 CD that came with Mac OS X Server, or use another Mac OS 9 version 9.2.2 System Folder that has been blessed (previously run as Classic under Mac OS X).
4 In your server’s System Preferences, open the Classic preferences pane and select the disk image as the startup volume for Classic.
5 Click Start to start up Classic.
6 Shut down Classic, then eject the image file.
7 (Optional) Lock the image file if you want to protect against inadvertent changes.

Installing the Mac OS 9 Disk Image
Included with the NetBoot software is a preconfigured Mac OS 9 disk image, provided on the NetBoot, Mac OS 9 CD, which you install from the NetBoot.pkg file.
Warning: Do not modify a disk image that is in use by any NetBoot clients. Doing so will result in unpredictable behavior for the clients. Before modifying a disk image, make sure no one is using the image or make a copy of the file and modify the copy.
To install the preconfigured Mac OS 9 disk image:
• Open NetBoot.pkg on the NetBoot, Mac OS 9 CD.
The Installer installs the Mac OS 9 NetBoot image folder in the /Library/NetBoot/NetBootSPx/DefaultMacOS92.nbi/ directory (where x is the volume number).

Modifying the Mac OS 9 Disk Image
To install software on or change the preconfigured Mac OS 9 disk image, you need to start up from a NetBoot client computer, connect to the NetBoot server volume, and open the NetBoot Desktop Admin program, as described in the following steps. Your changes are not available to you or other users until after the NetBoot client computer running NetBoot Desktop Admin restarts the last time.
Before you start, you need the following information:
• Name and password of a user with read and write access privileges to the NetBoot server volume (for example, the administrator of the Mac OS X Server).
The following procedure requires that you restart the client computer several times.
If you are using Macintosh Manager with NetBoot client computers, each time you start or restart the client computer, you need to log in as a Macintosh Manager administrator who belongs to the System Access workgroup.
1 Log in to the server volume as a user with read and write access privileges (for example, as an administrator of the Mac OS X Server).
2 Using the Chooser, log in to all the server volumes on the client.
3 Copy the NetBoot Desktop Admin application to your server hard disk, then open the application. NetBoot Desktop Admin is supplied on the NetBoot, Mac OS 9 CD.
4 Click Make Private Copy.
Important: Be careful if there is more than one NetBoot server on your network. The client may start up automatically from a disk image on a server other than the one you are working on.
NetBoot Desktop Admin creates a copy of the disk image. This may take several minutes, and you should not interrupt the process. When it finishes, your NetBoot client computer restarts automatically.
5 If you are installing a new version of the Mac OS or adding system extensions, you may need to increase the size of the disk image. Make sure the disk image is large enough to accommodate the size of the new system and extensions you are installing. You cannot reduce the size of an image without reverting to a smaller backup copy.
6 If you are installing new application software, you may need to increase the size of the application disk image. Be sure the disk image has enough space for the software you want to install. However, increase the size of an image only as much as needed. You cannot reduce the size of an image without reverting to a smaller backup copy.
7 Install the software or make changes to the system configuration. Make sure to install the latest updates for the system software. If you are installing software, follow the installation instructions that came with the software. If necessary, restart the computer. After installing an application, open it.
Doing so lets you enter a registration number, if necessary. If you don’t enter the number now, every time users open the application they will need to enter the registration number. In addition, most applications create a preferences file in the System Folder. If you don’t open the application, users may not be able to open the application because the preferences won’t exist.
8 Be sure there aren’t any files in the Trash that you want to save. (The Trash is emptied automatically after the next step.)
Note: If you cannot empty the Trash because it contains files that are in use, you may need to restart the computer.
9 Using the Chooser, log back in to all the server volumes.
10 Open the NetBoot Desktop Admin application, then click Save. The computer restarts automatically. If you need to make other changes, click Quit and return to Step 7.
Important: Because the copy of a disk image is associated with the NetBoot client computer you used to create it, you must make the changes to the image using the same computer. If you change computers, you will not be able to see the changes you have made and your changes will not be available to users. In addition, you increase the risk of unauthorized users making changes to the disk image.
Clicking Discard removes the changes you’ve made to the disk image.
11 Start the NetBoot client computer again, and log back in to all the server volumes.
12 Open NetBoot Desktop Admin. If you want to keep a backup copy of the old disk image, leave the “Keep previous disks as backup” option selected. Backup copies are stored in the Backup Images folder in the Shared Images folder on the NetBoot server.
Note: Because there is only one Backup folder, the backup image saved at this time will overwrite any backup image in the folder from a previous session.
13 If you clicked Save in Step 10, click Restart. Otherwise, click OK.
If you click Restart, NetBoot Desktop Admin saves your changes, deletes the old disk image, and then restarts the computer. Changes are available the next time a NetBoot client computer restarts. If you click OK, NetBoot Desktop Admin deletes the old disk image.

Specifying the Default NetBoot Disk Image
The default disk image is the NetBoot disk image used when a user starts a client computer using the N key. See “Starting Up Using the N Key” on page 507. If you’ve created more than one startup disk image, use the Configure DHCP/NetBoot pane to select the default startup image.
Note: If you have more than one NetBoot server on the network, there is no way to control which disk image is used by client computers looking for the default disk image. The default image of the first server to respond to the client’s NetBoot request is the one that will be used.
To specify the default NetBoot disk image:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Image tab.
4 Select the image you want to be the default.

Setting Up Multiple Disk Images
You can create as many Mac OS X disk images as you want using the Network Image Utility. To create more than one Mac OS 9 disk image, make copies of the preconfigured disk image you installed from the NetBoot, Mac OS 9 CD into the /Library/NetBoot/NetBootSP0 directory. Then use NetBoot Desktop Admin to modify the Mac OS 9 disk images as desired. Use Server Settings to enable disk images and select the default disk image. See “Enabling NetBoot Disk Images” on page 502 and “Specifying the Default NetBoot Disk Image” on page 500.

Configuring NetBoot on Your Server
You use the DHCP/NetBoot module of Server Settings to configure your Mac OS X Server to provide NetBoot services to client computers.
Note: In the previous release of Mac OS X Server, “Static” was referred to as NB 1.0 and “Dynamic” as NB 2.0.
To configure NetBoot:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Logging tab and choose the level of logging you want: “Warning and errors (normal)” or “Serious errors only (quiet).”
4 Click the NetBoot tab and select an Ethernet port to use for NetBoot. You can select multiple ports to configure them simultaneously.
5 Select Static, Dynamic, or both. “Static” provides NetBoot service for NetBoot 1.0 clients. “Dynamic” provides NetBoot service for NetBoot 2.0 and NetBoot 3.0 clients. If you chose Dynamic and have an existing DHCP infrastructure, skip the following four steps and continue with Step 10.
6 For each Ethernet port you want to set up for NetBoot, repeat step 5.
7 If you chose Static or Both, click the Subnets tab and choose the matching port name.
8 Click Edit, then create an IP address range for the port. Make sure that the Enable DHCP option is selected.
9 Repeat Steps 7 and 8 for each port over which you’re serving NetBoot.
10 Click the Image tab. Select the Enable checkbox of the images that you want to make available to client computers for startup, then click Apply Now.

Starting NetBoot on Your Server
You turn on NetBoot by starting DHCP.
Note: You must also enable one or more images on your server before client computers can use NetBoot.
Important: Make sure that you set up only one static server on a network. Setting up multiple static servers may prevent NetBoot 1.0 clients from being able to start up over the network.
To start DHCP:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Start DHCP Service.

Enabling NetBoot Disk Images
You must enable one or more disk images on your server to make the images available to client computers for NetBoot startups.
Note: You must also start DHCP on the server before client computers can use NetBoot.
To enable disk images:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Image tab.
4 Select the Enable checkbox for the images you want to make available for NetBoot clients.

Managing NetBoot
This section describes how to manage the ongoing use of a NetBoot installation.

Turning Off NetBoot
The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.
Note: You can also stop NetBoot by disabling all disk images on the server.
To disable NetBoot on Ethernet ports:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the NetBoot tab and make sure no Ethernet ports are selected.

Disabling Disk Images
Disabling a disk image prevents client computers from using the image to start up over the network.
To disable a NetBoot disk image:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Image tab.
4 Select an image and deselect the Enable checkbox.

Updating Mac OS X Disk Images
Because Network Image Utility works by creating disk images from installation files on a CD-ROM disc, you cannot update a Mac OS X disk image. You must create a new disk image using a current Mac OS X installation CD.

Monitoring the Status of Mac OS X NetBoot Clients
Server Status lets you monitor all services on a Mac OS X server.
To monitor NetBoot service:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select DHCP/NetBoot in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see if DHCP/NetBoot is running.
3 Click the NetBoot Clients tab to see a list of client computers that have started up from the server, the hardware addresses of the clients, and the clients’ system type.
Note: This is historical information—a list of clients that are currently connected or have connected in the past. It is not a list of currently connected clients only.

Monitoring the Status of Mac OS 9 NetBoot Clients
Server Status lets you monitor all services on a Mac OS X server.
To monitor NetBoot service:
1 In Server Status, locate the name of the server you want to monitor in the Devices & Services list and select AppleFile in the list of services under the server name. If the services aren’t visible, click the arrow to the left of the server name.
2 Click the Overview tab to see if DHCP/NetBoot is running.
3 Click the Connections tab to see a list of client computers currently connected to the server, their types, IP addresses, how long the computers have been connected, and how long the computers have been idle.

Filtering NetBoot Client Connections
The filtering feature of NetBoot lets you allow or deny NetBoot access by client computer hardware address. Client hardware addresses are added to the filter list automatically the first time clients start up from a NetBoot disk image and are allowed access by default, so it is usually not necessary to enter hardware addresses manually.
To allow or deny client access to the NetBoot service:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Filter tab.
4 Select the clients you want to allow access and the clients you want to deny access to the NetBoot service.

Load Balancing
NetBoot provides a significant benefit to those system administrators tasked with maintaining a large number of Macintosh computers by having all of those computers boot from the same system software image. This feature, however, makes it critical that the NetBoot server remain available to the client computers relying upon it. To provide responsive and reliable NetBoot service, you should set up redundant NetBoot servers in your network infrastructure.
Most sites using NetBoot achieve acceptable responsiveness by staggering the boot times of client computers in order to reduce network load. Generally, there isn’t a need to boot all client computers at exactly the same time; rather, client computers are booted early in the morning and just remain booted throughout the work day. For client computers running Mac OS 9, you can program staggered startup times using the Energy Saver control panel. (There is no equivalent feature in Mac OS X, however.)
If heavy usage and simultaneous client startups are overloading the NetBoot server and causing delays, you may want to consider adding additional NetBoot servers to distribute the demands of the client computers across multiple servers (load balancing). When incorporating multiple NetBoot servers, it is important to use switches, as the shared nature of hubs creates a single shared network on which additional servers would have to vie for time.

Enabling Server Selection
If you add a second NetBoot server to a network that has a single server already in use, you will need to delete the bsdpd_clients file (located in the directory path /var/db/) from the existing NetBoot server. This enables clients to select which server they will use as their NetBoot server. Similarly, if you are recovering from a server or infrastructure failure, and your clients have been booting from a reduced number of NetBoot servers, you will need to delete the bsdpd_clients file from the running servers so that clients can once again spread out across the entire set of servers.
The bsdpd_clients file on any given server holds the Ethernet Media Access Control (MAC) addresses of the machines that have selected this server as their NetBoot server. As long as a client has an entry in an available server’s bsdpd_clients file, it will always boot from that server.
If that server becomes unavailable to those clients, they locate and associate themselves with an available server until you remove their entries (or the entire files) from their servers. (If a client ends up being registered on more than one server because an unavailable server comes back online, the client boots from the server with the fewest clients booted from it.)

Using Share Points to Spread the Load

By default, NetBoot creates share points for client shadow images on all server volumes in order to spread the load across multiple drive mechanisms. You can use Workgroup Manager to see these share points. They are named NetBootSPx, where x is the share point number; the share points are numbered starting with zero. For instance, if your server has two volumes installed (NetBootSP0 and NetBootSP1), NetBoot stores the first client’s shadow image on NetBootSP0, the second client’s shadow image on NetBootSP1, the third client’s shadow image on NetBootSP0, and so on. Likewise, with three volumes installed and eight clients, the first, fourth, and seventh clients use the first volume; the second, fifth, and eighth clients use the second volume; and the third and sixth clients use the third volume. This load balancing is automatic and usually ensures optimal performance.

With drive sizes getting larger and larger, some sites elect to partition their drives. An example would be partitioning a 60 GB drive into a 10 GB boot partition and a 50 GB data partition, with the intention of keeping just the operating system and associated configuration files on the boot partition, and all user data (such as client shadow images) on the data partition. After installation of the NetBoot software, however, there will be a NetBootSP0 on the boot partition and a NetBootSP1 on the data partition.
Supporting Client Computers

See “Client Computer Requirements” on page 487 for a list of supported Macintosh computers and the client system requirements for using NetBoot.

Updating the Startup Disk Control Panel

You need to replace the Startup Disk control panel on client computers running Mac OS 9 in order for the control panel to display the available NetBoot disk images. Version 9.2.4 of the Startup Disk control panel is located on the NetBoot, Mac OS 9 CD.
• Drag the new version of the control panel to the System Folder of each client computer running Mac OS 9 locally.

Setting Up “System-Less” Clients

NetBoot makes it possible to configure client computers without locally installed operating systems. “System-less” clients can start up from a NetBoot server using the N key method. (See “Starting Up Using the N Key” on page 507.) After the client computer has started up, you can use the Startup Disk control panel (Mac OS 9) or preference pane (Mac OS X) to select the NetBoot disk image as the default startup disk for the client. That way you no longer need to use the N key method to start up the client from the server.

Removing the system software from client computers gives you additional control over users’ environments. By forcing the client to boot from the server and using client management to deny access to the client computer’s local hard disk, you can prevent users from saving files to the local hard disk.

Selecting a NetBoot Startup Image (from Mac OS X)

If your computer is running Mac OS X version 10.2 or later, you use the Startup Disk pane of System Preferences to select a NetBoot startup disk image.

To select a NetBoot startup image from Mac OS X:
1 In System Preferences, select the Startup Disk pane.
2 Select the network disk image you want to use to start up the computer.
3 Click Restart.
The NetBoot icon appears, and then the computer starts up from the selected NetBoot disk image.
Selecting a NetBoot Startup Image (from Mac OS 9)

If your computer is running Mac OS 9, you use the Startup Disk control panel to select a NetBoot startup disk image.

Note: You must update the Startup Disk control panel on client computers running Mac OS 9 from their local hard disks in order to view NetBoot disk images in the control panel. See “Updating the Startup Disk Control Panel” on page 505.

To select a NetBoot startup image from Mac OS 9:
1 Open the Startup Disk control panel.
2 Select the network disk image you want to use to start up the computer.
3 Click Restart in the warning dialog box that appears.
The NetBoot icon appears, and then the computer starts up from the selected NetBoot disk image. The network disk image appears with a distinctive icon.

Starting Up Using the N Key

You can use this method to start up any supported client computer from a NetBoot disk image. When you start up with the N key, the client computer starts up from the default NetBoot disk image. (If there are multiple servers present, the client starts up from the default image of the first server to respond.) If you have an older client computer that requires BootP for IP addressing, you must use this method to start up from a NetBoot disk image. These older computers do not support selecting a NetBoot startup disk image from the Startup Disk control panel or preference pane. The N key also provides a way to start up client computers that run Mac OS 8 or that do not have system software installed. See “Setting Up ‘System-Less’ Clients” on page 506.

To start up from a NetBoot disk image using the N key:
1 Turn on (or restart) your computer while holding down the N key. Hold the N key down until the NetBoot icon appears in the center of the screen or an arrow appears in the upper left corner of the screen.
2 If a login window appears, enter your name and password.
The network disk image has an icon typical of server volumes.
Solving Problems

A NetBoot Client Computer Won’t Start Up
• Sometimes a computer may not start up immediately because other computers are putting a heavy demand on the network. Wait a few minutes and try starting up again.
• Make sure that all the cables are properly connected and that the computer and server are getting power.
• If you installed memory or an expansion card in the client computer, make sure it is installed properly.
• If the server has more than one Ethernet card, or you are using more than one port on a multiport Ethernet card, check whether other computers using the same card or port can start up. If they can’t, make sure the Ethernet port you set up on the server is the same port to which the client computer is connected. It’s easy to mistake Ethernet port 1 for Ethernet port 4 on a multiport card. On the cards that come preinstalled in Macintosh servers, the ports are numbered 4, 3, 2, 1 (from left to right) when you’re looking at the back of the computer.
• If the computer has a local hard disk with a System Folder on it, disconnect the Ethernet cable and try to start up the computer from the local hard disk. Then reconnect the Ethernet cable and try to start up the computer from the network.

You Are Using Macintosh Manager and a User Can’t Log In to a NetBoot Client
• Check whether the user can log in to other computers. If so, the computer the user can’t log in to may be connected to a Macintosh Manager server on which the user does not have an account. If there is more than one Macintosh Manager server, make sure the user has selected a server on which he or she has an account.
• Open Macintosh Manager and make sure the user is a member of at least one workgroup.
• Open Macintosh Manager and reset the user’s password.

Chapter 13 Network Install

Network Install lets you install Mac OS X system software and other software onto client computers over the network.
Network Install is similar to NetBoot. Instead of using startup disk images on the server, however, client computers start up from installer disk images. An installer disk image looks and behaves like an installer CD. Client computers can start up from the installer disk image on the Mac OS X Server. After a client has started up, system software, application software, or both can be installed on the client. Installations can be set up to run unattended (“automated”) or to require user interaction, allowing users to specify installation options.

Note: Network Install only installs Mac OS X system software on client computers. You cannot use Network Install to install Mac OS 9.

If you haven’t done so already, read Chapter 12, “NetBoot,” before continuing. In addition to describing how NetBoot works, Chapter 12 includes important prerequisites for anyone attempting to use NetBoot or Network Install.

You use the following Mac OS X Server applications to set up and administer Network Install:
• Network Image Utility, to create Mac OS X installer disk images.
• Package Maker, to create package files that can be included on disk images.
• PropertyListEditor, to edit property list (.plist) files to include packages in an installer disk image.

The Mac OS X Server product includes the following CD that contains applications you use to set up Network Install:
• Mac OS X Server Administration Tools CD: NetBoot, Network Install ƒ includes Network Image Utility (in Image Creation ƒ) and Package Maker and PropertyListEditor (in Image Manipulation ƒ).

Understanding Packages

If you plan to use Network Install to install application software, you need to know what packages are and how they work.

A package is a collection of compressed files and other information used to install software onto a computer. The contents of a package are contained within a single file, which has the extension .pkg. The following table shows the components of a package file.

File                Description
product.pax.gz      The files to be installed, compressed with gzip and archived with pax. (See the man pages for more information about gzip and pax.)
product.bom         Bill of Materials: a record of where files are to be installed. This is used in the verification and uninstall processes.
product.info        Contains information to be displayed during installation.
product.sizes       Text file; contains the number of files in the package.
product.tiff        Contains the custom icon for the package.
product.status      Created during the installation, this file will say either “installed” or “compressed.”
product.location    Shows the location where the package will be installed.
software_version    (Optional) Contains the version of the package to be installed.

The contents of a package can be viewed by selecting the package and holding down the Command, Shift, and O keys. This opens a viewer window in which the contents of the package are displayed.

You use Package Maker, available on the Mac OS X Server Administration Tools CD, to create application software packages to use with Network Install. Additional information about Package Maker is available at the following Web site:
http://developer.apple.com/techpubs/macosx/DeveloperTools/PackageMaker/PackageMaker.help/Contents/Resources/English.Iproj/

Setup Overview

Here are the basic steps for creating installer disk images.

Step 1: Read the NetBoot chapter and enable NetBoot on your server
Chapter 12, “NetBoot,” provides important information, such as system requirements and configuration procedures, that you need to know to use Network Install. Follow the instructions in “Starting NetBoot on Your Server” on page 501 to turn on NetBoot and Network Install.

Step 2: Create a Mac OS X installer disk image
Use Network Image Utility to create one or more Mac OS X installer images. See “Creating a Network Install Disk Image” on page 511.
Step 3: (Optional) Create an application software package
Use Package Maker to create packages if you want to install application software over the network. Application software packages can be used by themselves or in conjunction with Mac OS X system software. See “Creating Custom Packages for Network Install” on page 512. To include the packages in an installer disk image, you must edit the image’s property list (.plist) file using PropertyListEditor. See “Including Packages in an Installer Disk Image” on page 512.

Step 4: Enable installer disk images on your server
You enable installer disk images in the DHCP/NetBoot pane in Server Settings. See “Enabling Installer Disk Images” on page 513.

Setting Up Network Install

This section tells you how to create network installer disk images and enable them on your server.

Creating a Network Install Disk Image

You use Network Image Utility to create installer disk images. Network Image Utility is included with the Mac OS X Server product on the Mac OS X Server Administration Tools CD, at the following location:
NetBoot, Network Install ƒ/ImageManipulation ƒ

Network Image Utility creates an installer disk image by using the files on a Mac OS X install disc. Have the install CD ready; you’ll need to insert the disc into the CD drive during this procedure.

To create a Mac OS X installer disk image:
1 Open Network Image Utility.
2 Enter a name for the disk image you are creating.
3 Select Network Install from the Image Type pop-up menu. To create an image for installing application software packages only (no system software), choose Empty Image from the Image Type pop-up menu. Network Image Utility automatically adjusts the size of the disk image depending on the type of image you create. NetBoot disk images are 2 GB and Network Install disk images are 1.4 GB.
4 Enter an Image ID.
The Image ID lets you mount multiple identical disk images (on multiple servers) without each of them showing up in a client’s Startup Disk control panel or pane. All the images with the same image name and ID are listed only once.
5 Choose the default language for the system: English, French, German, or Japanese.
6 (Optional) Enter the default user name, short name, and password (in both the Password and Verify fields) to create a default user account. Entering a default name and password creates a user account that anyone can use to log in to the disk image. Users who have their own accounts can also log in with their own names and passwords. The default user is created with administrator privileges for the client computer.
7 Click Create Image. If you haven’t inserted a Mac OS X installer CD, you are prompted to do so.
The image file is created and saved in a NetBoot image folder in the following location, where x is the volume number and imagename is the Image Name you provided:
/Library/NetBoot/NetBootSPx/imagename.nbi/

Creating Custom Packages for Network Install

You can use Package Maker to create additional packages to include with an installer disk image. Package Maker is included with the Mac OS X Server product on the Mac OS X Server Administration Tools CD, at the following location:
NetBoot, Network Install ƒ/ImageManipulation ƒ
Use PropertyListEditor to update the property list file to include your custom packages. See “Including Packages in an Installer Disk Image” on page 512.

Including Packages in an Installer Disk Image

Use PropertyListEditor to update the property list (.plist) file of the installer disk image to include packages with the installer.
PropertyListEditor is included with the Mac OS X Server product on the Mac OS X Server Administration Tools CD, at the following location:
NetBoot, Network Install ƒ/ImageManipulation ƒ

To update the property list to include packages in an installer disk image:
1 Make sure the disk image file (.dmg) is unlocked. In the Finder, select the image file and choose Show Info from the File menu. If the file is locked, click the Locked checkbox to unlock it.
2 Double-click the image file to mount the Mac OS X image on your server.
3 On the volume that gets mounted, Control-click the OSInstall.mpkg file at the following location:
volume/System/Installation/Packages/
4 Choose Show Package Contents to open a viewer window showing the package’s contents.
5 Double-click the Contents folder, then double-click the Resources folder.
6 Open Packages.plist. PropertyListEditor should open. If not, open PropertyListEditor and open the property list file from within the application.
7 Create a new package in the Package list under Root.
8 Define the new package as a Dictionary using the Class pop-up menu.
9 Create a child labeled “packageName” of type String and enter the package name in the Value field.
10 Create a second child labeled “required” of type String and type YES in the Value field.
11 Repeat steps 7 through 10 for each package you want to add.
12 Save the updated property list and close PropertyListEditor.
13 In the Finder, copy the package files that correspond to the entries you just made in the property list into the following folder:
volume/System/Installation/Packages
14 Eject the image.
15 (Optional) Lock the image file if you want to protect against inadvertent changes.

Enabling Installer Disk Images

You must enable one or more of your installer disk images on your server to make the images available to client computers on the network. You must also start DHCP on the server before client computers can use Network Install.
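The Packages.plist procedure above (steps 7 through 13) can also be done without PropertyListEditor. The following Python 3 script is an added example, not Apple’s tool and not part of this guide. It assumes that the top-level object (“Root”) is a dictionary whose package list sits under a key named Packages (the guide does not name the key), and that each entry is a dictionary with the string children packageName and required exactly as the steps describe. The sample property list embedded in the script is constructed for the example; the package name MyApp.pkg is a placeholder.

```python
"""Add package entries to an installer image's Packages.plist.

Added example (not Apple's tool): reproduces the bookkeeping of steps 7
through 13 of the PropertyListEditor procedure. Assumptions: the Root
dictionary keeps its package list under the key "Packages" (the guide does
not name the key), and each entry is a dictionary with the string children
"packageName" and "required".
"""
import plistlib
from pathlib import Path

PACKAGE_LIST_KEY = "Packages"  # assumption: name of the list under Root

# Constructed sample Packages.plist with one pre-existing entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Packages</key>
  <array>
    <dict>
      <key>packageName</key><string>ExistingExample.pkg</string>
      <key>required</key><string>YES</string>
    </dict>
  </array>
</dict>
</plist>
"""


def package_names(plist_bytes: bytes) -> list:
    """Return the packageName values listed in the property list."""
    root = plistlib.loads(plist_bytes)
    return [entry["packageName"] for entry in root.get(PACKAGE_LIST_KEY, [])]


def add_packages(plist_bytes: bytes, names) -> bytes:
    """Return a new plist with one {packageName, required: YES} dictionary
    appended per name (steps 7 to 10). Names already present are skipped so
    the edit can be re-run safely, and names containing a path separator
    are rejected because they cannot be a package in the Packages folder."""
    root = plistlib.loads(plist_bytes)
    if not isinstance(root, dict):
        raise ValueError("Root must be a dictionary")
    entries = root.setdefault(PACKAGE_LIST_KEY, [])
    present = {e.get("packageName") for e in entries}
    for name in names:
        if not name or "/" in name:
            raise ValueError(f"bad package name: {name!r}")
        if name in present:
            continue
        entries.append({"packageName": name, "required": "YES"})  # steps 9 and 10
        present.add(name)
    return plistlib.dumps(root)


def missing_packages(plist_bytes: bytes, packages_dir) -> list:
    """Names listed in the plist with no matching file or bundle in the
    volume's System/Installation/Packages folder (step 13). An image whose
    entries point at nothing fails at install time on the client."""
    packages_dir = Path(packages_dir)
    return [n for n in package_names(plist_bytes)
            if not (packages_dir / n).exists()]


if __name__ == "__main__":
    updated = add_packages(SAMPLE_PLIST, ["MyApp.pkg"])
    print(package_names(updated))
    print(missing_packages(updated, "/Volumes/image/System/Installation/Packages"))
```

Run missing_packages against the mounted image’s Packages folder after step 13 and before ejecting: an empty list means every entry in the property list has its package file in place.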
See “Starting NetBoot on Your Server” on page 501.

Warning: If an installer disk image is the only image you enable, it becomes the default NetBoot image. Clients that start up using the N key will boot from and run the installer image instead of booting from a startup disk image.

To enable installer disk images:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 Click the Image tab.
4 Select the Enable checkbox for the images you want to make available for Network Install.

Chapter 14 DNS Service

When your clients want to connect to a network resource such as a Web or file server, they typically request it by its domain name (such as www.example.com) rather than by its IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so your clients can find the resources by name rather than by numerical address.

A DNS server keeps a list of domain names and the IP addresses associated with each name. When a computer needs to find the IP address for a name, it sends a message to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.

Setting up and maintaining a DNS server is a complex process. Therefore, many administrators rely on their Internet service provider (ISP) for DNS services. In this case, you only have to configure your network preferences with the name server IP address provided by your ISP.

If you don’t have an ISP to handle DNS requests for your network and any of the following is true, you need to set up DNS service:
• You do not have the option to use DNS from your ISP or another source.
• You plan on making frequent changes to the namespace and want to maintain it yourself.
• You have a mail server on your network and you have difficulties coordinating with the ISP that maintains your domain.

Mac OS X Server uses Berkeley Internet Name Domain (BIND) for its implementation of DNS protocols. BIND is an open-source implementation and is used by the majority of name servers on the Internet.

Before You Set Up DNS Service

This section contains information you should consider before setting up DNS on your network. The issues involved with DNS administration are complex and numerous. You should only set up DNS service on your network if you are an experienced DNS administrator.

DNS and BIND

You should have a thorough understanding of DNS before you attempt to set up your own DNS server. A good source of information about DNS is DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2001).

Note: Apple can help you locate a network consultant to implement your DNS service. You can contact Apple Professional Services and Apple Solutions Experts at:
http://www.apple.com/services/
http://experts.apple.com/

Setting Up Multiple Name Servers

You should set up at least one primary and one secondary name server. That way, if the primary name server unexpectedly shuts down, the secondary name server can continue to provide service to your users. A secondary server gets its information from the primary server by periodically copying all the domain information from the primary server.

Once your name server learns a name/address pair for a host in another domain (outside the domain it serves), the information is cached, which ensures DNS services are available. DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL for a domain name/IP address pair has expired, the entry is deleted from the name server’s cache and your server requests the information again as needed. (The entry is never deleted from the domain owner’s DNS server.)
Using DNS With Mail Service

If you plan to provide mail service on your network, you must set up DNS so that incoming mail is sent to the appropriate mail host on your network. When you set up mail service, you define a series of hosts, known as mail exchangers or MX hosts, with different priorities. The host with the highest priority gets the mail first. If that host is unavailable, the host with the next highest priority gets the mail, and so on.

For example, let’s say your mail server’s host name is “reliable” in the “example.com” domain. Without an MX record, your users’ mail addresses would include the name of your mail server computer, like this:
user-name@reliable.example.com

If you want to change your mail server or redirect mail, you have to notify potential senders of a new address for your users. Or, you can create an MX record for each domain that you want handled by your mail server and direct the mail to the correct computer.

When you set up an MX record, you should include a list of all possible computers that can receive mail for a domain. That way, if your server is busy or down, mail is sent to another computer. Each computer on the list is assigned a priority number. The one with the lowest number is tried first. If that computer isn’t available, the computer with the next lowest number is tried, and so on. When a computer is available, it holds the mail and sends it to the main mail server when the main server becomes available, and then the server delivers the mail. A sample list might look like this:
example.com
10 reliable.example.com
20 our-backup.example.com
30 last-resort.example.com

MX records are used for outgoing mail, too. When your mail server sends mail, it looks at the MX records to see whether the destination is local or somewhere else on the Internet. Then the same process happens, in reverse.
If the main server at the destination is not available, your mail server tries every available computer on that destination’s MX record list until it finds one that will accept the mail. If you don’t enter the MX information into your DNS server correctly, mail won’t work. For more information about MX records, see the resources listed at the end of this chapter.

Setting Up DNS Service for the First Time

If you are using an external DNS name server and you entered its IP address in the Setup Assistant, you don’t need to do anything else. If you are setting up your own DNS server, follow the steps in this section.

Step 1: Register your domain name
Domain name registration is managed by a central organization, the Internet Assigned Numbers Authority (IANA). IANA registration makes sure domain names are unique across the Internet. (See www.iana.org for more information.) If you don’t register your domain name, your network won’t be able to communicate over the Internet.

Once you register a domain name, you can create subdomains within it as long as you set up a DNS server on your network to keep track of the subdomain names and IP addresses. For example, a server in a domain would be host1.example.com, and a server in a subdomain would be host2.good.example.com. The DNS server for example.com keeps track of information for its subdomains, such as host (or computer) names, static IP addresses, aliases, and mail exchangers.

The range of IP addresses for use with a given domain must be clearly defined before setup. These addresses are used exclusively for one specific domain (never by another domain or subdomain). The range of addresses should be coordinated with your network administrator or ISP.

Step 2: Configure BIND
BIND is the name of the program included with Mac OS X Server that implements DNS. It is also called the name daemon, or named, when the program is running.
To set up and configure BIND, you need to modify the configuration file and the zone file. The configuration file is located here:
/etc/named.conf
The zone file name is based on the IP address of the server and begins with “db.” For example, the zone file db.192.168.12 is located here:
/var/named/db.192.168.12
See “Inside DNS Service (Configuring BIND)” on page 520 for more information.

Step 3: Set up a mail exchange (MX) record (optional)
If you provide mail service over the Internet, you need to set up an MX record for your server. For more information, read the next section.

Step 4: Start DNS service
Mac OS X Server includes GUI tools to start and stop DNS service. See “Starting and Stopping DNS Service” on page 518 for more information.

Managing DNS Service

Mac OS X Server provides a simple interface for starting and stopping DNS service as well as viewing logs and status. Changing DNS settings requires configuring BIND from the command line and is not covered here.

Starting and Stopping DNS Service

Use this procedure to start or stop DNS service.

To start or stop DNS service:
1 In Server Settings, click the Network tab.
2 Click DNS Service and choose Start DNS or Stop DNS.
When the service is turned on, a globe appears on the DNS Service icon. The service may take a moment to start (or stop).

Viewing DNS Log Entries

DNS service creates entries in the system log for error and alert messages.

To see DNS log entries:
1 In Server Status, click the server name in the Devices and Services list.
2 Click the Logs tab.
3 Choose System Log from the Show pop-up menu and look for entries that begin with “named.”

Viewing DNS Service Status

You can check the DNS Status window to see
• whether the service is running
• the version of BIND (the underlying software for DNS) that is running
• when the service was started and stopped
• the number of zones allocated
• the number of transfers running and deferred
• whether the service is loading the configuration file
• whether the service is priming
• whether query logging is turned on or off
• the number of Start of Authority (SOA) queries in progress

To view DNS service status:
1 In Server Status, click DNS in the Devices and Services list.
2 Click the Overview tab for general DNS service information.
3 Click the Activity tab to view operations currently in progress.

Viewing DNS Usage Statistics

You can check the DNS Statistics window to see statistics on common DNS queries.
• Name Server (NS): Asks for the authoritative name server for a given zone.
• Address (A): Asks for the IP address associated with a domain name.
• Canonical Name (CNAME): Asks for the “real name” of a server when given a “nickname” or alias. For example, mail.apple.com might have a canonical name of MailSrv473.apple.com.
• Pointer (PTR): Asks for the domain name of a given IP address (reverse lookup).
• Mail Exchanger (MX): Asks which computer in a zone is used for email.
• Start Of Authority (SOA): Asks for name server information shared with other name servers and possibly the email address of the technical contact for this name server.
• Text (TXT): Asks for text records used by the administrator.

To see DNS usage statistics:
1 In Server Status, click DNS in the Devices and Services list.
2 Click the Activity tab to view operations currently in progress and usage statistics.

Inside DNS Service (Configuring BIND)

In order to set up and use DNS service on Mac OS X Server, you need to configure BIND.
Configuring BIND requires making changes to UNIX configuration files in the Terminal application. To configure BIND, you must be comfortable with typing UNIX commands and using a UNIX text editor. Only manipulate these settings if you have a thorough understanding of DNS and BIND, preferably as an experienced DNS administrator.

What Is BIND?

As stated at the beginning of this chapter, BIND stands for Berkeley Internet Name Domain. BIND runs on UNIX-based operating systems and is distributed as open-source software. BIND is used on the majority of name servers on the Internet today. BIND is configured by editing text files containing information about how you want BIND to behave and information about the servers on your network. If you wish to learn more about DNS and BIND, resources are listed at the end of this chapter.

BIND on Mac OS X Server

Mac OS X Server uses BIND version 8.2.3. You can start and stop DNS service on Mac OS X Server using the Server Settings application. You can use Server Status to view DNS status and usage statistics.

BIND Configuration File

By default, BIND looks for a configuration file named “named.conf” in the /etc directory. This file contains commands you can use to configure BIND’s many options. It also specifies the directory to use for zone data files.

Warning: Incorrect BIND configurations can result in serious network problems.

Zone Data Files

Zone data files consist of paired address files and reverse lookup files. Address records link host names (host1.example.com) to IP addresses. Reverse lookup records do the opposite, linking IP addresses to host names. Address record files are named after your domain name, for example, db.example.com. Reverse lookup file names look like part of an IP address, such as db.192.168.12.
By default, the zone data files are located in /var/named/.

Practical Example

The following example lets you create a basic DNS configuration using BIND for a typical network behind a Network Address Translation (NAT) device that connects to an ISP. The port (cable modem, DSL, dial-up, and so on) that is connected to your ISP is referred to here as the WAN port. The port that is connected to your internal network is referred to here as the LAN port. The sample files you need are installed with Mac OS X Server in the directories listed in the steps below.

This example also assumes the following:
• The IP address of the WAN port is determined by your ISP.
• The IP address of the LAN port is 10.0.1.1.
• The IP address of the Mac OS X or Mac OS X Server machine that will be used as the DNS server is 10.0.1.2.
• The IP addresses for client computers are 10.0.1.3 through 10.0.1.254.

If IP address assignment is provided by the NAT device via DHCP, it needs to be configured with the above information. Consult your router or gateway manual for instructions on configuring its DHCP server. If your NAT device connects to the Internet, you also need to know the DNS server addresses provided by your ISP.

Setting Up Sample Configuration Files

The sample files can be found in:
/usr/share/named/examples
The sample files assume a domain name of example.com behind the NAT. This may be changed, but it must be changed in all modified configuration files. This includes renaming /var/named/db.example.com to the given domain name, for example, /var/named/db.foo.org.

To set up the sample files:
1 Log in to the DNS server machine as root.
2 Choose Go To Folder from the Go menu.
3 In the “Go to the folder:” sheet, enter “/etc” (no quotation marks) and click the Go button.
4 Locate the file named.conf and rename it named.conf.OLD.
5 Launch the TextEdit application located in /Applications.
6 Copy the contents of /usr/share/named/examples/db.10.0.1.sample into a new file.
Save the file as /var/named/db.10.0.1. 7 Copy the contents of /usr/share/named/examples/db.example.com.sample into a new file. Save the file as /var/named/db.example.com. 8 Copy the contents of /usr/share/named/examples/named.conf.sample into a new file. 9 Follow the instructions in the sample file to apply edits appropriate to your specific installation, then save the file as /etc/named.conf. 10 Log out and log back in as an administrator user. 11 Using Server Settings, via the Network tab, start the DNS service. 12 In the Network preference pane of System Preferences, change the domain name servers to list only the IP address of the new DNS server, 10.0.1.2. Configuring Clients If the IP addresses of your client computers are statically assigned, change the domain name servers of their Network preference panes to only list the new server’s IP address, 10.0.1.2. If you are using Mac OS X Server as your DHCP Server: 1 In Server Settings, choose Configure DHCP from the Network tab. 2 On the Subnet tab, edit the built-in Ethernet port (default). 3 In the General tab, enter the following information: Start: 10.0.1.3 End: 10.0.1.254 Subnet Mask: 255.255.255.0 Router: 10.0.1.1 4 Select the DNS tab and enter the following information: Default Domain: example.com DNS Servers: 10.0.1.2 5 Click the Save button and log out of Server Settings. Note: The client computers may not immediately populate with the new IP configuration information. This will depend upon when their DHCP leases expire. 
It may be necessary to restart the client computers for the changes to populate.DNS Service 523 Check Your Configuration To verify the steps were successful, launch the Terminal application located in /Applications/ Utilities and enter the following commands (substituting the local domain name for “example.com” if different): nslookup server.example.com nslookup 10.0.1.2 Note: If this generic configuration example does not meet your needs, Apple recommends that you do not attempt to configure DNS on your own and seek out a professional consultant or additional documentation. Load Distribution With Round Robin BIND allows for simple load distribution using an address shuffling method called round robin. You set up a pool of IP addresses for several hosts mirroring the same content, and BIND cycles the order of these addresses as it responds to queries. Round robin has no capability to monitor current server load or processing power. It simply cycles the order of an address list for a given host name. You enable round robin by adding multiple address entries in your zone data file for a given host. For example, suppose you want to distribute Web server traffic between three servers on your network that all mirror the same content. Suppose the servers have the IP addresses 192.168.12.12, 192.168.12.13, and 192.168.12.14. You would add these lines to the zone data file db.example.com: www.example.com 60 IN A 192.168.12.12 www.example.com 60 IN A 192.168.12.13 www.example.com 60 IN A 192.168.12.14 When BIND encounters multiple entries for one host, its default behavior is to answer queries by sending out this list in a cycled order. The first request gets the addresses in the order A, B, C. The next request gets the order B, C, A, then C, A, B, and so on. Notice that the TTL is set quite short to mitigate the effects of local caching. 
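The paired zone data files and the round-robin behavior described above, worked through in code. This is an added example written for this page, not Apple’s sample files: it builds the address records for db.example.com and the matching reverse lookup records for db.10.0.1 and db.192.168.12 from a constructed host table, then simulates BIND’s cyclic ordering of the three www.example.com addresses. The one-day TTL for single-address hosts is an assumed default; the 60-second TTL for the pool is the chapter’s.

```python
"""Zone data files and round robin, as described in this chapter.

Builds the address records for the address file (db.example.com), the PTR
records for the paired reverse lookup files (db.10.0.1, db.192.168.12), and
simulates BIND's default cyclic ordering of several A records for one name.
"""
import ipaddress
from collections import defaultdict

# Constructed host table (not Apple's sample files): the DNS server from the
# practical example and the three mirrored Web servers from the round-robin
# section.
HOSTS = {
    "server.example.com": ["10.0.1.2"],
    "www.example.com": ["192.168.12.12", "192.168.12.13", "192.168.12.14"],
}

LONG_TTL = 86400  # assumed one-day TTL for ordinary hosts (not from the chapter)
SHORT_TTL = 60    # the chapter's short TTL for a round-robin pool


def ttl_for(ips):
    """A name with several addresses is a round-robin pool and gets the short TTL,
    so that cached answers do not pin clients to one server for long."""
    return SHORT_TTL if len(ips) > 1 else LONG_TTL


def address_records(hosts):
    """Lines for the address file, in the chapter's form: name TTL IN A address."""
    lines = []
    for name, ips in hosts.items():
        for ip in ips:
            lines.append(f"{name} {ttl_for(ips)} IN A {ip}")
    return lines


def reverse_files(hosts):
    """PTR lines grouped by reverse lookup file.

    Files are named after the leading octets of the network, e.g. db.192.168.12,
    which is the naming the chapter describes.  Every A record gets a matching
    PTR record so that forward and reverse lookups agree.
    """
    files = defaultdict(list)
    for name, ips in hosts.items():
        for ip in ips:
            addr = ipaddress.IPv4Address(ip)
            network_part = ".".join(str(addr).split(".")[:3])
            files[f"db.{network_part}"].append(
                f"{addr.reverse_pointer} {ttl_for(ips)} IN PTR {name}."
            )
    return dict(files)


class RoundRobinResolver:
    """Answers A queries the way the chapter describes BIND's default: the
    address list is rotated by one position for each successive query
    (A, B, C then B, C, A then C, A, B ...)."""

    def __init__(self, hosts):
        self._hosts = {name: list(ips) for name, ips in hosts.items()}
        self._cursor = defaultdict(int)

    def query(self, name):
        ips = self._hosts[name]
        start = self._cursor[name] % len(ips)
        self._cursor[name] += 1
        return ips[start:] + ips[:start]

    def answers(self, name, count):
        """The address lists returned to `count` successive queries for `name`."""
        return [self.query(name) for _ in range(count)]


if __name__ == "__main__":
    print("\n".join(address_records(HOSTS)))
    for fname, lines in reverse_files(HOSTS).items():
        print(f"--- {fname}")
        print("\n".join(lines))
    resolver = RoundRobinResolver(HOSTS)
    for answer in resolver.answers("www.example.com", 4):
        print(answer)
```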
Setting Up a Private TCP/IP Network

If you have a local area network that has a connection to the Internet, you must set up your server and client computers with IP addresses and other information that’s unique to the Internet. You obtain IP addresses from your Internet service provider (ISP).

If it’s unlikely that your local area network will ever be connected to the Internet and you want to use TCP/IP as the protocol for transmitting information on your network, it’s possible to set up a “private” TCP/IP network. When you set up a private network, you choose IP addresses from the blocks of IP addresses that the IANA (Internet Assigned Numbers Authority) has reserved for private intranets:
- 10.0.0.0–10.255.255.255 (10/8 prefix)
- 172.16.0.0–172.31.255.255 (172.16/12 prefix)
- 192.168.0.0–192.168.255.255 (192.168/16 prefix)

If you set up a private TCP/IP network, you can also provide DNS service. By setting up TCP/IP and DNS on your local area network, your users will be able to easily access file, Web, mail, and other services on your network.

Important: If you think you might want to connect to the Internet in the future, you should register with an Internet registry and use the IP addresses provided by the registry when setting up your private network. Otherwise, when you do connect to the Internet, you’ll need to reconfigure every computer on your network.

Where to Find More Information

For more information on DNS and BIND, see the following:
- DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2001)
- The International Software Consortium Web site: www.isc.org

Chapter 15: Firewall Service

Firewall service is software that protects the network applications running on your Mac OS X Server. Turning on Firewall service is similar to erecting a wall to limit access. Firewall service scans incoming IP packets and rejects or accepts these packets based on the set of filters you create.
You can restrict access to any IP service running on the server, and you can customize filters for all incoming clients or for a range of client IP addresses.

Services such as Web and FTP are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the filter list for a matching port number.
- If the port number is in the filter list, the filter applied is the one that contains the most specific address range.
- If the port number is not in the list, the Any Port filter that contains the most specific address range is used.

The picture below illustrates this process.

[Figure: flowchart. A computer with IP address 10.221.41.33 attempts to connect to the server over the Internet (port 80), and the server begins looking for filters. Is there a filter for port 80? If yes: is there a filter containing IP address 10.221.41.33? If there is no filter for the port, or none containing the address: locate the Any Port filter with the most specific range that includes the address 10.221.41.33. What does the filter specify? Allow: connection is made. Deny: connection is refused.]

The port filters you create are applied to TCP packets and can also be applied to User Datagram Protocol (UDP) packets. In addition, you can set up filters for restricting Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and NetInfo data.

If you plan to share data over the Internet, and you do not have a dedicated router or firewall to protect your data from unauthorized access, you should use Firewall service. This service works well for small to medium businesses, schools, and small or home offices. Large organizations with a firewall can use Firewall service to exercise a finer degree of control over their servers. For example, individual workgroups within a large business, or schools within a school system, may want to use Firewall service to control access to their own servers. Mac OS X Server uses the ipfw software for firewall service.

Important: When you start Firewall service the first time, all incoming TCP packets are denied until you change the filters to allow access. By default, all addresses that are not specifically allowed are denied. Therefore, you must create filters if you want to allow access to your server. If you turn Firewall service off, all addresses are allowed access to your server.

Before You Set Up Firewall Service

When you start Firewall service, the default configuration denies access to all incoming packets from remote computers. This provides the highest level of security. You can then add new IP filters to allow server access to those clients who require access to services.

First, think about the services that you want to provide on your server. Mail, Web, and FTP services generally require access from computers on the Internet. File and print services will most likely be restricted to your local subnet.

Once you decide which services you want to protect using Firewall service, you need to
- determine which IP addresses you want to allow access to your server
- determine which IP addresses you want to deny access to your server

Then you can create the appropriate filters. To learn how IP filters work and how to create them, read the sections that follow.

What Is a Filter?

A filter is made up of an IP address and a subnet mask, and sometimes a port number and access type. The IP address and the subnet mask together determine the range of IP addresses to which the filter applies, and can be set to apply to all addresses.

IP Address

IP addresses consist of four segments with values between 0 and 255, separated by dots (for example, 192.168.12.12). The segments in IP addresses go from general to specific (for example, the first segment might belong to all the computers in a whole company, and the last segment might belong to a specific computer on one floor of a building).
Subnet Mask

The subnet mask, like the IP address, consists of up to four segments. You enter a mask to indicate which segments in the specified IP address can vary and by how much. The only values you can use in a subnet mask segment are 0, 128, 192, 224, 240, 248, 252, 254, and 255.

The segments in a mask go from general to specific, so the earlier a zero appears in the segments of the subnet mask, the wider the resulting range of addresses. A subnet mask of 255.255.255.255 is the narrowest and indicates a single IP address. Any value except 255 in a segment of the subnet mask must be followed by zero segments. The following subnet mask examples are invalid, because in each case, a value other than 255 is followed by a non-zero value:
- 255.255.128.255
- 255.0.128.128
- 255.255.252.255

Using Address Ranges

When you create filters using Server Settings, you enter an IP address and a subnet mask. Server Settings shows you the resulting address range, and you can change the range by modifying the subnet mask. When you indicate a range of possible values for any segment of an address, that segment is called a wildcard. The following examples show address ranges created to achieve specific goals.

Goal: Create a filter that specifies a single IP address.
  Sample IP address: 10.221.41.33   Subnet mask: 255.255.255.255   Address range: 10.221.41.33 (single address)

Goal: Create a filter that leaves the last segment of the IP address range as a wildcard.
  Sample IP address: 10.221.41.33   Subnet mask: 255.255.255.0   Address range: 10.221.41.0 to 10.221.41.255

Goal: Create a filter that leaves part of the third segment and all of the fourth segment as a wildcard.
  Sample IP address: 10.221.41.33   Subnet mask: 255.255.252.0   Address range: 10.221.40.0 to 10.221.43.255

Goal: Create a filter that applies to all incoming addresses.
  Sample IP address: select “All IP addresses”   Address range: All IP addresses

IP Address Precedence

If you create multiple filters for a port number, the filter that contains the most specific address range has precedence.
The table below illustrates how this works. If a request comes in from an address that falls within the range specified on the first line, access is allowed. If the request doesn’t fall within that address range, the second line is checked. The last line, All, denies access.

Port      IP address     Mask             Access mode  Result
80 (Web)  10.221.41.33   255.255.255.255  Allow        Address 10.221.41.33 is allowed.
80 (Web)  10.221.41.33   255.255.252.0    Allow        Addresses in the range 10.221.40.0 to 10.221.43.255 are allowed.
80 (Web)  All                             Deny         All addresses are denied.

You cannot set both Deny and Allow for the exact same range of addresses.

Multiple IP Addresses

A server can support multiple homed IP addresses, but Firewall service applies one set of filters to all server IP addresses. If you create multiple alias IP addresses, then the filters you create will apply to all of those IP addresses.

Practical Examples

The IP filters you create work together to provide security for your network. The examples that follow show you how to use filters to achieve some specific goals.

Block Access to Internet Users

To allow users on your subnet access to your server’s Web service, but deny access to the general public on the Internet:

Access  Port      IP address
Allow   80 (Web)  In Server Settings, select “a range of IP addresses” and click Use My Subnet in the IP filter window.
Deny    80 (Web)  All

Block Junk Mail

To reject email from a junk mail sender with an IP address of 17.128.100.0 and accept all other Internet email:

Access  Port       IP address
Deny    25 (SMTP)  17.128.100.0
Allow   25 (SMTP)  All

Important: Set up very specific address ranges in filters you create to block incoming SMTP mail. For example, if you set a filter on port 25 to deny mail from all addresses, you will prevent any mail from being delivered to your users.

Allow a Customer to Access the Apple File Server

To allow a customer with an IP address of 10.221.41.33 to access an Apple file server:

Access  Port           IP address
Allow   548 (AFP/TCP)  10.221.41.33
Deny    548 (AFP/TCP)  All

Setting Up Firewall Service for the First Time

Once you’ve decided which filters you need to create, follow these overview steps to set up Firewall service. If you need more help to perform any of these steps, see “Managing Firewall Service” on page 531 and the other topics referred to in the steps.

Step 1: Configure Firewall service

Configure Firewall service in Server Settings.

To configure Firewall service:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.

You can configure Firewall service to log denied and allowed packets, start up automatically, specify how rejections are handled, apply TCP port filters to UDP and other packets, and set up access for NetInfo. For more information about the settings, see “Managing Firewall Service” on page 531.

Step 2: Add filters to the IP filter list

Read “Before You Set Up Firewall Service” on page 527 to learn how IP filters work and how to create them.

To add IP filters:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Show Firewall List.
3. Click New and create a filter.

For more information about creating a new filter, see “Creating an IP Filter” on page 532.

Step 3: Start Firewall service
- In Server Settings, click Firewall and choose Start Firewall.

Managing Firewall Service

Check this section to find step-by-step instructions for setting up and configuring Firewall service.

Starting and Stopping Firewall Service

By default, Firewall service blocks all incoming TCP connections and allows all UDP connections. Before you turn on Firewall service, make sure you’ve set up filters allowing access from IP addresses you choose; otherwise, no one will have access to your server.

To start or stop Firewall service:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Start Firewall or Stop Firewall.
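The subnet mask rules, the address range examples and the most-specific-range precedence described under “Before You Set Up Firewall Service” above, worked through in code. This is an added example, not part of Apple’s documentation or of Server Settings: it validates a mask against the chapter’s rules, computes the range a filter covers, and resolves a connection against a constructed filter list that mirrors the chapter’s port 80, SMTP and AFP examples. It also converts the slash notation that the NetInfo pane accepts later in this chapter (192.168.33.3/24) to a mask; the single-address mask on the 17.128.100.0 junk mail filter is our assumption, since the chapter gives none.

```python
"""Address ranges and filter precedence as this chapter describes them.

validate_mask() applies the subnet mask rules (only certain segment values;
any segment other than 255 may be followed only by zeros), address_range()
shows the range a filter covers, and decide() answers "is this connection
allowed?" the way the chapter's flowchart does: filters for the port first,
then the Any Port filter, the most specific address range winning either way.
"""
import ipaddress
from collections import namedtuple

ALLOWED_SEGMENTS = (0, 128, 192, 224, 240, 248, 252, 254, 255)

Filter = namedtuple("Filter", "port ip mask access")
ANY_PORT = "Any Port"
ALL = None  # stands for the "All IP addresses" choice in Server Settings


def validate_mask(mask):
    """Return the mask normalized to four segments, or raise ValueError.

    The chapter says a mask has up to four segments; padding a shorter mask
    with zero segments is our assumption about how it is completed.
    """
    segs = [int(s) for s in mask.split(".")]
    if not 1 <= len(segs) <= 4:
        raise ValueError(f"{mask}: a mask has one to four segments")
    segs += [0] * (4 - len(segs))
    for s in segs:
        if s not in ALLOWED_SEGMENTS:
            raise ValueError(f"{mask}: {s} is not a valid mask segment")
    for i, s in enumerate(segs):
        if s != 255 and any(segs[i + 1:]):
            raise ValueError(f"{mask}: {s} must be followed only by zero segments")
    return ".".join(str(s) for s in segs)


def address_range(ip, mask):
    """(first, last) address the filter covers, as Server Settings displays it."""
    net = ipaddress.IPv4Network((ip, validate_mask(mask)), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def cidr_to_mask(prefix_len):
    """The NetInfo pane takes 192.168.33.3/24 style ranges; /24 is 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


# Constructed filter list mirroring the chapter's examples: the port 80
# precedence table, the junk mail filter (single-address mask assumed), the
# AFP customer filter, and the default Any Port deny.
FILTERS = [
    Filter(80, "10.221.41.33", "255.255.255.255", "Allow"),
    Filter(80, "10.221.41.33", "255.255.252.0", "Allow"),
    Filter(80, ALL, None, "Deny"),
    Filter(25, "17.128.100.0", "255.255.255.255", "Deny"),
    Filter(25, ALL, None, "Allow"),
    Filter(548, "10.221.41.33", "255.255.255.255", "Allow"),
    Filter(548, ALL, None, "Deny"),
    Filter(ANY_PORT, ALL, None, "Deny"),
]


def _coverage(f, client):
    """(does f cover client, how specific f is).  All covers everything at 0."""
    if f.ip is ALL:
        return True, 0
    net = ipaddress.IPv4Network((f.ip, validate_mask(f.mask)), strict=False)
    return ipaddress.IPv4Address(client) in net, net.prefixlen


def decide(filters, port, client):
    """Allow or Deny for `client` connecting to `port`, following the chapter:
    look at the filters for that port; if none contains the client's address,
    fall back to the Any Port filters.  The most specific range wins."""
    for key in (port, ANY_PORT):
        hits = []
        for f in filters:
            if f.port != key:
                continue
            covers, specificity = _coverage(f, client)
            if covers:
                hits.append((specificity, f))
        if hits:
            # Server Settings refuses Allow and Deny on the exact same range,
            # so the most specific hit is unambiguous.
            return max(hits, key=lambda h: h[0])[1].access
    return "Deny"  # the Any Port filter denies by default


if __name__ == "__main__":
    for ip, mask in [("10.221.41.33", "255.255.255.255"),
                     ("10.221.41.33", "255.255.255.0"),
                     ("10.221.41.33", "255.255.252.0")]:
        print(ip, mask, "->", address_range(ip, mask))
    for bad in ("255.255.128.255", "255.0.128.128", "255.255.252.255"):
        try:
            validate_mask(bad)
        except ValueError as err:
            print("invalid:", err)
    print(decide(FILTERS, 80, "10.221.42.7"), decide(FILTERS, 80, "17.1.1.1"))
```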
Setting Firewall Service to Start Automatically

If you plan to use Firewall service regularly, you should set the service to start automatically on startup. This ensures that your firewall is in place after a system restart or power outage.

Important: If you add or change a filter after starting Firewall service, the new filter will affect connections already established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers already connected to your FTP server will be disconnected.

To set Firewall service to start automatically each time your computer starts up:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Select “Start Firewall at system startup,” then click Save.

Editing IP Filters

If you edit a filter after turning on Firewall service, your changes affect connections already established with the server. For example, if any computers are connected to your Web server, and you change the filter to deny all access to the server, connected computers will be disconnected. If you delete a port from the filter list, all IP filters for that port will also be deleted.

To edit IP filters:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Show Firewall List.
3. Select a filter and click Duplicate, Edit, or Delete. If you are deleting a filter, you’ve finished.
4. Make any changes to the settings, then click Save.

Creating an IP Filter

IP filters contain an IP address and a subnet mask. You can apply a filter to all IP addresses, a specific IP address, or a range of IP addresses.

To create an IP filter:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Show Firewall List.
3. Click New, or select a port or address that has a filter similar to the one you want to create, and click Duplicate.
4. Select whether this filter will allow or deny access.
5. Choose a port number from the pop-up menu, or enter the port number. If you select a nonstandard port, you can enter a name that indicates the port’s use, such as Web or Apple file service.
6. Select the IP addresses that you want to filter. If you choose a range of addresses, enter the beginning IP address for the range. If you don’t know the IP address, click Find IP Address to search for an IP address. A search returns one IP address from the domain name you specified.
7. If you choose “a range of IP addresses,” enter a subnet mask or click Use My Subnet to use the computer’s subnet mask. The resulting address range is displayed at the bottom of the window.
8. Click Save.

Searching for IP Filters

You can use the Find button in the IP Filter List window to search for filters that match specific criteria. For example, you may want to see what filters you have set up for a specific IP address.

To search the IP filter list:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Show Firewall List.
3. Click the Find button.
4. Choose your search criteria from the pop-up menus.
5. Click Find. The search results appear in the bottom half of the window.

Viewing the Firewall Log

Each filter you create in Server Settings corresponds to one or more “rules” in the underlying firewall software. Log entries show you the rule applied, the IP address of the client and server, and other information.

To view the log for Firewall service:
1. In Server Status, click your server in the Devices and Services list.
2. Click the Log tab and choose System Log.
3. Look for log entries with the prefix “ipfw.”

Configuring Firewall Service

By default, Firewall service blocks all incoming TCP connections and allows all UDP connections.
Before you turn on Firewall service, make sure you’ve set up filters allowing access from IP addresses you choose; otherwise, no one will have access to your server.

Important: If you add or change a filter after turning on IP filtering, the new filter will affect connections already established with the server. For example, if you deny all access to your file server, computers already connected to your file server will be disconnected.

To configure Firewall service:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Select “Start Firewall at system startup” if you want the service to start whenever the server starts up.
4. Select “Send rejection to client if connection is denied” if you want your server to respond to denied connection attempts (this is on by default).
5. Choose which connections (allowed or denied) you want to log.
6. Click the NetInfo and Advanced tabs if you want to make configuration settings for UDP, ICMP, IGMP, and NetInfo.
7. Click Save, then restart Firewall service.

Setting Up Logs for Firewall Service

You can log only the packets that are denied by the filters you set, only the packets that are allowed, or both. Both logging options can generate a lot of log entries, which can fill up disk space and degrade the performance of the server. You should use “Log all allowed packets” only for limited periods of time.

To set up logs:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Select the logging options you want, then click Save.
4. Restart Firewall service.

Server Status provides access to all of Mac OS X Server’s service logs. Click your server in the Devices and Services list, then choose System Log and look for entries that begin with “ipfw.” The filters you create in Server Settings correspond to one or more rules in the underlying filtering software.
Log entries show you the rule applied, the IP address of the client and server, and other information. For more information about rules and what they mean, see “Creating IP Filter Rules Using ipfw” on page 538. Here are some examples of firewall log entries and how to read them.

Log Example 1

Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0

This entry shows that Firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on Web port 80 via Ethernet port 0.

Log Example 2

Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0

This entry shows that Firewall service used rule 100 to allow the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 via Ethernet port 0.

Log Example 3

Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0

This entry shows that Firewall service used rule 10 to send a packet to itself on port 660 via the loopback device 0.

Viewing Denied Packets

Viewing denied packets can help you identify problems and troubleshoot Firewall service.

To view denied packets:
1. Turn on logging of denied packets in the Configure Firewall window.
2. To view log entries in Server Status, click your server in the Devices and Services list.
3. Click the Log tab and choose System Log from the pop-up menu.

Filtering UDP Ports in Firewall Service

Many services use User Datagram Protocol (UDP) to communicate with the server. By default, all UDP connections are allowed. You should apply filters to UDP ports sparingly, if at all, because “deny” filters could create severe congestion in your server traffic. If you filter UDP ports, don’t select the “Log all allowed packets” option in the General pane.
Since UDP is a “connectionless” protocol, every packet to a UDP port will be logged if you select that option. You should also create allow filters for specific services, including
- DNS on port 53
- DHCP on port 67
- SLP on port 427
- Windows Name Service browsing on ports 137 and 138
- Network Assistant on port 3283
- NFS on port 2049
- NetInfo

UDP ports above 1023 are allocated dynamically by certain services, so their exact port numbers may not be determined in advance.

To set up UDP port filters:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Click the Advanced tab and select “Apply filters in IP filter list to UDP ports.”
4. Click “all UDP ports” or enter a range of port numbers to filter in the “in range” fields.
5. Click Save, then restart Firewall service.

Blocking Multicast Services in Firewall Service

Some hosts and routers use Internet Group Management Protocol (IGMP) to send packets to lists of hosts. Keep in mind that denying IGMP packets may prevent services that use multicast addressing from running correctly. QuickTime Streaming uses multicast addressing, as does Service Location Protocol (SLP).

To block IGMP connections:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Click the Advanced tab and select Deny Internet Gateway Multicast Protocol (IGMP).
4. Click Save, then restart Firewall service.

Allowing NetInfo Access to Certain IP Addresses

Any information stored in a shared NetInfo domain needs to be accessed by multiple Mac OS X computers on the network. You can use Firewall service to control which IP addresses can access a particular shared domain.

To allow NetInfo access:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Click the NetInfo tab and select a shared domain from the “Network visible domain” pop-up menu.
4. Choose “everyone” to allow all IP addresses to access the domain. To restrict access to certain IP addresses, enter IP addresses in the text field, pressing Return between entries. To enter a range of IP addresses, type a slash (/) after the IP address. For example, 192.168.33.3/24 means the range 192.168.33.0 to 192.168.33.255.
5. Click Save, then restart Firewall service.

Any IP filters you create allow NetInfo access for the IP addresses you specify. By default, NetInfo dynamically chooses a TCP or UDP port from the 600 through 1023 range, but you can configure a shared domain to be accessible using one port, or using a port for TCP and a second port for UDP packets.

If you choose to allow access to all IP addresses, you should have a firewall that protects your internal network from the Internet and blocks external traffic targeted at the ports used for NetInfo. If you don’t have a separate firewall, selecting all IP addresses could compromise your server’s security.

Changing the Any Port (Default) Filter

If the server receives a packet using a port or IP address to which none of your filters apply, Firewall service uses the Any Port (default) filter. You can set the Any Port (default) filter to either deny or allow these packets for specific IP addresses. By default the Any Port filter denies access. If you need to change the Any Port (All) filter to allow access, you can. However, you should not take this action lightly. Changing the default to allow means you must explicitly deny access to your services by setting up specific port filters for all the services that need protection.

To change the default Any Port setting:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Show Firewall List.
3. Select Any Port and click New, or select an IP address under Any Port and click Edit.
4. Make any changes to the settings, then click Save.
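The system log entries shown under “Viewing the Firewall Log” above can be read programmatically to review denied packets per client, which is what the troubleshooting steps there suggest looking for. This is an added example, not Apple’s code: it parses entries in the format of the chapter’s three examples plus one constructed ICMP entry (which has no port numbers), and summarizes which clients were denied by which rules. The service names come from this chapter’s Port Reference.

```python
"""Reading the ipfw entries that Firewall service writes to the system log.

parse_entry() turns one "mach_kernel: ipfw:" line into a record (rule number,
action, protocol, client and server addresses, direction, interface) and
summarize() counts denied attempts per client, the rules that denied them, and
allowed packets per service.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the chapter's three example entries plus one ICMP deny
# (the ICMP line is made up to show an entry without port numbers).
SAMPLE_LOG = """\
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
Dec 12 13:41:02 ballch5 mach_kernel: ipfw: 63200 Deny ICMP:8.0 10.221.41.33 192.168.12.12 in via en0
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) mach_kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "   # ports are absent for ICMP
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# ipfw actions that mean the packet was refused.  "Unreach" is a deny that
# sends a rejection back (the "Send rejection to client" setting); "Deny" is a
# silent drop; "Reset" answers TCP with a reset.
DENIED_ACTIONS = {"Unreach", "Deny", "Reset"}

# Service names from this chapter's Port Reference for the ports in the sample.
SERVICE = {80: "HTTP (Web)", 515: "LPR (printing)", 660: "Server Settings"}


def parse_entry(line):
    """Return a dict for an ipfw log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    for key in ("sport", "dport"):
        e[key] = int(e[key]) if e[key] is not None else None
    e["denied"] = e["action"] in DENIED_ACTIONS
    if e["dport"] is None:
        e["service"] = e["proto"]          # e.g. ICMP:8.0 (type.code)
    else:
        e["service"] = SERVICE.get(e["dport"], str(e["dport"]))
    return e


def describe(e):
    """One-line reading of an entry, in the wording the chapter uses."""
    verb = "denied" if e["denied"] else "allowed"
    if e["dport"] is None:
        target = e["dst"]
    else:
        target = f"{e['dst']} on {e['service']} port {e['dport']}"
    return f"rule {e['rule']} {verb} {e['src']} -> {target}, {e['dir']} via {e['iface']}"


def summarize(log_text):
    """Denied counts per client, the rules that denied them, allowed per service."""
    denied_by_client = Counter()
    rules_by_client = defaultdict(set)
    allowed_by_service = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e is None:
            unparsed += 1
            continue
        if e["denied"]:
            denied_by_client[e["src"]] += 1
            rules_by_client[e["src"]].add(e["rule"])
        else:
            allowed_by_service[e["service"]] += 1
    return {
        "denied_by_client": dict(denied_by_client),
        "rules_by_client": {k: sorted(v) for k, v in rules_by_client.items()},
        "allowed_by_service": dict(allowed_by_service),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_entry(line)))
    print(summarize(SAMPLE_LOG))
```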
Preventing Denial-of-Service Attacks

When the server receives a TCP connection request from a client to whom access is denied, by default it sends a reply rejecting the connection. This stops the denied client from resending over and over again. However, a malicious user could generate a series of TCP connection requests from a denied IP address and force the server to keep replying, locking out others who are trying to connect to the server. This is one type of denial-of-service attack.

To prevent denial-of-service attacks:
1. In Server Settings, click the Network tab.
2. Click Firewall and choose Configure Firewall.
3. Make sure “Send rejection to client if connection is denied” is not checked.
4. Click the Advanced tab and select “Deny ICMP echo (ping) reply.”
5. Click Save, then restart Firewall service.

Important: Denial-of-service attacks are somewhat rare, so make these settings only if you think your server may be vulnerable to an attack. If you don’t send rejection replies to clients, some clients may retry connections, resulting in server congestion. Also, if you deny ICMP echo replies, services that use pinging to locate network services will be unable to detect your server.

Creating IP Filter Rules Using ipfw

You can use the ipfw command in conjunction with the Firewall module of Server Settings when you want to
- Display rules created by the Firewall module. Each filter translates into one or more rules.
- Create filters with characteristics that cannot be defined using the Firewall module. For example, you may want to use rules specific to a particular kind of IP protocol. Or you may want to filter or block outgoing packets.
- Count the number of times rules are applied.

If you use ipfw, make sure you do not modify rules created using the Firewall module. Changes you make to Firewall module rules are not permanent. Firewall service recreates any rules defined using the Firewall module whenever the service is restarted.

Here is a summary of how the Firewall module assigns rule numbers:

Rule number   Used by Firewall module for
10            Loop back.
20            Discarding any packet from or to 127.0.0.0/8 (broadcast).
30            Discarding any packet from 224.0.0.0/3 (broadcast).
40            Discarding TCP packets to 224.0.0.0/3 (broadcast).
100–64000     User-defined port-specific filters.
63200         Denying access for ICMP echo reply. Created when “Deny ICMP echo reply” is selected in the Advanced pane of the Configure Firewall window.
63300         Denying access for IGMP. Created when Deny IGMP is selected in the Advanced pane of the Configure Firewall window.
63400         Allowing any TCP or UDP packet to access port 111 (needed by NetInfo). Created when a shared NetInfo domain is found on the server.
63500         Allowing user-specified TCP and UDP packets to access ports needed for NetInfo shared domains. You can configure NetInfo to use a static port or to dynamically select a port from 600 through 1023. Then use the Configure Firewall window to allow all or specific clients to access those ports.
64000–65000   User-defined filters for Any Port.

Reviewing IP Filter Rules

To review the rules currently defined for your server, use the Terminal application to submit the ipfw show command. The show command displays four columns of information:

Column   Information
1        The rule number. The lower the number, the higher the priority of the rule.
2        The number of times the filter has been applied since it was defined.
3        The number of bytes to which the filter has been applied.
4        A description of the rule.

When you type:

ipfw show

You see information similar to this:

0010 260 32688 allow log ip from any to any via lo*
0020 0 0 deny log ip from 127.0.0.0/8 to any in
0020 0 0 deny log ip from any to 127.0.0.0/8 in
0030 0 0 deny log ip from 224.0.0.0/3 to any in
0040 0 0 deny log tcp from any to 224.0.0.0/3 in
00100 1 52 allow log tcp from 111.222.33.3 to 111.222.31.3 660 in
...

Creating IP Filter Rules

To create new rules, use the ipfw add command. The following example defines rule 200, a filter that prevents TCP packets from a client with IP address 10.123.123.123 from accessing port 80 of the system with IP address 17.123.123.123:

ipfw add 200 deny tcp from 10.123.123.123 to 17.123.123.123 80

Deleting IP Filter Rules

To delete a rule, use the ipfw delete command. This example deletes rule 200:

ipfw delete 200

For more information, consult the man pages for ipfw.

Port Reference

The following tables show the TCP and UDP port numbers commonly used by Mac OS X computers and Mac OS X Servers. These ports can be used when you are setting up your IP filters.

Note: See www.faqs.org/rfcs to view the RFCs referenced in the tables.

TCP port     Used for                                                              Reference
7            echo                                                                  RFC 792
20           FTP data                                                              RFC 959
21           FTP control                                                           RFC 959
22           ssh (secure shell)
23           Telnet                                                                RFC 854
25           SMTP (email)                                                          RFC 821
53           DNS                                                                   RFC 1034
79           Finger                                                                RFC 1288
80           HTTP (Web)                                                            RFC 2068
88           Kerberos                                                              RFC 1510
110          POP3 (email)                                                          RFC 1081
111          Remote Procedure Call (RPC)                                           RFC 1057
113          AUTH                                                                  RFC 931
115          sftp
119          NNTP (news)                                                           RFC 977
137          Windows Names
138          Windows Browser
139          Windows file and print (SMB)                                          RFC 100
143          IMAP (email access)                                                   RFC 2060
389          LDAP (directory)                                                      RFC 2251
427          SLP (service location)
443          SSL (HTTPS)
514          shell
515          LPR (printing)                                                        RFC 1179
532          netnews
548          AFP (AppleShare)
554          Real-Time Streaming Protocol (QTSS)                                   RFC 2326
600–1023     Mac OS X RPC-based services (for example, NetInfo)
625          Remote Directory Access
626          IMAP Administration (Mac OS X mail service and AppleShare IP 6.x mail)
636          LDAP SSL
660          Server Settings
985          NetInfo (when a shared domain is created using NetInfo Domain Setup)
1220         QTSS Admin
1694         IP Failover
1723         PPTP VPN
2049         NFS
3283         Apple Remote Desktop
7070         Real-Time Streaming Protocol (QTSS)
8000–8999    Web service
16080        Web service with performance cache
2236         Macintosh Manager
24000–24999  Web service with performance cache

UDP port     Used for
7            echo
53           DNS
67           DHCP server (BootP)
68           DHCP client
69           Trivial File Transfer Protocol (TFTP)
111          Remote Procedure Call (RPC)
123          Network Time Protocol
137          Windows Name Service (WINS)
138          Windows Datagram Service
161          Simple Network Management Protocol (SNMP)
427          SLP (service location)
497          Retrospect
513          who
514          Syslog
554          Real-Time Streaming Protocol (QTSS)
600–1023     Mac OS X RPC-based services (for example, NetInfo)
985          NetInfo (when a shared domain is created using NetInfo Domain Setup)
2049         Network File System (NFS)
3283         Apple Network Assistant
6970 and up  QTSS
7070         Real-Time Streaming Protocol alternate (QTSS)

Solving Problems

This section reviews some common Firewall service issues and provides possible solutions.

You Can’t Access the Server Over TCP/IP
- Check the filters in the filter list. If you started Firewall service but have not added any additional filters, all TCP access to your server is denied by default.
- Stop Firewall service. Add new filters to your filter list that allow access to computers that have the IP addresses you specify. Then restart Firewall service.

You Can’t Locate a Specific Filter
- Use the Find button in the IP Filter List window to locate specific filters by IP address, port, or access type.

Where to Find More Information

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you are a novice server administrator, you’ll probably find some of the background information in an RFC helpful. If you are an experienced server administrator, you can find all the technical details about a protocol in its RFC document. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs
- See RFC 792 for information on ICMP.
- IGMP is documented in Appendix I of RFC 1112.
- Important multicast addresses are documented in the most recent Assigned Numbers RFC, currently RFC 1700.

CHAPTER 16  SLP DA Service

Service Location Protocol Directory Agent (SLP DA) provides structure to the services (or resources) available on a network and gives users easy access to them. Anything that can be accessed using a URL—including file servers, WebDAV servers, NFS servers, printers, and personal Web servers—can be a network service.

When a service is added to your network, it uses SLP to “register” itself—or make its presence known and identify the service it provides—on the network. You don’t have to configure the service manually. When a client computer needs to locate a network service, it uses SLP to look for that type of service. All registered services that match the client computer’s request are displayed to the user, who can then choose which one to use.

SLP Directory Agent (DA) is an improvement on basic SLP: it stores registered network services in a central repository. You can set up a directory agent to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the directory agent for the scope in which the client computer is located responds with a list of available services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly.

SLP DA Considerations

Normally, SLP service sends requests to all SLP services on a network, which can substantially increase network traffic. If you have a large network, SLP communications can slow network performance and increase the amount of time users must wait to locate network services. You can improve SLP performance by setting up SLP DA service.
You should also consider setting up more than one directory agent, so client computers can contact the directory agent closest to them for services, and services can be registered with more than one directory agent.

Before You Begin

Before you set up SLP DA service, read these overview steps to learn about defining scopes and making sure of client and router compatibility.

Step 1: Define scopes

To define scopes, you need to decide how you want to organize the computers on your network. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network. Even if you don’t plan to divide your network into scopes, you still need to set up at least one scope to use SLP DA service.

Step 2: Check client and router compatibility

Your client computers must be using Mac OS 9.1 or later to use SLP DA service. Versions of SLP on Mac OS 9.0 will continue to use IP multicast. If your network uses routers that are not capable of IP multicast, you will need to upgrade them or set up tunneling. When tunneling is set up, the router passes along IP multicast packets. See the documentation that came with your routers for information on tunneling.

Step 3: Configure logging settings

You can log events to help you monitor SLP DA activity. If problems occur, or if you want to improve service performance, the entries in the log can provide important diagnostic information. SLP DA service errors are logged automatically, but you can configure the service to log other types of events as well. To configure logging settings, click the Network tab, then click SLP Service and choose Configure SLP DA. Then choose the settings you want. You can find more information about the settings in “Managing Service Location Protocol (SLP) Directory Agent (DA) Service” on page 547.
Step 4: Create scopes for your network

When you start SLP service, one scope already exists, named Default. You can change that name or add more scopes to your network.

To create scopes:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Show Registered Services. The Registered Services window appears.
3. Click New Scope and type the name of the scope you are creating in the Add Scope dialog box. SLP DA service converts the name you type to the correct format and adds it to the list in the Registered Services window.

Step 5: Assign network services to each scope

Once you’ve created a scope, you can assign network services to it.
1. In the Registered Services window, click New Service.
2. In the Add Proxied Service dialog box, choose the scope and add the service you want.

For more information about adding services to a scope, see “Registering a Service With SLP DA” on page 548.

Step 6: Start SLP DA service

To start SLP DA service:
1. Click SLP Service.
2. Choose Start SLP DA.

When the service is turned on, a globe appears on the service icon. As services on the network register with the directory agent, they appear in the Registered Services window under the appropriate scope.

Managing Service Location Protocol (SLP) Directory Agent (DA) Service

This section describes day-to-day management tasks for SLP DA service.

Starting and Stopping SLP DA Service

Use Server Settings to start and stop SLP DA service.

To start or stop SLP DA service:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Start SLP DA or Stop SLP DA.

When the service is running, a globe appears on the SLP icon. It may take a moment for the service to start (or stop).

Viewing Scopes and Registered Services in SLP

You can view scopes and the services registered within the scopes in the Registered Services window of SLP DA service. This window also shows the name, IP address, and service type for each service in the list.
To view scopes and registered services:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Show Registered Services.
3. Choose a service type from the Show pop-up menu.
4. Click the disclosure triangle next to a scope name to see the services registered within it.
5. Double-click a service to see more detailed information about the service.

You can change the way the list is sorted by clicking a column heading.

Creating New Scopes in SLP DA Service

Scopes are groups of services available on the network, organized in a way that works best for your network.

To create a new scope and add services to it:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Show Registered Services.
3. Click New Scope.
4. Type a name for the scope and click OK.
5. Click New Service.
6. Choose the scope you just created from the pop-up menu, then type the URL of the service you’re adding in the URL field.
7. Click OK.

You can also enter information about the service in the Attribute List field. If you enter attributes, they must be in the correct format, or SLP DA service may not recognize the service.

Registering a Service With SLP DA

You can register services available on the network with SLP DA to make them easily discoverable by client users.

To register a service:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Show Registered Services.
3. Click New Service and choose a scope from the pop-up menu.
4. Type the URL of the service you’re adding in the URL field.
5. If you want to use an attributes list, type the attributes in the Attribute List text box.
6. Click OK.
Important: If you enter information about the service in the Attribute List field, make sure the attributes are in the correct format or SLP DA may not recognize the service.

Deregistering Services in SLP DA Service

If a service is no longer available to network clients, you must manually remove the service from the SLP DA registered service list.

To deregister a service:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Show Registered Services.
3. Select a service and click Remove.

Setting Up Logs for SLP DA Service

SLP DA errors are logged automatically in the system log file. You can choose other events to log when you configure SLP DA service.

To set SLP DA logging options:
1. In Server Settings, click the Network tab.
2. Click SLP Service and choose Configure SLP DA.
3. Select the types of events you want to log and click Save.

Logging Debugging Messages in SLP DA Service

In addition to the basic logging options available in the Configure SLP window, you can choose to log all messages, including debugging messages. These messages are useful to advanced system administrators.

To log debugging messages:
1. In Server Settings, click the Network tab.
2. Click SLP Service.
3. Hold down the Option key and choose Configure SLP DA.
4. Click All Messages and click Save.

Viewing SLP DA Log Entries

You can view the system log for SLP event messages.

To view log entries for SLP DA service:
1. In Server Status, click the Log tab.
2. Choose System Log from the pop-up menu and look for entries in the log that include “slpd:”.

Each SLP log entry includes a code that indicates the type of event that has occurred (the codes are listed in the table at the end of this chapter).

Using the Attributes List

Services may advertise their presence on the network along with a list of attributes. These attributes are listed as a string encoding that follows a specific format. Directory agents use the attributes list to help match client requests with appropriate services.
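As an added example that is not part of the manual, the following shell check tests an attribute list against the format described above before it is entered in the Attribute List field, so a malformed list does not silently hide the service from the directory agent. It assumes the RFC 2608 attribute grammar and reserved-character set noted in its comments; the valid sample is the manual’s own LPR printer example, the invalid ones are constructed.

```shell
#!/bin/sh
# slp_attr_list_valid LIST
# Returns 0 if LIST is a syntactically valid SLP attribute list, 1 otherwise.
# Grammar (assumed from RFC 2608 section 5.3, not quoted from the manual):
#   attr-list = attribute *("," attribute)
#   attribute = "(" tag "=" value *("," value) ")"   or a bare keyword tag
# Tags and values may not contain the reserved characters  ( ) , \ ! < = > ~
# except as a backslash escape of the form \HH (two hex digits).
slp_attr_list_valid() {
    esc='\\[0-9A-Fa-f][0-9A-Fa-f]'              # one \HH escape
    tok='([^(),\!<=>~]|'"$esc"')+'               # a tag or a single value
    attr='(\('"$tok"'='"$tok"'(,'"$tok"')*\)|'"$tok"')'
    printf '%s\n' "$1" | grep -Eq '^'"$attr"'(,'"$attr"')*$'
}

# check_attr_list LIST
# Prints the list prefixed with "ok" or "BAD"; handy when reviewing a batch
# of proxied-service definitions before registering them.
check_attr_list() {
    if slp_attr_list_valid "$1"; then
        printf 'ok  %s\n' "$1"
    else
        printf 'BAD %s\n' "$1"
    fi
}

# The manual's printer example (valid), followed by two constructed mistakes:
# a missing closing parenthesis, and a tag=value pair without parentheses.
PRINTER_ATTRS='(Name=Amazon),(Description=For research dept only),(Protocol=LPR),(locationdescription=bldg 6),(media-size=na-letter),(resolution=res-600),x-OK'
check_attr_list "$PRINTER_ATTRS"
check_attr_list '(Name=Amazon),(Protocol=LPR'
check_attr_list 'Name=Amazon'
```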
Here is an example of an attributes list for a network printer named Amazon. It’s an LPR printer located in the Research scope. The attributes list entered by the administrator might look like this:

    (Name=Amazon),(Description=For research dept only),(Protocol=LPR),(locationdescription=bldg 6),(media-size=na-letter),(resolution=res-600),x-OK

The directory agent must scan any included attributes lists when it’s looking for services. So, if you create an attributes list that is incorrectly formatted, you could inadvertently block the directory agent from using a service.

Where to Find More Information

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you are a novice server administrator, you’ll probably find some of the background information in an RFC helpful. If you are an experienced server administrator, you can find all the technical details about a protocol in its RFC document. You can search for RFC documents by number at this Web site: www.faqs.org/rfcs
- For SLP DA, see RFC 2608.

SLP log entry codes:

Code    Event type
REG     Service registrations and deregistrations
EXP     Service deregistrations only
SR      Service requests
DA      Directory agent information requests
ERR     SLP errors

CHAPTER 17  Tools for Advanced Users

This chapter describes tools and techniques intended for use by experienced server administrators. The following table summarizes them.
Tool or technique      Use to                                                                                                                      For more information, see
Terminal               Run command-line tools                                                                                                      page 552
Secure shell (SSH)     Use Terminal to run command-line tools for remote servers                                                                   page 553
dsimportexport         Import and export user and group accounts using XML or text files                                                           page 555
log rolling scripts    Periodically roll, compress, and delete server log files                                                                    page 555
diskspacemonitor       Monitor percentage-full disk thresholds and execute scripts that generate email alerts and reclaim disk space when thresholds are reached   page 556
diskutil               Manage Mac OS X Server disks and volumes remotely                                                                           page 557
installer              Install software packages remotely                                                                                          page 558
softwareupdate         Find new versions of software and install them remotely on a server                                                         page 561
systemsetup            Configure system preferences on a remote server                                                                             page 561
networksetup           Configure network services for a particular network hardware port on a remote server                                        page 562

Terminal

You use the Terminal application to run command-line tools. Most of the tools described in this chapter are command-line tools, such as dsimportexport, systemsetup, networksetup, and diskutil.

Using the Terminal Application

Terminal lets you open a UNIX shell command-line session on your server or a remote server you are administering. You’ll find Terminal in /Applications/Utilities/.

When you open Terminal, you see a prompt that usually includes the name of the local host, the directory you’re using, your user name, and a symbol (for example, “[patsy6:/usr/sbin] liz%”). In this example, patsy6 is the server’s host name, the directory you are working in is /usr/sbin, and the user name is liz. The percent symbol (%) is called the prompt. It indicates that you can enter a command.

Press the Return key after you type a command. Depending on what you typed, you could see a list of information followed by another prompt, or your command will execute and give you some type of feedback and a prompt, or you will receive no feedback and another prompt.
No feedback usually means that the command was executed properly.

Tool or technique (continued)                                Use to                                                                                For more information, see
MySQL Manager                                                Manage the version of MySQL that is installed with Mac OS X Server                    page 565
Simple Network Management Protocol (SNMP) administration tools   Monitor your server using the SNMP interface                                      page 566
diskKeyFinder                                                Verify the physical location of a remote headless server volume that you want to manage   page 566
Enabling IP failover                                         Set up a standby server that takes over if the primary server fails                   page 567

Understanding UNIX Command-Line Structure

UNIX commands share some basic conventions. First you enter the name of the tool, then any information the tool needs to carry out your request. Most tools come with help or man (short for “manual”) pages that describe how to use the tool. Help pages give an overview of arguments (also known as options or parameters) that the tool understands. Man pages give more detail and examples:
- To find help pages, type the name of the tool and then the argument “-help” (for example, “dsimportexport -help”).
- To find man pages for a tool, type “man”, followed by the tool name (for example, “man ssh”).

When you supply information in a command, enclose location or item names that include spaces in quotation marks (“like this”).

Secure Shell (SSH) Command

Secure Shell (SSH) lets you send secure, encrypted commands over a network. With SSH turned on, you can use the Terminal application to open an SSH session and use command-line tools to securely configure a remote server. You can also connect a terminal to a headless server through the serial port and log in using SSH. For complete information about SSH, type “man ssh” in Terminal.

Enabling and Disabling SSH Access

Access to Mac OS X computers using SSH is enabled by default.
You can disable SSH access to a Mac OS X computer locally or remotely:
- When logged in locally to a Mac OS X computer, make sure that “Remote login” in the Sharing pane is not selected.
- To disable SSH access to a remote server, while in an SSH session with the remote computer, type “systemsetup -setremotelogin off”.

You can reenable SSH access only locally.

Opening an SSH Session

Open an SSH session and log in to a remote server when you manage the remote server using command-line tools.

To open an SSH session and log in to the server:
1. Open Terminal.
2. At the prompt, type ssh, then a hyphen, the flag “l” (lower case L, for “login”) followed by the user name of an administrator of the remote server and the server’s IP address or host name. Press Return when you’re finished (for example, “ssh -l jsmith 192.168.100.100”). If you’re not sure of the administrator’s name, you can also type “ssh admin@192.168.100.100”. If you don’t enter an administrator name (or “admin”), SSH will use the user name of the person currently logged in to the computer you are using. If this user doesn’t have administrator access to the server, you must enter the appropriate administrator name.
3. At the prompt, type the administrator password and press Return. If everything is entered correctly, the prompt identifies the remote server (for example, “[192.168.100.100:~] jsmith%”). If you started the remote server up from a CD and logged in as root, you will see a number sign (#) instead of the remote server identifier.

Executing Commands in an SSH Session

Once you are logged in using SSH, you can use command-line tools to execute commands on the remote server. If you want to execute a single command on the server and then immediately log out of the server, you can do it in one step. Type your login information and the command, then press Return.
For example, the command to log in to a remote server and remove a file called “Test Data” looks like this:

    ssh -l root 192.168.100.100 rm "/Documents/Test Data"

The server asks for the password, and then executes the command.

Closing an SSH Session

When you have finished with an SSH session, you should close the session, especially if you are logged in as the root administrator with root privileges, so that no one else can make changes on the server. To log out, simply type “exit”, then press Return.

Understanding Key Fingerprints

The first time you log in to a server using SSH, your local computer adds a “fingerprint” from the remote server to a list of known remote host computers and displays a message:

    The authenticity of host ‘192.168.12.12’ can’t be established.
    RSA key fingerprint is a8:0d:27:63:74:00:f1:04:bd:6a:e4:0d:a3:47:a8:f7.
    Are you sure you want to continue connecting (yes/no)?

Enter “yes” and press Return to finish authenticating.

If you see a warning message about a “man in the middle attack” when you try to connect using SSH, the RSA key fingerprint on the remote server and the computer you are using to administer it no longer match. This can happen if you use command-line tools to administer a remote server, establish an RSA key fingerprint, and later change your SSH configuration, perform a clean install of system software, or start up from the Mac OS X Server CD.

To connect to the remote server again using SSH, you need to edit the entries corresponding to the hosts (which can be stored by both name and IP number) in this file: ~/.ssh/known_hosts. You can use TextEdit or another editor to find the host name or IP address and then delete the key. The key is a long string that may wrap to several lines. In TextEdit you can press the Control key and type K to delete the line, and then delete the blank line that the deletion creates.
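Instead of editing ~/.ssh/known_hosts by hand as described above, the shell function below (an added example, not Apple’s tooling) removes every entry for the given host names or IP addresses from a known_hosts file, covering entries stored by name, by address, or as a “name,address” pair. The known_hosts file it is demonstrated on is constructed, with placeholder key material.

```shell
#!/bin/sh
# forget_ssh_host KNOWN_HOSTS_FILE HOST...
# Drop every line whose first field (a comma-separated list of host names
# and/or IP addresses for one key) contains any of the given HOSTs, so the
# next connection prompts for the server's fingerprint again.
# Not handled: hashed entries (first field starting with "|1|"), marker lines
# such as "@cert-authority", and "[host]:port" entries for non-default ports.
forget_ssh_host() {
    kh=$1; shift
    tmp="$kh.tmp.$$"
    awk -v hosts="$*" '
    BEGIN { n = split(hosts, want, " ") }
    {
        keep = 1
        m = split($1, names, ",")
        for (i = 1; i <= m; i++)
            for (j = 1; j <= n; j++)
                if (names[i] == want[j]) keep = 0
        if (keep) print
    }' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# demo_forget_host: build a constructed known_hosts file (keys replaced by
# placeholders), forget the two servers from the manual's examples, and
# print the first field of whatever remains.
demo_forget_host() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
server1.example.com,192.168.100.100 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAplaceholder1
192.168.12.12 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAplaceholder2
other.example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAplaceholder3
EOF
    forget_ssh_host "$f" 192.168.12.12 server1.example.com
    remaining=$(cut -d' ' -f1 "$f")
    rm -f "$f"
    printf '%s\n' "$remaining"
}
```

On current OpenSSH releases, ssh-keygen -R hostname does the same job and also understands hashed entries. Compare the fingerprint shown at the next connection with one read from the server itself (for example at its console) before answering “yes”.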
dsimportexport

Use dsimportexport to import user and group accounts from a file or export them to a file. It is a useful tool when you want to
- Create a large number of users or groups in a batch.
- Migrate user or group accounts from another server. You can import users and groups from AppleShare IP 6.3 or Mac OS X Server version 10.1 and earlier.
- Update a large number of user or group accounts with new information.

See “Importing and Exporting User and Group Information” on page 178 for more information about dsimportexport.

Log Rolling Scripts

Three predefined scripts are executed automatically to reclaim space used on your server for log files generated by
- Apple file service
- Windows service
- Web service
- Web performance cache
- Mail service
- Print service

The scripts use values in predefined configuration files to determine whether and how to reclaim space:
- The script /etc/periodic/daily/600.daily.server runs daily. Its configuration file is /etc/diskspacemonitor/daily.server.conf.
- The script /etc/periodic/weekly/600.weekly.server is intended to run weekly, but is currently empty. Its configuration file is /etc/diskspacemonitor/weekly.server.conf.
- The script /etc/periodic/monthly/600.monthly.server is intended to run monthly, but is currently empty. Its configuration file is /etc/diskspacemonitor/monthly.server.conf.

As configured, the scripts specify actions that complement the log file management performed by the services listed above, so do not modify them. All you need to do is log in as an administrator and use a text editor to define thresholds in the configuration files that determine when the actions are taken:
- the number of megabytes a log file must contain before its space is reclaimed
- the number of days since a log file’s last modification that need to pass before its space is reclaimed

Specify one or both thresholds. The actions are taken when either threshold is exceeded.
There are several additional parameters you can specify. Refer to comments in the configuration files for information about all the parameters and how to set them. The scripts ignore all log files except those for which at least one threshold is present in the configuration file.

To configure the scripts on a server from a remote Mac OS X computer, open a Terminal window and log in to the remote server using ssh. Then open a text editor and edit the scripts.

You can also use the diskspacemonitor command-line tool to reclaim disk space.

diskspacemonitor

When you need more vigilant monitoring of disk space than the log rolling scripts provide, you can use the diskspacemonitor command-line tool. It lets you monitor disk space and take action more frequently than once a day when disk space is critically low, and gives you the opportunity to provide your own action scripts.

diskspacemonitor is disabled by default. You can enable diskspacemonitor by opening a Terminal window and typing “sudo diskspacemonitor on”. You may be prompted for your password. Type “man diskspacemonitor” for more information about the command-line options.

When enabled, diskspacemonitor uses information in a configuration file to determine when to execute alert and recovery scripts for reclaiming disk space:
- The configuration file is /etc/diskspacemonitor/diskspacemonitor.conf. It lets you specify how often you want to monitor disk space and thresholds to use for determining when to take the actions in the scripts. By default, disks are checked every 10 minutes, an alert script executed when disks are 75% full, and a recovery script executed when disks are 85% full. To edit the configuration file, log in to the server as an administrator and use a text editor to open the file. See the comments in the file for additional information.
- By default, two predefined action scripts are executed when the thresholds are reached.
  The default alert script is /etc/diskspacemonitor/action/alert. It runs in accord with instructions in configuration file /etc/diskspacemonitor/alert.conf. It sends email to recipients you specify. The default recovery script is /etc/diskspacemonitor/action/recover. It runs in accord with instructions in configuration file /etc/diskspacemonitor/recover.conf. See the comments in the script and configuration files for more information about these files.
- If you want to provide your own alert and recovery scripts, you can. Put your alert script in /etc/diskspacemonitor/action/alert.local and your recovery script in /etc/diskspacemonitor/action/recovery.local. Your scripts will be executed before the default scripts when the thresholds are reached.

To configure the scripts on a server from a remote Mac OS X computer, open a Terminal window and log in to the remote server using SSH.

diskutil

This Mac OS X tool is especially useful in a server environment, because it offers a wide variety of commands for managing and repairing disks. For example:
- To list the disks and partitions on the Mac OS X computer you are logged into, type “diskutil list” in a Terminal window.
- To create a Redundant Array of Independent Disks (RAID) set on multiple disks, type “sudo diskutil createRAID mirror MirrorDisk BootableHFS+ disk1 disk2”. Root access is required.
- To verify the disk structure of a volume, type “sudo diskutil verifyDisk /Volumes/SomeDisk”. To repair the disk structure, type “sudo diskutil repairDisk /Volumes/SomeDisk”. Root access is required.
- To verify permissions of a Mac OS X boot volume, type “sudo diskutil verifyPermissions /”. Root access is required.

Type “man diskutil” in a Terminal window for complete information about this command.
To run diskutil on a Mac OS X computer from a remote Mac OS X computer, open a Terminal window and log in to the remote computer using SSH.

installer

You can use the installer tool to install software packages from a CD-ROM on a mounted remote server volume. This tool doesn’t perform any authentication, so if a package needs authentication (set in the package’s .info file), you must log in as root or use the sudo command.

Remember that copyright laws may prevent certain programs from being shared. Before putting programs inside shared folders, check the applicable licensing agreements and follow their requirements.

Using installer

Here are the parameters that installer accepts. Parameters are delimited using angle brackets (<>) if they are required and square brackets ([]) if they are optional:

    installer [-volinfo] [-pkginfo] [-allow] [-dumplog] [-help] [-verbose] [-vers] [-config] [-plist] [-file pathToFile] [-lang isoLanguageCode] <-pkg pathToPackage> <-target pathToDestinationVolume>

where

-volinfo    displays a list of mounted volumes into which the software package can be installed.
-pkginfo    displays a list of packages that can be installed onto the target volume. If a metapackage is specified, all of its subpackages are listed.
-allow      installs an older version over a newer version if the software package supports this.
-dumplog    sends the standard installer log to StdOut.
-help       displays a list of parameters you can use with the installer tool.
-verbose    displays more information than the default output, which is formatted for scripting. Use this parameter in conjunction with information requests.
-vers       displays the version of the tool.
-config     formats the command-line installation arguments for later use. You can redirect the output to a configuration file. Then you can use the -file parameter to perform multiple identical installs.
-plist      formats the installer tool’s output into an XML file, which is sent by default to StdOut. You use this parameter with -pkginfo and -volinfo.
-file pathToFile    specifies the path to an XML file containing parameter information. This file can be used instead of the command-line parameters and supersedes any parameters on the command line (for example, “installer -file /temp/configfile.plist”).
-lang isoLanguageCode    specifies the default language of the installed system. You need this parameter only if you perform a full system install. You specify the language in ISO language code format: EN for English, JA for Japanese, FR for French, and DE for German.
-pkg pathToPackage    specifies where to find the package you want to install. Don’t end the pathname string with a forward slash (/) or the command will not execute.
-target pathToDestinationVolume    specifies where to install the package. Don’t end the pathname string with a forward slash (/) or the command will not execute.

To use installer to install software on a server:
1. Insert the application disk in the optical drive of the remote server on which you want to install the software.
2. Open an SSH connection in Terminal and log in to the remote server.
3. Type an installer command.
4. If the software package you’re installing requires that you restart the server, type “/sbin/reboot” or “/sbin/shutdown -r”.

Full Operating System Installation

If you have to install the operating system on a remote Mac OS X Server, you can use the installer tool to do so.

To use installer to install a full operating system:
1. Insert a bootable CD and start up the server from the CD. (You can’t install an operating system onto the current startup volume.)
2. Open Terminal on another Mac OS X Server or administrator computer and log in to the server as root using SSH. For example, type: ssh -l root
3. Mount volumes using the autodiskmount tool.
   To do this, type:

    autodiskmount

4. List the volumes available to install the software on and specify the package you want to install. For example, type:

    /usr/sbin/installer -volinfo -pkg /System/Installation/Packages/OSInstall.mpkg

   and get a list. The information displayed reflects your particular environment, but here’s an example:

    /private/var/tmp/Mount01
    /private/var/tmp/Mount1
    /private/var/tmp/Mount02

5. Install the operating system on a volume from the list. For example, to use Mount01 in the example in step 4, type:

    /usr/sbin/installer -pkg /System/Installation/Packages/OSInstall.mpkg -target /private/var/tmp/Mount01 -lang en -verbose

   to get this result:

    installer: Package name is Mac OS X
    installer: Installing onto volume mounted at /private/var/tmp/Mount01.
    installer: The install was successful.

6. Type one of these commands to restart the server:

    /sbin/reboot
    /sbin/shutdown -r

Important: Don’t use the disk utility and installer applications after you use autodiskmount to manually mount volumes until after you have restarted your server. Otherwise, you will get unreliable results.

Important: Apple strongly recommends that you not store data on the hard disk or hard disk partition where the operating system is installed. With this approach, you will not risk losing data should you need to reinstall or upgrade system software.

softwareupdate

You use softwareupdate to find new versions of software and install them on a remote server.

To use softwareupdate:
1. Open Terminal on a Mac OS X Server or administrator computer and log in to the remote server using SSH.
2. At the prompt, type “softwareupdate”. Available updates are listed.
3. Type “softwareupdate” followed by the items you want to install (for example, “softwareupdate PrintingEpsonUS PrintingEpsonEU”). The tool downloads and installs the software on the remote server.
4. If the new software requires you to restart the remote server, type “/sbin/reboot” or “/sbin/shutdown -r”.
systemsetup

You use systemsetup to remotely configure these system preferences: sleep settings; remote login (SSH); startup disk; computer name; and date, time, and time-zone settings.

To use systemsetup, open Terminal on a server or administrator computer and open an SSH session on the remote server whose preferences you want to set up. Type one of the following commands to review complete information about systemsetup:
- “systemsetup -printcommands” displays all the available commands.
- “systemsetup -help” displays commands plus explanations of them.
- “man systemsetup” displays the most complete information, including examples.

You use “get” options to retrieve settings and “set” options to change them:
- “systemsetup -getusingnetworktime” may display “Network Time: Off”.
- “systemsetup -setusingnetworktime on” starts a network time server.

Working With Server Identity and Startup

You can use systemsetup to set information about a remote server and specify how to handle its startup:
- To set the computer name, which is used by file sharing and AppleTalk, type “systemsetup -setcomputername ”.
- To retrieve the current startup disk for the server, type “systemsetup -getstartupdisk”. Type “systemsetup -liststartupdisks” to list all available disks. Type “systemsetup -setstartupdisk ” to set the startup disk, specifying the disk name exactly as formatted in the list.
- Type “systemsetup -setrestartpowerfailure on” to restart the server automatically after a power failure.
- To restart the server automatically if it freezes, type “systemsetup -setrestartfreeze on”.
- To enable the server to respond to events sent by other computers, such as AppleScript programs, type “systemsetup -setremoteappleevents on”.

Working With Date and Time Preferences

You can use systemsetup to set up date and time preferences for a remote server:
- To set the current month, day, and year, type “systemsetup -setdate ”.
• To set the current hour, minutes, and seconds, type "systemsetup -settime <hh:mm:ss>".
• To set the server's time zone, type "systemsetup -settimezone <timezone>". To determine which time zone values are valid, type "systemsetup -listtimezones".
• To designate a network time server, type "systemsetup -setnetworktimeserver <server>".
• To turn network time on, type "systemsetup -setusingnetworktime on".

Working With Sleep Preferences

You can use systemsetup to set when a remote server sleeps and whether the server wakes for different types of network activity. Remember, however, that while a server is asleep, you can't administer it remotely:

• To specify how many minutes the server can be inactive before going to sleep, type "systemsetup -setsleep <minutes>". If you don't want the server to sleep, type "0" or "never" in place of the number of minutes.
• To specify that the server should wake from sleep when modem activity is detected, type "systemsetup -setwakeonmodemactivity on".
• To specify that the server should wake from sleep when a network administration packet is sent to it, type "systemsetup -setwakeonnetworkaccess on".

networksetup

Use networksetup to configure network services on a remote Mac OS X Server. A network service is a complete collection of settings for a specific network hardware port. "Built-in Ethernet" is an example of a network service. You may have one or several network services for a given hardware port.

With networksetup you can

• enable or disable network services
• create new network services
• set the order of network services
• configure the TCP/IP options of the network services
• set other networking options for the services, such as proxy server information

To use networksetup, open Terminal on a server or administrator computer and open an SSH session on the remote server whose preferences you want to set up. Type one of the following commands to review complete information about networksetup:

• "networksetup -printcommands" displays all the available commands.
• "networksetup -help" displays the commands plus explanations of them.
• "man networksetup" displays the most complete information, including examples.

Reverting to Previous Network Settings

When you change your network preference settings with networksetup, your previous settings are saved to /var/db/SystemConfiguration/com.apple.preferences.xml.old.

Note that this file holds only the settings as they were before the most recent networksetup change. If you change network settings locally using Network preferences, the settings in com.apple.preferences.xml.old will not match the settings you made using networksetup. Because a mistaken TCP/IP change made over SSH can cut off your own access, take your own copy of com.apple.preferences.xml before changing settings remotely rather than relying on the .old file alone.

If you want to revert to your previous settings, rename com.apple.preferences.xml.old to com.apple.preferences.xml (replacing the current file) and then restart the server. If network settings prevent you from accessing the server using SSH, log in to the server locally as root, rename the file the same way, and restart the server to apply the settings.

Retrieving Your Server's Network Configuration

You can use networksetup to find out about the network services on a remote server:

• To display a list of network services in the order in which they are contacted for a connection, along with the corresponding ports and devices, type "networksetup -listnetworkserviceorder". An asterisk (*) next to a service means the service is inactive.
• To display a list of all network services, type "networksetup -listallnetworkservices". An asterisk (*) next to a service means the service is inactive.
• To display a list of hardware ports with corresponding device names and Ethernet addresses, type "networksetup -listallhardwareports".
• To detect new hardware and create a default network service on the hardware, type "networksetup -detectnewhardware".
• To display the IP address, subnet mask, router, and Ethernet address for a particular network service, type "networksetup -getinfo <networkservice>".
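The following shell script is an added example, not part of Apple's guide: it keeps a dated copy of the live network preferences file before a remote networksetup change and restores it on demand, with the sanity checks you want before overwriting the file that decides whether you can still reach the server. The file and directory names are the ones the guide gives; PREFS_DIR is overridable so the procedure can be rehearsed in a scratch directory, and the "<?xml" check, the .replaced copy and the timestamp suffix are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Apple's code): back up and restore
# /var/db/SystemConfiguration/com.apple.preferences.xml around a remote
# networksetup change. The guide's .old file is overwritten by the next
# networksetup call and does not record changes made in Network preferences,
# so it is not a reliable "last known good".

PREFS_DIR=${PREFS_DIR:-/var/db/SystemConfiguration}
PREFS_FILE=com.apple.preferences.xml

# backup_netprefs [dir]: copy the live file to <file>.<timestamp>.<pid> and
# print the backup path. Fails (status 1) if the live file is missing or
# empty, so a script that chains on it stops before touching the network.
backup_netprefs() {
    dir=${1:-$PREFS_DIR}
    src="$dir/$PREFS_FILE"
    if [ ! -s "$src" ]; then
        echo "backup_netprefs: $src is missing or empty" >&2
        return 1
    fi
    dst="$src.$(date +%Y%m%d-%H%M%S).$$"
    cp -p "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}

# restore_netprefs backup [dir]: put a saved copy back in place. Refuses an
# empty file or one that does not start with "<?xml" (the file is an XML
# property list), and parks the current file as <file>.replaced so a bad
# restore can itself be undone. As the guide says, the server still has to
# be restarted for the restored settings to take effect.
restore_netprefs() {
    backup=$1
    dir=${2:-$PREFS_DIR}
    live="$dir/$PREFS_FILE"
    if [ ! -s "$backup" ]; then
        echo "restore_netprefs: $backup is missing or empty" >&2
        return 1
    fi
    case $(head -c 5 "$backup") in
        '<?xml') ;;
        *) echo "restore_netprefs: $backup does not look like a plist" >&2
           return 1 ;;
    esac
    [ -f "$live" ] && cp -p "$live" "$live.replaced"
    cp -p "$backup" "$live"
}

# Typical remote session (shown as a comment, not executed here):
#   b=$(backup_netprefs) && networksetup -setmanual "Built-in Ethernet" 100.0.0.10 255.255.0.0 100.0.0.1
# If the new settings lock you out, log in at the console as root, run
#   restore_netprefs "$b"
# and restart the server.
```

Run the backup in the same command line as the change (`b=$(backup_netprefs) && networksetup ...`) so the change is skipped when the backup fails; the printed path is what you type at the console if you have to recover.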
Configuring TCP/IP Settings

You can use networksetup to configure TCP/IP settings:

• To specify a manual configuration for a network service, type "networksetup -setmanual <networkservice> <ip> <subnet mask> <router>".
• To set the TCP/IP configuration for a specified network service to use DHCP, type "networksetup -setdhcp <networkservice> [client id]".
• To assign a manual IP address to a network service while obtaining the router address from DHCP, type "networksetup -setmanualwithdhcprouter <networkservice> <ip>".
• To set the TCP/IP configuration for the specified network service to use BOOTP, type "networksetup -setbootp <networkservice>".

Configuring DNS Servers and Search Domains

You can use networksetup to specify how you want network services to use Domain Name System (DNS):

• To specify the IP addresses of the servers you want a network service to use to resolve domain names, type "networksetup -setdnsservers <networkservice> <dns server1> [dns server2] [...]". To clear all DNS server entries for the network service, type "empty" in place of a DNS server address.
• Type "networksetup -setsearchdomains <networkservice> <domain1> [domain2] [...]" to designate the search domains for the network service. To clear all search domain entries for the network service, type "empty" in place of the domain name.

Managing Network Services

You can use networksetup to create or rename network services, turn them on or off, remove them, and change the order in which they're contacted. This application is also useful for displaying the names of hardware ports:

• To display all hardware port names, type "networksetup -listallhardwareports".
• To create a new network service on a port, type "networksetup -createnetworkservice <new service name> <hardware port>".
• To duplicate an existing network service, type "networksetup -duplicatenetworkservice <networkservice> <new service name>".
• To rename a network service, type "networksetup -renamenetworkservice <networkservice> <new service name>".
• To delete a network service, type "networksetup -removenetworkservice <networkservice>". If there is only one network service for a port, you can't delete it using this option. Instead, use -setnetworkserviceenabled to turn the network service off.
• To turn a network service on, type "networksetup -setnetworkserviceenabled <networkservice> on".
• To turn AppleTalk on for a network service, type "networksetup -setappletalk <networkservice> on".
• To turn passive FTP on for a network service, type "networksetup -setpassiveftp <networkservice> on".
• To set the order in which network services are contacted, type "networksetup -ordernetworkservices <service1> <service2> [...]".

Designating Proxy Servers

You can use networksetup to designate servers to be used as proxies for some services:

• To set up proxy servers, use these networksetup commands, each followed by the network service, the proxy host, and the port number:
    -setftpproxy
    -setwebproxy
    -setsecurewebproxy
    -setstreamingproxy
    -setgopherproxy
    -setsocksfirewallproxy
• To enable or disable the proxy settings, use these networksetup commands, each followed by the network service and "on" or "off":
    -setftpproxystate
    -setwebproxystate
    -setsecurewebproxystate
    -setstreamingproxystate
    -setgopherproxystate
    -setsocksfirewallproxystate
• To designate bypass domains (domains reached directly rather than through the proxy) for a network service, type "networksetup -setproxybypassdomains <networkservice> <domain1> [...]". To clear all bypass domain entries for the network service, type "empty" in place of a domain name.

MySQL Manager

You use MySQL Manager to manage the version of MySQL that is installed with Mac OS X Server. MySQL provides a relational database management system for hosting information you want to make available and manage using a Web site. It lets you

• initialize the MySQL database
• start the MySQL process and make sure it starts automatically when the server restarts
• shut down the MySQL process and keep it from starting when the server restarts

You'll find MySQL Manager in /Applications/Utilities/MySQL Manager.app.

Simple Network Management Protocol (SNMP) Tools

SNMP is a set of standard protocols used to manage and monitor multiplatform computer network devices. SNMP uses agents to contact network devices such as routers and servers. SNMP interacts with these devices using virtual databases known as management information bases (MIBs).
Vendors provide MIBs that describe their devices so that they can be monitored using SNMP applications. Mac OS X Server comes with a MIB that lets you use SNMP tools to view a server's system and network usage statistics. To use SNMP on your server, use a graphical browser (not supplied with your server) or the SNMP command-line tools available in /usr/sbin.

SNMP support in Mac OS X Server is turned off by default. To turn it on, use TextEdit or another application to edit the /etc/hostconfig file on the server. If you turn SNMP on, you should run the snmpconf command to enter site-specific information, such as the system location and the administrator's email address. Type "man snmpconf" in a Terminal window to learn about snmpconf. While you are in snmpconf, also replace the default community strings and restrict which hosts may query the agent: with SNMP v1 and v2c the community string is the only credential and it travels in clear text, so treat it as a password.

You can find SNMP information and tools on the Net-SNMP home page at www.net-snmp.com.

diskKeyFinder

You can use the diskKeyFinder tool to verify the physical location of a volume on a remote headless server that you want to manage. When you specify the BSD file system name of a volume using diskKeyFinder, you'll see the drive bay where the volume is located (for example, Bay 2).

To find the BSD file system name of a volume, log in to the server using SSH and type "df -l". The output from this command shows the BSD device name and the volume path (the size and usage columns that df also prints are omitted here). For example:

    Filesystem     Mounted On
    /dev/disk0s13  /
    /dev/disk0s9   /Volumes/Spare3
    /dev/disk0s10  /Volumes/Holding
    /dev/disk0s11  /Volumes/Spare1
    /dev/disk0s12  /Volumes/Spare2

In this example, disk0 has five partitions (also known as slices) numbered 9, 10, 11, 12, and 13. If you want to know the physical location of partition 10, type:

    /System/Library/ServerSetup/diskKeyFinder /dev/disk0s10

The tool returns the drive bay number where the volume is located. Headless server drive bays are numbered in ascending order from left to right.

Enabling IP Failover

IP failover allows a secondary server to acquire the IP address of a primary server if the primary server ceases to function.
Once the primary server returns to normal operation, the secondary server relinquishes the IP address. This allows your Web site to remain available on the network even if the primary server is temporarily offline.

Note: IP failover only allows a secondary server to acquire a primary server's IP address. You need additional software tools such as rsync to provide capabilities such as mirroring the primary server's data on the secondary server. See the rsync man page for more information.

Requirements

IP failover is not a complete solution, rather one tool you can use to increase your server's availability to your clients. In order to use IP failover you will need to set up the following hardware and software.

Hardware

IP failover requires the following hardware setup:

• primary server
• secondary server
• public network (servers must be on the same subnet)
• private network between the servers (additional network interface card)

See "Setting Up a Private TCP/IP Network" on page 523 for more information on private networks.

Note: Because IP failover uses broadcast messages, both servers must have IP addresses on the same subnet of the public network. In addition, both servers must have IP addresses on the same subnet of the private network.

Software

IP failover requires the following software setup:

• unique IP addresses for each network interface (public and private)
• software to mirror primary server data to the secondary server
• scripts to control failover behavior on the secondary server (optional)

Failover Operation

When IP failover is active, the primary server periodically broadcasts a brief message confirming normal operation on both the public and private networks. This message is monitored by the secondary server. Because the secondary server acts on the absence of these broadcasts, anything that stops broadcast traffic on both networks at once (a firewall filter or switch change, for example) will look like a failed primary and trigger a failover.
• If the broadcast is interrupted on both the public and private networks, the secondary server initiates the failover process.
• If status messages are interrupted on only one network, the secondary server sends email notification of a network anomaly, but does not acquire the primary server's IP address.

Email notification is sent when the secondary server detects a failover condition or a network anomaly, and when the IP address is relinquished back to the primary server.

Normal operation and failover operation are illustrated in the following two diagrams.

[Diagram: Normal Operation. The primary server (Web server) and the secondary server (mirrors primary content, but not running Web server software) are both connected to the public network through a network hub, en0 at 100.0.0.10 and 100.0.0.11 respectively, and to each other through a crossover cable, en1 at 10.0.0.1 and 10.0.0.2.]

[Diagram: Failover Operation. The secondary server acquires the primary IP address (its en0 now answers for both 100.0.0.10 and 100.0.0.11) and starts the Web server software.]

Enabling IP Failover

You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the secondary server. Be sure to enter these lines exactly as shown with regard to spaces and punctuation marks, using straight ASCII double quotes.

To enable IP failover:

1. At the primary server, add the following line to /etc/hostconfig:

    FAILOVER_BCAST_IPS="10.0.0.255 100.0.255.255"

Substitute the broadcast addresses of your own private and public networks. This tells the server to send broadcast messages over the relevant network interfaces announcing that the server at those IP addresses is functioning.

2. Restart the primary server so that your changes take effect.

3. At the secondary server, add the following lines to /etc/hostconfig:

    FAILOVER_PEER_IP="10.0.0.1"
    FAILOVER_PEER_IP_PAIRS="en0:100.0.0.10"
    FAILOVER_EMAIL_RECIPIENT="admin@example.com"

In the first line, substitute the IP address of the primary server on the private network.
In the second line, enter the local network interface that should adopt the primary server's public IP address, a colon, then the primary server's public IP address.

(Optional) In the third line, enter the email address for notification messages regarding the primary server's status. If this line is omitted, email notifications are sent to the root account on the local machine.

4. Restart the secondary server so that your changes take effect.

Configuring IP Failover

You configure failover behavior using scripts. The scripts must be executable (for example, shell scripts, Perl scripts, compiled C programs, or executable AppleScripts). You place these scripts in a directory named "IPFailover" in the Library directory of the secondary server. Check the IPFailover directory for sample scripts.

You need to create a directory named with the public IP address of the primary server to contain the failover scripts for that server. For example:

    /Library/IPFailover/100.0.0.10

Whatever is placed in this directory runs unattended during a failover, so keep the directory and the scripts in it owned by root and not writable by other users.

Important: Always be sure that the primary server is up and functioning normally before you activate IP failover on the secondary server. If the primary server is not sending broadcast messages, the secondary server will initiate the failover process and acquire the primary's public IP address.

Notification Only

You can use a script named "Test" located in the failover scripts directory to control whether, in the event of a failover condition, the secondary server acquires the primary's IP address or simply sends an email notification. If no script exists, or if the script returns a zero result, the secondary server acquires the primary's IP address. If the script returns a non-zero result, the secondary server skips IP address acquisition and only sends email notification of the failover condition. The Test script is run to determine whether the IP address should be acquired, and again to determine whether the IP address should be relinquished when the primary server returns to service.
A simple way to set up this notification-only mode is to copy the program /usr/bin/false to the directory named with your primary server's IP address and rename the copy "Test". This program always returns a non-zero result. Using the Test script in this way, you can also configure the primary server to monitor the secondary server and send email notification if the secondary server becomes unavailable.

Pre and Post Scripts

You can configure the failover process with scripts that run before acquiring the primary IP address (preacquisition), after acquiring the IP address (postacquisition), before relinquishing the primary IP address (prerelinquish), and after relinquishing the IP address back to the primary server (postrelinquish). These scripts reside in the directory named with the primary server's IP address under /Library/IPFailover/ on the secondary server, as previously discussed. The scripts use these four prefixes:

• PreAcq: run before acquiring the IP address from the primary server
• PostAcq: run after acquiring the IP address from the primary server
• PreRel: run before relinquishing the IP address back to the primary server
• PostRel: run after relinquishing the IP address back to the primary server

You may have more than one script at each stage. The scripts in each prefix group are run in the order their file names would appear in a directory listing produced by the ls command.

For example, your secondary server may perform other services on the network, such as running a statistical analysis application and distributed image processing software. A preacquisition script quits the running applications to free up the CPU for the Web server. A postacquisition script starts the Web server. Once the primary is up and running again, a prerelinquish script quits the Web server, and a postrelinquish script starts the image processing and statistical analysis applications.
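The script below is an added example and is not Apple's IP failover implementation: it is a dry-run dispatcher that applies the rules described in the "Enabling IP Failover", "Notification Only" and "Pre and Post Scripts" sections (the Test veto, then the PreAcq, PostAcq, PreRel and PostRel groups in ls order) to a /Library/IPFailover/<primary IP> directory, together with a helper that derives the broadcast addresses the FAILOVER_BCAST_IPS line needs from an address and netmask. It lets you rehearse the script sequence and check the hostconfig line before the primary ever goes down; the IP address is never really moved, the dispatcher only prints where that step would happen. The function names, the exit codes 1 and 2, and the assumption that the daemon orders scripts byte-wise are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): simulate the secondary server's script
# dispatch as the guide describes it, and compute FAILOVER_BCAST_IPS values.

# should_acquire DIR: no Test script, or Test exiting 0, means the address
# would be taken; a non-zero exit means notification only.
should_acquire() {
    if [ -x "$1/Test" ]; then "$1/Test"; else return 0; fi
}

# run_stage DIR PREFIX: run each script named PREFIX* in byte-wise ls order
# (LC_ALL=C so the order does not depend on the locale). A missing execute
# bit or a failing script is reported but does not stop the rest.
run_stage() {
    for name in $(LC_ALL=C ls "$1" 2>/dev/null | grep "^$2" || true); do
        if [ ! -x "$1/$name" ]; then
            echo "run_stage: $name is not executable, skipping" >&2
            continue
        fi
        "$1/$name" || echo "run_stage: $name exited with status $?" >&2
    done
}

# failover DIR EVENT: EVENT is "acquire" (broadcasts lost on both networks)
# or "relinquish" (primary back). Returns 1 when the Test script vetoes the
# change, 2 on an unknown event, 0 after the stage scripts have run.
failover() {
    dir=$1
    if ! should_acquire "$dir"; then
        echo "failover: Test returned non-zero, notification only" >&2
        return 1
    fi
    case $2 in
        acquire)
            run_stage "$dir" PreAcq
            echo "[acquire primary IP address here]"
            run_stage "$dir" PostAcq ;;
        relinquish)
            run_stage "$dir" PreRel
            echo "[relinquish primary IP address here]"
            run_stage "$dir" PostRel ;;
        *)
            echo "failover: unknown event '$2'" >&2
            return 2 ;;
    esac
}

# broadcast_of IP MASK: directed broadcast address, i.e. host bits set to 1.
# The guide's "10.0.0.255 100.0.255.255" is a /24 private and a /16 public net.
broadcast_of() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2
    IFS=$old_ifs
    echo "$(( $1 | (255 - $5) )).$(( $2 | (255 - $6) )).$(( $3 | (255 - $7) )).$(( $4 | (255 - $8) ))"
}

# bcast_line PRIV_IP PRIV_MASK PUB_IP PUB_MASK: the primary server's
# /etc/hostconfig line, with straight ASCII quotes.
bcast_line() {
    echo "FAILOVER_BCAST_IPS=\"$(broadcast_of "$1" "$2") $(broadcast_of "$3" "$4")\""
}

# Dry run against a real script directory (not executed here):
#   failover /Library/IPFailover/100.0.0.10 acquire
#   failover /Library/IPFailover/100.0.0.10 relinquish
#   bcast_line 10.0.0.1 255.255.255.0 100.0.0.10 255.255.0.0
```

Run the dispatcher as the same user the scripts will run as, and watch stderr: a script that is present but not executable, or that exits non-zero, is exactly the kind of problem you want to find before a real failover.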
The sequence of scripted events might look like this:

    Test (if present)
    PreAcq10.StopDIP
    PreAcq20.StopSA
    PreAcq30.CleanupTmp
    PostAcq10.StartTimer
    PostAcq20.StartApache
    PreRel10.StopApache
    PreRel20.StopTimer
    PostRel10.StartSA
    PostRel20.StartDIP
    PostRel30.MailTimerResultsToAdmin

Appendix A  Open Directory Data Requirements

This appendix contains tables that specify the data requirements of Open Directory domains. Use the information in the following tables when mapping Mac OS X data types to attributes in LDAP or Active Directory domains:

• User Data That Mac OS X Server Uses (p. 573)
• Standard Data Types in User Records (p. 574)
• Format of the MailAttribute Data Type (p. 577)
• Standard Data Types in Group Records (p. 580)

User Data That Mac OS X Server Uses

The following table describes how your Mac OS X Server uses data from user records in directory domains. Consult this table to determine the data items that your server's various services need to retrieve from directory domains. Note that "All services" in the far-left column includes AFP, SMB, FTP, HTTP, NFS, WebDAV, POP, IMAP, Workgroup Manager, Server Settings, Server Status, the Mac OS X login window, and Macintosh Manager.

Server component | Data item used | Dependency
---------------- | -------------- | ----------
All services | RecordName | Required for authentication
All services | RealName | Required for authentication
All services | Password | Required for authentication. If the LDAP server contains a crypt password, it is retrieved and used for authentication. Otherwise, the LDAP server validates the password using the LDAP BIND command.
All services | UniqueID | Required for authorization (for example, file permissions and mail accounts)
All services | PrimaryGroupID | Optional, but recommended. Used for authorization (for example, file permissions and mail accounts).
FTP service, Web service, Apple file service, NFS service, Macintosh Manager, Mac OS X login window, application and system preferences | HomeDirectory, NFSHomeDirectory | Optional
Mail service | MailAttribute | Required for login to the mail service on your server
Mail service | EMailAddress | Optional

Standard Data Types in User Records

The following table specifies the standard data types found in Open Directory user records.

Important: When mapping attributes of a read/write directory domain (a domain that is not read-only), do not map the distinguished name and the first short name to the same data type. If these attributes are mapped to the same data type, serious problems will occur when you try to edit the distinguished name in Workgroup Manager.

Each entry gives the data type, its format, and sample values:

RecordName
    A list of names associated with a user; all attributes used for authentication must map to this data type.
    Format: ASCII characters A-Z, a-z, 0-9, _, -, and . Non-zero length, at least one instance. Maximum 255 characters (127 double-byte characters) per instance, 16 instances per record.
    Sample values: Dave, David, Mac, DMacSmith

RealName
    A single name, usually the user's full name; not used for authentication.
    Format: ASCII. Non-zero length, maximum 255 characters (127 double-byte characters).
    Sample value: David L. MacSmith, Jr.

UniqueID
    A unique user identifier, used for access privilege management.
    Format: Unsigned 32-bit ASCII string of digits 0-9. Range is 100 to 4,294,967,295. Values below 100 are typically used for system accounts. Zero is reserved for use by the system. Normally unique among the entire population of users, but sometimes can be duplicated.
    Warning: A non-integer value is interpreted as 0, which is the UniqueID of the root user. Make sure the attribute you map to UniqueID always holds a numeric value; a malformed or mistyped entry would otherwise give that user root's file permissions.

Password
    The user's password.
    Format: UNIX crypt

PrimaryGroupID
    A user's primary group association.
    Format: Unsigned 32-bit ASCII string of digits 0-9. Range is 1 to 4,294,967,295. Normally unique among the entire population of group records.

Comment
    Any documentation you like.
    Format: ASCII
    Sample value: John is in charge of product marketing.

UserShell
    The location of the default shell for command-line interactions with the server.
    Format: Path name. Non-zero length.
    Sample values: /bin/tcsh, /bin/sh, None (this value prevents users with accounts in the directory domain from accessing the server remotely via a command line)

AuthenticationHint
    Text set by the user to be displayed as a password reminder.
    Format: ASCII. Maximum 255 bytes.
    Sample value: Your guess is as good as mine.

NFSHomeDirectory
    Local file system path to the user's home directory.
    Format: ASCII. Non-zero length. Maximum 255 bytes.
    Sample value: /Network/Servers/example/Users/K-M/Tom King

Picture
    File path to a recognized graphic file to be used as a display picture for the user.
    Format: ASCII. Maximum 255 bytes.

MCXSettings
    Stores preferences for a managed user.
    Format: Mac OS X property list

AuthenticationAuthority
    An XML description of the user's defined method for authentication.
    Format: ASCII. Values are used to describe SASL server authentication, Kerberos authentication, directory-based authentication, or crypt and replacement crypt authentication. Absence of this data type signifies legacy authentication/password management.

MailAttribute
    A user's mail service configuration (refer to "Format of the MailAttribute Data Type" on page 577 for information on individual fields).
    Format: Mac OS X property list
    Sample values:
        kAttributeVersion           AppleMail 1.0
        kAutoForwardValue           user@example.com
        kIMAPLoginState             IMAPAllowed
        kMailAccountLocation        domain.example.com
        kMailAccountState           Enabled
        kNotificationState          NotificationStaticIP
        kNotificationStaticIPValue  [1.2.3.4]
        kPOP3LoginState             POP3Allowed
        kSeparateInboxState         OneInbox
        kShowPOP3InboxInIMAP        HidePOP3Inbox

EMailAddress
    An email address to which mail should be automatically forwarded when a user has no MailAttribute defined.
    Format: Any legal RFC 822 email address or a valid "mailto:" URL.
    Sample values: user@example.com, mailto:user@example.com

HomeDirectory
    The location of an AFP-based home directory.
    Format: Mac OS X property list of the form afp://server/sharepoint followed by the user's home directory path. In the following example, Tom King's home directory is K-M/Tom King, which resides beneath the share point directory Users.
    Sample value: afp://example.com/Users K-M/Tom King

Format of the MailAttribute Data Type

Ensure that each MailAttribute data type you configure your server to retrieve from an LDAP or Active Directory server is in the format described in the following table. If any field contains an incorrect value, the MailAttribute is ignored (in other words, treated as if MailAccountState were "Off").

Each entry gives the MailAttribute field, its format, and a sample value:

AttributeVersion
    A required case-insensitive value that must be set to "AppleMail 1.0".
    Sample: kAttributeVersion  AppleMail 1.0

MailAccountState
    A required case-insensitive keyword describing the state of the user's mail. It must be set to one of these values: "Off", "Enabled", or "Forward".
    Sample: kMailAccountState  Enabled

POP3LoginState
    A required case-insensitive keyword indicating whether the user is allowed to access mail via POP. It must be set to one of these values: "POP3Allowed" or "POP3Deny".
    Sample: kPOP3LoginState  POP3Deny

IMAPLoginState
    A required case-insensitive keyword indicating whether the user is allowed to access mail using IMAP. It must be set to one of these values: "IMAPAllowed" or "IMAPDeny".
    Sample: kIMAPLoginState  IMAPAllowed

MailAccountLocation
    A required value indicating the domain name or IP address of the Mac OS X Server responsible for storing the user's mail.
    Sample: kMailAccountLocation  domain.example.com

AutoForwardValue
    A field that is required only if MailAccountState has the value "Forward". The value must be a valid RFC 822 email address.
    Sample: kAutoForwardValue  user@example.com

NotificationState
    An optional keyword describing whether to notify the user whenever new mail arrives. If provided, it must be set to one of these values: "NotificationOff", "NotificationLastIP", or "NotificationStaticIP". If this field is missing, "NotificationOff" is assumed.
    Sample: kNotificationState  NotificationOff

NotificationStaticIPValue
    An optional IP address, in bracketed dotted-decimal format ([xxx.xxx.xxx.xxx]). The field is used only when NotificationState has the value "NotificationStaticIP"; if NotificationState is "NotificationStaticIP" but this field is missing, NotificationState is interpreted as "NotificationLastIP".
    Sample: kNotificationStaticIPValue  [1.2.3.4]

SeparateInboxState
    An optional case-insensitive keyword indicating whether the user manages POP and IMAP mail using different inboxes. If provided, it must be set to one of these values: "OneInbox" or "DualInbox". If this value is missing, "OneInbox" is assumed.
    Sample: kSeparateInboxState  OneInbox

ShowPOP3InboxInIMAP
    An optional case-insensitive keyword indicating whether POP messages are displayed in the user's IMAP folder list. If provided, it must be set to one of these values: "ShowPOP3Inbox" or "HidePOP3Inbox". If this field is missing, "ShowPOP3Inbox" is assumed.
    Sample: kShowPOP3InboxInIMAP  HidePOP3Inbox

Standard Data Types in Group Records

The following table specifies the standard data types found in Open Directory group records. Each entry gives the data type, its format, and sample values:

RecordName
    The name associated with a group.
    Format: ASCII characters A-Z, a-z, 0-9, _, -, and . Non-zero length, maximum 255 characters (127 double-byte characters).
    Sample values: Science, Science_Dept, Science.Teachers

RealName
    Usually the group's full name.
    Format: ASCII. Non-zero length, maximum 255 characters (127 double-byte characters).
    Sample value: Science Department Teachers

PrimaryGroupID
    The group's identifier; a user record's PrimaryGroupID refers to it to express the user's primary group association.
    Format: Unsigned 32-bit ASCII string of digits 0-9. Range is 0 to 4,294,967,295. Normally unique among the entire population of group records.
GroupMembership
    A list of the short names of user records that are considered part of the group.
    Format: ASCII characters A-Z, a-z, 0-9, _, -, and . Can be an empty list (normally for a user's primary group).
    Sample values: bsmith, jdoe

HomeDirectory
    The location of an AFP-based home directory for the group.
    Format: Mac OS X property list of the form afp://server/sharepoint followed by the group home directory path. In the following example, the Science group's home directory is K-M/Science, which resides beneath the share point directory Groups.
    Sample value: afp://example.com/Groups K-M/Science

MCXSettings
    Stores preferences for a workgroup (a managed group).
    Format: Mac OS X property list

Glossary

This glossary defines terms and spells out abbreviations you may encounter while working with online help or the "Mac OS X Server Administrator's Guide." References to terms defined elsewhere in the glossary appear in italics in the printed guide.

A, B

administrator
    A user with server or directory domain administration privileges. Administrators are always members of the predefined "admin" group.

administrator computer
    A Mac OS X computer onto which you have installed the server applications from the Mac OS X Server Admin CD.

AFP (Apple Filing Protocol)
    A client/server protocol used by Apple file service on Macintosh-compatible computers to share files and network services. AFP uses TCP/IP and other protocols to communicate between computers on a network.

authentication authority attribute
    A value that identifies the password validation scheme specified for a user and provides additional information as required.

BIND (Berkeley Internet Name Domain)
    The program included with Mac OS X Server that implements DNS. The program is also called the name daemon, or named, when it is running.

boot ROM
    Low-level instructions used by a computer in the first stages of starting up.

BSD (Berkeley System Distribution)
    A version of UNIX on which Mac OS X software is based.

C

canonical name
    The "real" name of a server when you've given it a "nickname" or alias. For example, mail.apple.com might have a canonical name of MailSrv473.apple.com.

CGI (Common Gateway Interface)
    A script or program that adds dynamic functions to a Web site. A CGI sends information back and forth between a Web site and an application that provides a service for the site. For example, if a user fills out a form on the site, a CGI could send the message to an application that processes the data and sends a response back to the user.

child
    A computer that gets configuration information from the shared directory domain of a parent.

computer account
    A list of computers that have the same preference settings and are available to the same users and groups.

D, E

DHCP (Dynamic Host Configuration Protocol)
    A protocol used to distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the client computer along with a lease period, the length of time the client computer may use the address.

directory domain
    A specialized database that stores authoritative information about users and network resources; the information is needed by system software and applications. The database is optimized to handle many requests for information and to find and retrieve information quickly. Also called a directory node or simply a directory.

directory domain hierarchy
    A way of organizing local and shared directory domains. A hierarchy has an inverted tree structure, with a root domain at the top and local domains at the bottom.

directory node
    See directory domain.

directory services
    Services that provide system software and applications with uniform access to directory domains and other sources of information about users and resources.

disk image
    A file that when opened (using Disk Copy) creates an icon on a Mac OS desktop that looks and acts like an actual disk or volume. Using NetBoot, client computers can start up over the network from a server-based disk image that contains system software.

DNS (Domain Name System)
    A distributed database that maps IP addresses to domain names. A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name.

drop box
    A shared folder with privileges that allow other users to write to, but not read, the folder's contents. Only the owner has full access. Drop boxes should only be created using AFP. When a folder is shared using AFP, the ownership of an item written to the folder is automatically transferred to the owner of the folder, thus giving the owner of a drop box full access to and control over items put into it.

dynamic IP address
    An IP address that is assigned for a limited period of time or until the client computer no longer needs the IP address.

everyone
    Any user who can log in to a file server: a registered user or guest, an anonymous FTP user, or a Web site visitor.

export
    The Network File System (NFS) term for sharing.

F, G

filter
    A "screening" method used to control access to your server. A filter is made up of an IP address and a subnet mask, and sometimes a port number and access type. The IP address and the subnet mask together determine the range of IP addresses to which the filter applies.

firewall
    Software that protects the network applications running on your server. IP Firewall service, which is part of Mac OS X Server software, scans incoming IP packets and rejects or accepts these packets based on a set of filters you create.

FTP (File Transfer Protocol)
    A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP server.

group
    A collection of users who have similar needs. Groups simplify the administration of shared resources.

group directory
    A directory that organizes documents and applications of special interest to group members and allows group members to pass information back and forth among them.

guest computer
    An unknown computer that is not included in a computer account on your server.

guest user
    A user who can log in to your server without a user name or password.

H

home directory
    A folder for a user's personal use. Mac OS X also uses the home directory, for example, to store system preferences and managed user settings for Mac OS X users.

HTML (Hypertext Markup Language)
    The set of symbols or codes inserted in a file to be displayed on a World Wide Web browser page. The markup tells the Web browser how to display a Web page's words and images for the user.

HTTP (Hypertext Transfer Protocol)
    An application protocol that defines the set of rules for linking and exchanging files on the World Wide Web.

I, J, K

IANA (Internet Assigned Numbers Authority)
    An organization responsible for allocating IP addresses, assigning protocol parameters, and managing domain names.

ICMP (Internet Control Message Protocol)
    A message control and error-reporting protocol used between host servers and gateways. For example, some Internet software applications use ICMP to send a packet on a round trip between two hosts to determine round-trip times and discover problems on the network.

idle user
    A user who is connected to the server but hasn't used the server volume for a period of time.

IGMP (Internet Group Management Protocol)
    An Internet protocol used by hosts and routers to send packets to lists of hosts that want to participate, in a process known as multicasting. QuickTime Streaming Server (QTSS) uses multicast addressing, as does Service Location Protocol (SLP).

IMAP (Internet Message Access Protocol)
    A client-server mail protocol that allows users to access their mail from anywhere on the Internet. Mail remains on the server until the user deletes it.

IP (Internet Protocol)
    A method used with Transmission Control Protocol (TCP) to send data between computers over a local network or the Internet. IP delivers packets of data, while TCP keeps track of data packets.

ISP (Internet service provider)
    A business that sells Internet access and often provides Web hosting for e-commerce applications as well as mail services.

L

LDAP (Lightweight Directory Access Protocol)
    A standard client-server protocol for accessing a directory domain.

lease period
    A limited period of time during which IP addresses are assigned. By using short leases, DHCP can reassign IP addresses on networks that have more computers than available IP addresses.

load balancing
    The process of distributing the demands by client computers for network services across multiple servers in order to optimize performance by fully utilizing the capacity of all available servers.

local domain
    A directory domain that can be accessed only by the computer on which it resides.

local home directory
    A home directory for a user whose account resides in a local NetInfo or LDAPv3 directory domain.

long name
    See user name.

LPR (Line Printer Remote)
    A standard protocol for printing over TCP/IP.

M

mail host
    The computer that provides your mail service.

managed client
    A user, group, or computer whose access privileges and/or preferences are under administrative control.

managed preferences
    System or application preferences that are under administrative control. Server Manager allows administrators to control settings for certain system preferences for Mac OS X managed clients. Macintosh Manager allows administrators to control both system preferences and application preferences for Mac OS 9 and Mac OS 8 managed clients.

MBONE (multicast backbone)
    A virtual network that supports IP multicasting.
An MBONE network uses the same physical media as the Internet, but is designed to repackage multicast data packets so they appear to be unicast data packets. MIBS (management information bases) Virtual databases that allow various devices to be monitored using SNMP applications. MIME (Multipurpose Internet Mail Extension) An Internet standard for specifying what happens when a Web browser requests a file with certain characteristics. A file’s suffix describes the type of file it is. You determine how you want the server to respond when it receives files with certain suffixes. Each suffix and its associated response make up a MIME type mapping. MTA (mail transfer agent) A mail service that sends outgoing mail, receives incoming mail for local recipients, and forwards incoming mail of nonlocal recipients to other MTAs. multihoming The ability to support multiple network connections. When more than one connection is available, Mac OS X selects the best connection according to the order specified in Network preferences. MX record (mail exchange record) An entry in a DNS table that specifies which computer manages mail for an Internet domain. When a mail server has mail to deliver to an Internet domain, the mail server requests the MX record for the domain. The server sends the mail to the computer specified in the MX record. N name server See DNS (Domain Name System). NetBIOS (Network Basic Input/Output System) A program that allows applications on different computers to communicate within a local area network. NetBoot server A Mac OS X server on which you have installed NetBoot software and have configured to allow clients to start up from disk images on the server. NetInfo The Apple protocol for accessing a directory domain.586 Glossary Network File System (NFS) A client/server protocol that uses TCP/IP to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password. 
network installation: The process of installing systems and software on Mac OS X client computers over the network. Software installation can occur with an administrator attending the installations or completely unattended.
nfsd daemon: An NFS server process that runs continuously behind the scenes and processes reading and writing requests from clients. The more daemons that are available, the more concurrent clients can be served.
NSL (Network Service Locator): The Apple technology that simplifies the search for TCP/IP-based network resources.

O

Open Directory: The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use LDAP, NetInfo, or Active Directory protocols; BSD configuration files; and network services.
open relay: A server that receives and automatically forwards mail to another server. Junk mail senders exploit open relay servers to avoid having their own mail servers blacklisted as sources of spam.
ORBS (Open Relay Behavior-modification System): An Internet service that blacklists mail servers known to be or suspected of being open relays for senders of junk mail. ORBS servers are also known as “black-hole” servers.
owner: The person who created a file or folder and who therefore has the ability to assign access privileges for other users. The owner of an item automatically has read and write privileges for an item. An owner can also transfer ownership of an item to another user.

P, Q

parent: A computer whose shared directory domain provides configuration information to another computer.
percent symbol (%): The command-line prompt in the Terminal application. The prompt indicates that you can enter a command.
PHP (PHP: Hypertext Preprocessor): A scripting language embedded in HTML that is used to create dynamic Web pages.
POP (Post Office Protocol): A protocol for retrieving incoming mail. After a user retrieves POP mail, it is stored on the user’s computer and usually is deleted automatically from the mail server.
predefined accounts: User accounts that are created automatically when you install Mac OS X. Some group accounts are also predefined.
preferences cache: A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences help you manage local user accounts on portable computers.
presets: Initial default attributes you specify for new accounts you create using Server Manager. You can use presets only during account creation.
primary group: A user’s default group. The file system uses the ID of the primary group when a user accesses a file he or she doesn’t own.
primary group ID: A unique number that identifies a primary group.
privileges: Settings that define the kind of access users have to shared items. You can assign four types of privileges to a share point, folder, or file: read and write, read only, write only, and none (no access).
proxy server: A server that sits between a client application, such as a Web browser, and a real server. The proxy server intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
QTSS (QuickTime Streaming Server): A technology that lets you deliver media over the Internet in real time.

R

realm: See WebDAV realm.
relay point: See open relay.
Rendezvous: A protocol developed by Apple for automatic discovery of computers, devices, and services on IP networks.
RTP (Real-Time Transport Protocol): An end-to-end network-transport protocol suitable for applications transmitting real-time data (such as audio, video, or simulation data) over multicast or unicast network services.
RTSP (Real Time Streaming Protocol): An application-level protocol for controlling the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data, such as audio and video. Sources of data can include both live data feeds and stored clips.

S

scope: A group of services. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network.
SDP (Session Description Protocol): A file used with QuickTime Streaming Server that provides information about the format, timing, and authorship of a live streaming broadcast.
search path: See search policy.
search policy: A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in which domains are searched. Sometimes called a search path.
shadow image: A file, hidden from regular system and application software, used by NetBoot to write system-related information while a client computer is running off a server-based system disk image.
share point: A folder, hard disk (or hard disk partition), or CD that is accessible over the network. A share point is the point of access at the top level of a group of shared items. Share points can be shared using AFP, Windows SMB, NFS (an “export”), or FTP protocols.
short name: An abbreviated name for a user. The short name is used by Mac OS X for home directories, authentication, and email addresses.
Simplified Finder: A user environment featuring panels and large icons that provide novice users with an easy-to-navigate interface. Mounted volumes or media to which users are allowed access appear on panels instead of on the standard desktop.
SLP (Service Location Protocol) DA (Directory Agent): A protocol that registers services available on a network and gives users easy access to them. When a service is added to the network, the service uses SLP to register itself on the network. SLP/DA uses a centralized repository for registered network services.
SMB (Server Message Block): A protocol that allows client computers to access files and network services. It can be used over TCP/IP, the Internet, and other network protocols. Windows services use SMB to provide access to servers, printers, and other network resources.
SMTP (Simple Mail Transfer Protocol): A protocol used to send and transfer mail. Its ability to queue incoming messages is limited, so SMTP usually is used only to send mail, and POP or IMAP is used to receive mail.
SNMP (Simple Network Management Protocol): A set of standard protocols used to manage and monitor multiplatform computer network devices.
spam: Unsolicited email; junk mail.
SSL (Secure Sockets Layer): An Internet protocol that allows you to send encrypted, authenticated information across the Internet.
static IP address: An IP address that is assigned to a computer or device once and is never changed.
subnet: A grouping on the same network of client computers that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). The use of subnets simplifies administration.
System-less clients: Computers that do not have operating systems installed on their local hard disks. System-less computers can start up from a disk image on a NetBoot server.

T

TCP (Transmission Control Protocol): A method used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP takes care of handling the actual delivery of the data, and TCP takes care of keeping track of the individual units of data (called packets) into which a message is divided for efficient routing through the Internet.
Tomcat: The official reference implementation for Java Servlet 2.2 and JavaServer Pages 1.1, two complementary technologies developed under the Java Community Process.
TTL (time-to-live): The specified length of time that DNS information is stored in a cache. When a domain name–IP address pair has been cached longer than the TTL value, the entry is deleted from the name server’s cache (but not from the primary DNS server).

U

UDP (User Datagram Protocol): A communications method that uses the Internet Protocol (IP) to send a data unit (called a datagram) from one computer to another in a network. Network applications that have very small data units to exchange may use UDP rather than TCP.
UID (user ID): A number that uniquely identifies a user. Mac OS X computers use the UID to keep track of a user’s directory and file ownership.
Unicode: A standard that assigns a unique number to every character, regardless of language or the operating system used to display the language.
URL (Uniform Resource Locator): The address of a computer, file, or resource that can be accessed on a local network or the Internet. The URL is made up of the name of the protocol needed to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.
USB (Universal Serial Bus): A standard for communicating between a computer and external peripherals using an inexpensive direct-connect cable.
user name: The long name for a user, sometimes referred to as the user’s “real” name. See also short name.

V

virtual user: An alternate email address (short name) for a user.
VPN (Virtual Private Network): A network that uses encryption and other technologies to provide secure communications over a public network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or by routers.

W

WebDAV (Web-based Distributed Authoring and Versioning): A live authoring environment that allows client users to check out Web pages, make changes, and then check them back in while a site is running.
WebDAV realm: A region of a Web site, usually a folder or directory, that is defined to provide access for WebDAV users and groups.
wildcard: A range of possible values for any segment of an IP address.
WINS (Windows Internet Naming Service): A name resolution service used by Windows computers to match client names with IP addresses. A WINS server can be located on the local network or externally on the Internet.
workgroup: A set of users for whom you define preferences and privileges as a group. Any preferences you define for a group are stored in the group account.

X, Y, Z

591 Index

A

access logs 227
access privileges
    about 124, 205
    administrator 206
    copying 217
    directory services and 71
    everyone 207
    explicit vs. inherited 206, 207
    group 206
    guests 210
    guest users 129
    hierarchy 207
    managing share points 217
    of administrators 125
    owner 206
    restricting 222
    role of group ID 125
    role of UID in 124, 125
    security guidelines 222
    setting for WebDAV 339
    setting in AppleShare client software 219
    setting in Windows 219
    setting share points 211
    user categories 206
    Web sites 340, 342
accounts
    Guest Computers 277
    managing preferences, Mac OS X 282
Active Directory
    ADSI (Active Directory Services Interface) 104
    configuring 104–105
    creating server configuration 104
    directory service protocol 74
    Open Directory support 104
    populating domains with data 105
    search policies and 105
adding users to groups 148
admin group 125, 129, 131
administration
    planning 92
    remote 58
administrative data
    how used by server 573
    mapping 573–580
administrative data.
    See directory domains
administrator
    access privileges 206
    access to mail database 394
    choosing for directory services 92
    defined 581
    modifying account 137
    passwords 137
administrator accounts
    backing up 202
administrator computer
    defined 58, 581
administrator privileges
    directory domain 126, 145
    local computer 126
    server 145
    server administration 125
AFP
    defined 581
    home directories in 165
AFP (Apple Filing Protocol) 224
AirPort base stations
    DHCP service and 477
All Other Computers account 429, 452
All Other Users account 429, 430
anonymous FTP 249
Anonymous FTP User predefined account 130
Apache 365
Apache modules 365–367
Apache Web server
    configuration 338
    resources 64
APOP (Authenticated POP) 384
Apple Filing Protocol (AFP)
    setting up sharing 212
Apple file server 530
Apple file service
    access log 232
    Access settings 226
    allowing guest access 234
    archiving logs 233
    automatically disconnecting idle users 234
    automounting share point in Mac OS X 260
    automounting share point on Mac OS 8 or 9 client 261
    changing language 418
    changing server name 231
    configuring 225
    connecting to server in Mac OS 8 and 9 261
    connecting to server in Mac OS X 259
    described 221
    enabling AppleTalk browsing 232
    features 224
    General settings 225
    Idle Users settings 228
    limiting connections 232
    Logging settings 227
    login greeting 234
    Mac OS 8 and 9 client software requirements 260
    Mac OS X client software requirements 259
    monitoring 229
    planning 225
    problems with 263
    registering with NSL 231
    sending users messages 235
    solving problems 263
    specifications 224
    starting 229
    starting automatically 231
    stopping 230
    viewing logs 230
Apple file services
    See also Apple Filing Protocol (AFP)
Apple Filing Protocol (AFP)
    defined 581
    home directories in 160
    key features of 49
    Macintosh Manager 446
    resharing NFS mounts in 215
AppleShare 263
AppleShare IP 6.3
    AFP compared to 224
AppleTalk 224, 226, 263
    enabling and disabling for Open Directory 93
    file service protocol 72
attributes, directory domain
    about 71
    adding 102
    mapping LDAPv3 101
attributes list 550
authentication
    Apple file service 224
    directory data and 70
    FTP service 254
    Kerberos 224, 248, 254
    mail service 381, 384, 385, 389
    NFS service 222
    Password Server 88
    planning 91
    protocols supported 88
    search policy 94
    solving problems 203
    Windows services 236
authentication authority
    attribute 192
    defined 581
Authentication Manager 237, 264
    backing up 119
automatic search policy
    See also search policies
    about 83
    adding Active Directory server to 105
    adding LDAPv2 server to 107
    adding LDAPv3 server to 99, 100
    LDAPv3 mappings supplied by 103
    using 95
automounting
    directory services and 71
    share points 207
available directory domains
    listing accounts in 174

B

backing up
    directory services 119
    Password Server 201
    root and administrator user accounts 202
BCC 382
Berkeley Internet Name Domain (BIND)
    defined 581
Berkeley System Distribution (BSD)
    defined 581
.bin (MacBinary) format 247
bin (predefined group account) 131
BIND 515, 516, 518, 520–523
    about 520
    configuration file 520
    configuring 520–523
    defined 520, 581
    example 521–523
    load distribution 523
    zone data files 521
binding
    configuring NetInfo 111
    kinds of NetInfo 111
    machine records for 113
black-hole servers 375
blind carbon copies 382
BootP protocol 476
boot ROM
    defined 581
Boot Server Discovery Protocol (BSDP) 491
broadcast binding, configuring NetInfo 112
BSD
    defined 581
BSD configuration files
    DSFFPlugin.plist file for 115
    enabling and disabling 93
    history of 67
    mapping data 115
    Open Directory and 74, 115
    populating with data 118
bsdpd_client 493

C

CA certificate 361
cache. See proxy cache
canonical name
    defined 581
capacity planning
    NetBoot 488
certificate file 361–363
CGI
    defined 582
CGI programs
    problems with 364
CGI scripts
    enabling 354–355
    installing 354
    solving problems 364
child computer
    defined 582
child NetInfo domain 110
Chooser
    setting up printing via AppleTalk 324
Classic
    installing on Mac OS X disk image 497
client computers
    customizing 45, 52
    encoding for older clients 226
    installing software over the network 509
    SLP DA service 546
    starting up using N key 507
    system requirements 488
client computers (Mac OS 8 and 9)
    using Apple file service 260
client computers (Mac OS X)
    using Apple file service 259
client computers (Windows)
    using file services 261
    using Windows services 262
client computers, Mac OS 8 and 9
    setting up printing 324
client computers, Mac OS 9
    selecting NetBoot startup image 506
client computers, Mac OS X
    selecting NetBoot startup image 506
    setting up printing 323
client computers, UNIX
    print service 325
client computers, Windows
    print service 325
client management, Mac OS 9 and 8 411
    See also Macintosh Manager
    about 411
    access privileges 440
    administrator computer requirements 415
    application settings 457
    benefits of 414
    client computer requirements 414
    copying Mac OS 8 preferences 464
    guest access 429
    making items available to users 438, 440
    Managed Preferences folder 466
    managing portable computers 461
    media access 465
    more information 473
    mounting volumes 446
    planning 414
    printing 448
    setting access privileges 442
    setting login options 460
    setting up administration computer 416
    setting up computer lists 451
    setting up Mac OS 9 client computers 416, 417
    setting up printing 447
    setting up workgroups 436, 438
    setup overview 424
    sharing information 443, 444
    solving problems 470, 471, 472
    transition strategies 412
    upgrading 412
    user experience 412
    using NetBoot 423
    using update package 417
client management, Mac OS X 267
    See also Workgroup Manager
    about 267
    administrator computer requirements 269
    administrators 270
    benefits of 269
    client computer requirements 269
    computer accounts 271, 272
    group accounts 271
    guest computers 277
    managing preferences 282
    planning 269
    presets 273
    transition strategies 268
    user accounts 270
    user experience 268
code page 238
command-line tools. See Terminal
Common Gateway Interface (CGI)
    defined 582
compressed files 247
computer accounts
    about 128
    adding to 274
    changing information 274
    creating 272
    defined 582
    deleting 276
    deleting computers from 275
    Guest Computer 277
    moving computers between 275
    presets 273
    searching for 276
computer accounts, Mac OS 9 and 8. See Macintosh Manager
computer list, Mac OS 9 and 8 425
computer list, Mac OS X. See computer accounts
computer lists, Mac OS 9 and 8
    See also Macintosh Manager
computer preferences
    managing, Mac OS X 286
computers, Mac OS X
    controlling access to 278
configuration files. See BSD configuration files
Configure Web Service window 342
CRAM-MD5 385, 389
cross-platform issues for file service 236
CSR (certificate signing request) 361–362
custom FTP root 253
custom root in FTP 248

D

daemon (predefined group account) 131
database
    directory domain 66
    mail service 373
    Password Server 88
data types
    group records 580
    MailAttribute 577–579
    user records 574–577
Desktop Printer Utility
    setting up LPR printing 324
DHCP
    about 54
    defined 582
DHCP servers 476
    interactions 477
    network location 476
DHCP service 475–484
    AirPort base stations 477
    automatic search policy and 84
    deleting subnets 480
    described 475
    DNS options for subnets 482
    DNS Server for DHCP Clients 479
    LDAP auto-configuration 477
    LDAP server for DHCP clients 479
    logs 480, 483
    logs for 478
    managing 478–484
    managing subnets 481–483
    monitoring clients 481
    more information 484
    NetInfo binding 112
    NetInfo options for subnets 482
    planning 475–477
    preparing for setup 475–477
    setting up 477–478
    solving problems 484
    starting 478
    stopping 478
    subnet IP addresses lease times, changing 480
    subnets 476
    subnets, creating 481
    uses for 475
    viewing client lists 483
dialer (predefined group account) 131
Directory Access application 59
    Active Directory server, adding 104
    automatic search policy, using 95
    BSD configuration files, mapping 116
    custom search policies, defining 96
    enabling and disabling protocols 94
    LDAPv2 106–110
    LDAPv2 access, changing 107
    LDAPv2 configuration, adding 106
    LDAPv2 search bases and data mapping, editing 108
    LDAPv3 97–103
    LDAPv3 access via DHCP 97
    LDAPv3 configuration, adding 98
    LDAPv3 configuration, changing 99
    LDAPv3 configuration, deleting 100
    LDAPv3 configuration, duplicating 99
    LDAPv3 configurations, showing and hiding 97
    LDAPv3 connections, changing 100
    LDAPv3 search bases and mappings, editing 101
    local domain search policy 96
    NetInfo binding, configuring 112
    remote administration 118
    search policies 94–96
Directory Agent (DA) 547
directory domain
    defined 582
    user accounts in 122
directory domain hierarchies
    about 78–84
    data visibility in 81, 86
    examples 79–80, 81
    NetInfo 110, 111
    planning 82, 85–87, 91
    search policies for 82–84
directory domain hierarchy
    defined 582
directory domains
    See also BSD configuration files, LDAPv2, LDAPv3, local directory domains, NetInfo, shared directory domains
    about 73
    administrative data in 86
    defined 45
    information storage in 66, 71
    limiting users in 91
    mail service configuration in 376
    security 87
    simplifying changes to 86
    tools for managing 89
    user accounts in 66–67
directory node
    defined 582
directory services
    See also Open Directory
    about 47
    administrators for 92
    authentication 67
    backing up 119
    benefits of 65
    defined 45, 582
    information storage in 65
    logs 119
    network role of 66
    planning 90, 91
    setup overview 90
    status 119
    tools summary 89
disconnect messages 229
disk images 485, 492
disk images, Network Install
    creating 511
    enabling 514
diskKeyFinder 566
disk space
    monitoring 555
    reclaiming logs’ use of 555
diskspacemonitor 556
diskutil 557
DNS (Domain Name System)
    defined 582
    Rendezvous 72
DNS server
    default for DHCP 479
DNS servers 516
DNS service 515–524
    A records 396
    configuring BIND 520–523
    described 515
    junk mail prevention with 375, 399
    load distribution 523
    mail service and 372, 377
    managing 518–520
    more information 524
    MX records 372, 377, 381, 396
    planning 516–517
    preparing for setup 516
    problems with 264
    reverse lookups 396
    setting up 517
    setup overview 517–518
    starting 518, 519
    stopping 518
    strategies 516–517
    usage statistics 519
    uses for 515
    with mail service 516
Documents folder 341
domain browsing services 240
domain names
    registering 517
Domain Name System (DNS)
    about 54
    defined 582
DoS (Denial of Service) attacks
    preventing 537
DOS prompt 264
drop box 205
    defined 582
DSFFPlugin.plist file 115
dsimportexport 555
    exporting users and groups 184
    export parameters 184
    importing users and groups 181
    import parameters 181
    status information and logs 179
Dynamic Host Configuration Protocol. See DHCP
dynamic IP address
    defined 583
dynamic IP addresses 476

E

eMac 487
email client software 406
email service.
See mail service enabling 346 error logs 228, 233 Ethernet networks 488 Ethernet ports 489, 502 everyone access privileges 207 defined 583 explicit privileges 206 export defined 583 extensions, filename 248 F file compression 247–248 file name extensions 248 files compressed 247 conversion in FTP 247–248 file services See also Apple Filing Protocol (AFP), Windows service, Network File System (NFS) service, File Transfer Protocol (FTP) applications for 221 more information 265 options 48 planning 221–223 security guidelines 222 setup overview 223 types of 221 file sharing about 48 key features of 44 organizing 210 planning 209–211 security 210 setup overview 208–209 File Transfer Protocol (FTP) 247–248 about 50, 244 anonymous FTP 249 connections 264 custom root 248 defined 583 guest access 249 planning 248–249 security of 244 setting up sharing 213 setup overview 249–250 specifications 248 user environments 245–247 filters defined 583 editing 532 examples 529–530 junk mail 373–375 filters, IP adding 531 described 527–528 problems locating 543 Finder workgroup 436 firewall defined 583 filtering SMTP connections 401 sending mail through 390 firewall, NFS 256 Firewall service 525–543 about 525 adding filters 531 Any Port filter 537 benefits 526 blocking multicast services 536 configuring 530, 533–534 creating filters 532 default filter 537 described 525 editing filters 532 example filters 529–530598 Index filtering UDP ports 535–536 filters 527–529 IP address precedence 529 IP filter rules 538–540 logs, setting up 534–535 managing 531–538 more information 543 multiple IP addresses 529 NetInfo Access, controlling 536 port reference 540–542 preparing for setup 527–529 preventing denial-of-service attacks 537 problems with 543 setting up 530–531 solving problems 543 starting 531 starting automatically 531 stopping 531 uses for 526 viewing logs 533 folder access privileges 444 folders Documents folder 341 fonts adding to client systems via network 208 FTP defined 583 FTP 
passive mode 265 FTP root and share points user environment 245 FTP servers security of 244, 249 FTP service 244–248 Access settings 251 Advanced settings 252 anonymous 253 anonymous uploads folder 253 authentication method 254 custom root 253 described 221, 244–248 displaying messages 255 displaying user messages 255 General settings 250 Logging settings 251 preparing for setup 248 README messages 255 security limitations 50 setup overview 256–257 solving problems 264 specifications 248 starting 252 stopping 252 user environment 254 viewing logs 254 G Getting Started With Mac OS X Server 41 group defined 583 group accounts about 127 access privileges 125, 127, 206 adding users 148, 168 administering 165 automatic group directory 171 changing 167 creating in Mac OS X Server directory domain 165 creating in read-write LDAPv3 domains 166 defined 121 deleting 173 directories for 128, 170 in directory domains 71 finding 173 group ID 170 names for 169 planning 136 predefined, list of 131 read-only 167 removing users 149, 168 reviewing memberships 149 using presets 177 where they’re stored 165 group directories 171 group directory defined 583 group names 169 group preferences managing, Mac OS X 286 groups characteristics of 127Index 599 data types 580 preparing for setup 135 guest (predefined group account) 131 guest access allowing 238 FTP service 249 restricting 210 Windows 263 Windows services 243 guest accounts access guidelines 210 security guidelines 222 guest computer defined 583 guests restricting access 210 guests users limiting connections 227 guest user account, Mac OS 9 and 8 429 guest users about 129 accessing Apple file service 234 access privileges 129 defined 583 described 210 limiting connections 234 maximum connections 227, 234 services available to 154 H hard disk capacity of 488 help 41 hierarchies. 
See directory domain hierarchies home directories about 126 advanced 163 AFP share points 160 and disk quotas 164 choosing a protocol 160 creating folders 161 default 165 defined 583 deleting 165 distributing 156 for local users 162 for network users 163 for users in existing directory servers 157 Macintosh Manager and 422 moving 165 NFS share points 160 Open Directory and 71 planning 136 solving problems 204 storage of 155 Home Directory and FTP Root user environment 246 Home Directory Only user environment 247 HTML defined 583 HTTP defined 583 httpd.conf file 358 httpd_macosxserver.conf file 355, 360 Hypertext Markup Language (HTML) defined 583 Hypertext Transfer Protocol (HTTP) defined 583 I IANA defined 584 IANA registration 517 iBook 487 ICMP defined 584 idle user defined 584 IGMP defined 584 IGMP packets blocking 536 iMac 487 IMAP about 371 administrator access 394 case-sensitive folders 386 connections per user 386 ports 387, 394 response name 386600 Index secure authentication 385 settings 385–387 terminating idle connections 387 IMAP (Internet Message Access Protocol) defined 584 importing and exporting creating character-delimited files 187 creating XML files using AppleShare IP 186 creating XML files using Server Admin 186 file formats supported 179 from Workgroup Manager 181 Password Server users 197 with Workgroup Manager 179 importing and exporting users and groups 178 information, finding more 41 installer 558 Internet and Web services key features of 46 Internet Assigned Numbers Authority (IANA) defined 584 Internet Control Message Protocol (ICMP) defined 584 Internet Gateway Multicast Protocol See IGMP Internet Group Management Protocol (IGMP) defined 584 Internet Message Access Protocol (IMAP) defined 584 Internet Message Access Protocol (IMAP). See IMAP Internet Protocol (IP) defined 584 Internet servers. 
See Web servers Internet Service Provider (ISP) defined 584 IP defined 584 IP address, static defined 588 IP addresses assigning 477 DHCP and 475 DHCP lease times, changing 480 dynamic 476 dynamic allocation 476 leasing with DHCP 475 multiple 348, 529 precedence in filters 529 ranges 528 reserved 477 setting up for ports 348 setting up multiple on port 348 static 476 IP failover 567–571 configuring 569 defined 46 enabling 569 requirements 567 scripts 570 IP Filter module 538–540 IP filter rules 538 IP filter service 263, 265 IP firewall service about 54 ipfw command 538–540 ISP defined 584

J

Java JavaServer Pages (JSP) with Tomcat 347 servlet (with Tomcat) 347 Tomcat and 347 junk mail 373–375, 398–402 approved servers list 374, 398 blacklisted servers 375, 401 disapproved servers list 375, 399 ORBS server 375, 401 rejected SMTP servers 375, 399 restricted SMTP relay 374, 375, 398, 401 reverse DNS lookup 375, 399 SMTP authentication 374, 375, 389

K

Kerberos enabling for AFP 200 enabling for FTP 200 enabling for login window 200 enabling for mail 200 enabling for Telnet 201 integrating Mac OS X with Kerberos server 199 Macintosh Manager 464 mail service authentication 381 services supporting 197 solving problems 204 understanding 198 using 197 Kerberos authentication Apple file service 224 FTP service 248, 254 kmem (predefined group account) 131

L

LDAP defined 584 DHCP and 479 LDAP Bind authentication 201 LDAP server address via DHCP 479 LDAPv2 access settings 107 adding servers 106 configuring 106–110 data mappings 108 enabling and disabling 93 search bases 108 search policies and 107 setting up 106 LDAPv3 adding server configurations 98 automatic search policy and 84 changing server configurations 99 configuring 97–103 connection settings 100 creating group accounts 166 creating user accounts 138 deleting server configurations 100 duplicating server configurations 99 enabling and disabling 94 populating with data 103 port configuration 101 search policies 
and 99, 100 shared domains 83 showing and hiding configurations 97 SSL encryption 101 lease period defined 584 Lightweight Directory Access Protocol (LDAP) defined 584 Lightweight Directory Access Protocol (LDAP). See LDAPv2, LDAPv3 Line Printer Remote (LPR) defined 584 load balancing defined 584 NetBoot and 504–505 load distribution 523 local directory domain in automatic search policy 83 information storage 74 listing users and groups 174 NetInfo 111 search policy 96 local domain defined 584 local home directory defined 584 log files access logs 227 error logs 228, 233 logging in solving problems 203, 204 logging items DHCP activity 478 settings for 546 settings for Windows 239 login settings 146 log rolling scripts 555 logs access 352 Apple file service 227 Apple file service access 233 Apple file service error 233 DHCP 480, 483 DNS service 519 dsimportexport 179 error 352 Firewall 534 Firewall service 533 FTP 254 mail service 404 print service 325, 332–334 reclaiming disk space 555 reclaiming space used by 405 Server Monitor 63 SLP DA 549 SSL 357 Web service 348 Windows services 243 LPR defined 584

M

MacBinary (.bin) format 247 machine record for NetInfo binding 113 Macintosh Manager 411 about 411 access privileges 442 administrator access to user accounts 464 administrator login 425 All Other Computers account 452 allowing media access 442 allowing multiple logins 434 allowing screen shots 442 allowing system access 434 approved items 442 changing administrator password 433 changing language script 418 changing menu access 443 checking email automatically 451 choosing language 417 computer access 454 computer checkout 423, 461 computer lists 451 computer Security settings 456 copying Mac OS 8 preferences 464 creating administrator accounts 432 creating email addresses 455 creating shortcuts 438 customizing reports 463 customizing workgroup panels 460 desktop environments 436 directory services database 420 disabling extensions 459 disabling login on a 
computer 453 disconnecting computers automatically 454 duplicating workgroups 437 finding users 429 folder access privileges 444 force-quitting applications 459 Global CD-ROM settings 465 Global settings 462 group documents 444 hand-in folder 445 helper applications 457 home directories 413, 422 importing user accounts 426 importing user information from text 428 installing administrator software 415 Items settings 438 Kerberos verification 464 listing available discs 465 local users and 461 login message 451, 460 Login settings 460 Mac OS X user access 429 managing preferences 422 media access 457, 465 MMLocalPrefs extension 423 modifying workgroups 438 more information 473 mounting volumes automatically 446 Multi-User Items folder 419, 420 naming hard disks 455 Netboot and 423 opening items at startup 450 Options settings 449 preference storage 422, 423 preventing user password changes 464 printing 420 print quotas 448 Privileges settings 440 protecting folders 440 protecting the desktop 440 quitting administrator program automatically 463 restricting printer access 448 security 418, 462, 463 setting file-level security 441 setting idle logout 456 setting media access 441 setting preferences 426 setting storage quotas 435 setting up 424 setting up administrator accounts 432 setting up All Other Users 430 setting up workgroups 436 shared folders 443 share point for 419 solving problems 470–472 switching servers 459 synchronizing clocks 455 synchronizing user database 435 system access printer 449 update package 417 user account template 426 user information storage 421 user settings, advanced 434 user settings, basic 433 users working offline 458 using server administrator accounts 432 viewing reports 463 wireless service 462 workgroup printers 447 Workgroup settings 454 workgroup template 437 Macintosh Manager administrator 431, 432 changing password 433 Macintosh Manager application opening 62 Macintosh Manager User predefined account 130 
Macintosh-specific Web modules 365 Mac OS systems cross-platform guidelines 236 Mac OS X data requirements 573 Mac OS X Server applications summary 56 individual services of 46 key features of 43 more information 64 ports used by 540–542 resources 64 setting up 41 shared directory domains 75–78 Mac OS X systems 540–542 mail disabling for user 150 enabling user options 150 forwarding for user 151 redirecting 517 mail (predefined group account) 131 MailAttribute data type, format of 577–579 mail database about 373 administrator access 394 backing up 408 cleaning up 395, 408 converting 393 location of 394 mail exchange (MX) records. See MX records Mail Exchange. See MX mail exchange record (MX) defined 585 mail exchangers 516 mail host 372 defined 585 mail servers 517 mail service administrator access 394 alternate transfer agent 391 APOP authentication 384 approved servers list 374, 398 authentication 381, 384, 385, 389 backing up 408 blacklisted servers 375, 401 blind carbon copies (BCC) 382 case-sensitive IMAP folders 386 client settings for 406 configuration storage 376 connected users 404 database 373, 393–396 database cleanup 408 deleted users, removing mail of 395 deleting mail automatically 383, 394 disapproved servers list 375, 399 DNS cache 397 DNS lookup for 396 domain name list 381 features not supported 376 features of 369 filtering SMTP connections 401 forwarding undeliverable mail 402 general settings 380–382 HELO command 400 idle IMAP connections, terminating 387 IMAP (Internet Message Access Protocol) 371, 385–387, 394 IMAP authentication 385 IMAP connections per user 386 IMAP port 387 IMAP response name 386 incoming mail 378, 382–387 junk mail prevention 373–375, 398–402 Kerberos authentication 381 key features of 51 limiting delivery attempts 402 limiting incoming message size 383 logs 404, 405 maintenance 379 message storage 373, 393–396 monitoring 404 more information 408 MX records 372, 377, 381, 396 network settings 396–397 new mail 
notification 383 NotifyMail protocol 383 ORBS server 375, 401 outgoing mail 378, 387–393, 402–403 performance tuning 407 planning 379 POP (Post Office Protocol) 370, 384–385 POP port number 385 POP response name 384 postmaster account 379, 402, 403 protocols 370, 382 rejected SMTP servers 375, 399 relay via another server 389 reporting undeliverable mail 402, 403 resources 408–409 restricted SMTP relay 398 reverse DNS lookup 375, 399 sending nonlocal mail 388 sending only local mail 388 Sendmail 371, 373, 392 setup overview 377–379 SMTP (Simple Mail Transfer Protocol) 371, 389–393, 401 SMTP alternate 391 SMTP authentication 389 SMTP ports 391 SMTP relay for backup server 401 SMTP response name 390 SSL (Secure Sockets Layer) 372 starting and stopping 378, 380 status 403–405 suspending outgoing mail 388 timeouts 397 tools overview 376 undeliverable mail 402–403 user accounts 404, 407 user account settings for 373, 379, 405 using DNS service with 516 virtual host list 381 mail settings creating for users 127 mail transfer agent (MTA) 371, 391 mail transfer agent (MTA) defined 585 managed client defined 585 managed preferences defined 585 managed preferences. See preference management Managed Preferences folder 466 Forced Preferences folder 467 Initial Preferences folder 466 Initial Preferences folder, exceptions 467 Preserved Preferences folder 468 managed users about 128 management information bases (MIBS) defined 585 mapping group records 580 Mac OS X data types 573 user records 574–577 mappings BSD configuration files 116 LDAPv2 108 LDAPv3 101 MBONE defined 585 messages, mail. 
See mail service MIBS defined 585 MIME defined 585 mappings 343 server response, setting 356 suffixes 340 type mapping 340 types 343 Types pane 343 understanding 340 Web server responses 340 MIME (Multipurpose Internet Mail Extension) 340–341 MMLocalPrefs extension 423 mod_auth_apple module 365 mod_hfs_apple module 366 mod_macbinary_apple module 365 mod_perl module 366 mod_redirectacgi_apple module 366 mod_sherlock_apple module 365 MTA defined 585 MTA (mail transfer agent) 371 multicast backbone (MBONE) defined 585 multicast DNS 72 multicast services blocking 536 multihoming changing priority of network connections in Mac OS X 260 defined 585 Multipurpose Internet Mail Extension (MIME) defined 585 Multipurpose Internet Mail Extension. See MIME MX (Mail Exchange) Records defined 585 MX (Mail Exchange) records 517, 518 MX hosts 516 MX records 372, 377, 381, 396 mysql (predefined group account) 131 MySQL Manager 367, 565 MySQL module 367 My SQL Server predefined account 130

N

named.conf file 520 name servers 516 NAT (Network Address Translation) 390 Neighborhood settings 239 NetBIOS defined 585 NetBoot 491 “system-less” clients 506 about 52 administration tools for 62 administrator requirements 486 AirPort 493 applications and files for 485 Boot Server Discovery Protocol (BSDP) 491 capacity planning 488 client computer requirements 487 client computers 505, 506 configuring 501 creating Mac OS X disk image 496 default disk image 500 disabling disk images 502 disabling on Ethernet ports 502 disk images 492 enabling 501, 502 filtering clients 503 hard disk name in 455 image folders image folders, NetBoot 489–490 installing Classic 497 key features of 485 load balancing 504–505 monitoring Mac OS 9 clients 503 monitoring Mac OS X clients 503 network requirements 488 property lists 490 security 493 server requirements 486 setting up Mac OS 9 disk image 497, 498 setting up on Mac OS X Server 496 setup overview 493–496 shadow images 492 solving problems 507–508 
starting up on client computers 495 Trivial File Transfer Protocol (TFTP) 492 updating Mac OS X disk images 503 updating Startup Disk control panel 505 viewing client lists 483 NetBoot client computers 506 NetBoot Desktop Admin 490 NetBoot server defined 585 NetInfo 264 See also directory domains access through firewall 536 automatic search policy and 84 binding 111, 482 child 110 client access 482 configuring 110–114 data, changing 114 data, viewing 114 defined 585 directory service protocol 74 enabling and disabling 94 information storage 114 machine record 113 parent 110 port configuration 113 shared domains 83, 110 UNIX tools for 114 NetInfo Manager application data, viewing 114 machine records, adding 113 ports, configuring 113 network adding fonts to client systems 208 network (predefined group account) 131 network authentication protocols 88 Network Basic Input/Output System (NetBIOS) defined 585 Network File Service (NFS) security limitations 222 Network File System (NFS) defined 586 exporting share points 215 home directories in 160 resharing in AFP 215 setting up share points 213 Network File System (NFS) service about 49 security limitations 49 Network Globe contents 207–208 folders in 208 share points 208 Network Image Utility 489 creating disk image 511 creating Mac OS X disk image 496 Network Install about 53 about packages 509 applications and files for 509 creating custom packages 512 creating disk image 511 enabling disk images 513 key features of 509 Network Install application 62 network installation defined 586 network library folder system resources 208 Network Neighborhood 263 connecting to server without 262 connecting to service with 262 networks management resources 64 private 523–524 scopes 546, 546–547 sharing printer queues over 317 TCP/IP networks 523–524 Network Service Locator (NSL) defined 586 registering Apple file servers 231 network services assigning to scopes 547 discovery protocols 72 networksetup 562 NFS defined 586 
nfsd daemons 257 defined 586 NFS service about 256 configuring settings 257 described 221 monitoring 258 planning 256 stopping 258 uses for 256 nobody (predefined group account) 131 nogroup (predefined group account) 131 None privilege 205 NotifyMail protocol 383 NSL defined 586

O

online help 41 Open Directory See also directory services access privileges and 71 authentication 67, 70 automount share points and 71 backing up 119 BSD configuration files and 115 compared to UNIX systems 69 configuring protocols 93 data requirements 573 defined 586 group accounts and 71 home directories and 71 information management 70, 73 information storage in 65, 72 key features of 47 mail settings and 71 overview 45 protocols supported 74 quotas and 71 searching non-Apple domains 78 search policies 82–84 service discovery and 72 UNIX heritage 67 uses of 70–71 Open Directory Assistant about 92 configuring directory domain 92 connecting to server 92 creating shared NetInfo domain 111 deleting shared directory domain 93 Open Directory Assistant application 58 Open Directory domains See also directory domains, LDAPv3, NetInfo deleting 93 setting up 92 Open Directory Password Server. 
See Password Server OpenLDAP directory service protocol 74 open relay defined 586 Open Relay Behavior-modification System (ORBS) defined 586 open source modules 366–367 operator (predefined group account) 131 ORBS defined 586 ORBS servers 375, 401 owner defined 586 owner privileges 206

P

Package Maker application 62 packages 509 Panels workgroup 436 parent computer defined 586 parent NetInfo domain 110 passwords administrator 137 file servers 263 migrating 193 problems with readable 194 root 137 root user 137 validating 189 validation strategies 189 Password Server 264 administration 196 authentication protocols 195 authentication with 87 backing up 201 database contents 88 enabling for a user 196 monitoring 197 protocols supported 88 recommended for Windows 236 securing 197 security benefits 66 security features 195 security guidelines 89 setting up 92 setup 196 solving problems 203 tools for managing 89 Windows validation 202 password validation authentication authority attribute 192 basic strategy 193 choosing a password 192 for Windows 236 Kerberos 197 options 47, 189 Password Server strategy 195 pros and cons 191 strategies 123 Windows 202 percent symbol defined 586 performance mail service 407 Perl mod_perl 366 PHP 366 defined 586 enabling 357 Hypertext Preprocessor See PHP PHP Hypertext Preprocessor (PHP) defined 586 PHP module 366 POP about 370 authentication 384 port number 385 response name 384 settings 384–385 POP (Post Office Protocol) defined 586 port 548 263 portable computers, Mac OS 9 and 8 461 wireless service 462 portable computers, Mac OS X as guest computers 280 individual 280 managing preferences 279 shared 280 ports Ethernet ports 489 IMAP mail administrator 394 IMAP mail service 387 IP addresses 348 Mac OS X computers 540–542 POP mail service 385 SMTP 391 SMTP mail service 391 TCP ports 540–541 UDP ports 542 Postfix program, configuring 371 postmaster mail account 379, 402 Post Office Protocol (POP) defined 586 Post Office Protocol 
(POP). See POP PowerBook (FireWire) 487 PowerBook G4 487 Power Mac G4 487 Power Mac G4 Cube 487 Power Macintosh G3 (blue and white) 487 predefined accounts defined 586 preference cache about 283 how to empty 283 updating 283 preference management, Mac OS 9 and 8 466 preference management, Mac OS X about 284 Applications Items settings 288 Applications preference 288 Applications System Preferences settings 290 Classic Advanced preferences 292 Classic preferences 291 Classic settings 291 computer preferences 286 disabling 287 Dock Display settings 294 Dock Items settings 295 Dock preference 294 editing multiple records 287 Finder Commands settings 299 Finder preference 296 Finder Views settings 302 group preferences 286 Internet Email settings 304 Internet preference 304 Internet Web settings 304 local user accounts 279 Login Items settings 307 Login preference 305 Login Window settings 305 Media Access Disk Media settings 308 Media Access Other Media settings 309 Media Access preferences 308 options 284 preference cache 283 Printing preferences 311 Printing Printer List settings 311 Startup settings 291 user preferences 285 preferences, Mac OS 8 464 preferences cache, defined 587 presets changing 178 creating for groups 177 creating for users 176 defined 176, 587 deleting 178 renaming 178 using to create new accounts 177 primary group 129 defined 148, 587 group ID of 148 primary group ID defined 587 Print Center adding print queue from Open Directory domain 323 adding print queue using AppleTalk 323 adding print queue using LPR 323 printer sharing key features of 44 print jobs deleting 332 holding 330 holding new 331 monitoring 329 prioritizing 331–332 restarting 330 stopping 330 print logs deleting 334 managing 332–334 print queues about 315 adding from Open Directory domain 323 adding in Mac OS X using AppleTalk 323 adding in Mac OS X using LPR 323 adding to Open Directory domains 321 configuring 320 default 329 deleting 329 holding 327 monitoring 326 
reconfiguring 327 renaming 328 restarting 327 print quotas enforcing 322 managing 332 setting for Mac OS 9 and 8 clients 448 setting up 322 print service about 315 adding printers 320 applications for 315 key features of 50 monitoring 325 printers supported 316 protocols supported 317 setting up 319 setting up Mac OS 8 and 9 clients 324 setting up Mac OS X clients 323 setting up on clients 323 setup overview 317–318 solving problems 334–335 starting automatically 326 stopping 326 UNIX clients 325 Windows clients 325 print settings for users 151 privileges. See access privileges problems. See troubleshooting Property List Editor editing BSD configuration files with 116 editing DSFFPlugin.plist 116 installing 116 protocols See also specific protocols directory services 93 mail service 370–371 Open Directory 93 service discovery 72 SSL and mail service 372 proxy 345 blocking Web sites with 345 proxy cache enabling 345 proxy server 345 defined 587

Q

QTSS (QuickTime Streaming Server) defined 587 QuickTime Broadcaster about 55 QuickTime Streaming Server privileges 206 QuickTime Streaming Server (QTSS) about 55 defined 587 quotas about 127 disk 164 mail 151 print 152 user settings 71

R

Read & Write privileges 205 README messages, for FTP 255 Read Only privileges 205 realm, WebDAV defined 590 realms, WebDAV 339 Real-Time Streaming Protocol (RTSP) defined 587 Real-Time Transport Protocol (RTTP) defined 587 record types about 71 adding 102 group 580 LDAPv2 108 LDAPv3 101 user 574–577 remote administration 58 Directory Access application 118 Rendezvous 72 defined 587 enabling and disabling for Open Directory 94 reports Macintosh Manager 463 Request for Comments (RFC) documents 409 resources Apache Web server 64 file services 265 Mac OS X Server 64 mail service 408–409 network management 64 Web service 367 Restricted Finder workgroup 436 RFC (Request for Comments) documents 409 root password 137 root domain 77, 111 See also shared directory domains root 
password 137 root user account backing up 202 round robin 523 routers 546 RTSP defined 587 RTTP defined 587 rules, IP filter 538–540

S

Samba 235 SASL (Simple Authentication and Security Layer) 88 schema, directory domain. See mappings scopes, network 546, 546–547 screen shots 442 scripts See CGI scripts search bases BSD configuration files 116 LDAPv2 108 LDAPv3 101 search path directory domains listing accounts in 174 search policies 202 about 48, 82–83 adding Active Directory server to 105 adding LDAPv2 server to 107 adding LDAPv3 server to 99, 100 authentication 94 automatic 83, 95 custom 84, 95 local domain only 96 setting up 94–95 user accounts in 122 secure shell (SSH) command 553 Secure Sockets Layer (SSL) defined 588 Secure Sockets Layer. See SSL Secure Sockets Layer See SSL security access privilege guidelines 210 file service guidelines 222 FTP servers 244, 249 key features of 44 limitations of NFS 222 Macintosh Manager 418 NetBoot 493 NFS 256 NFS exports and 256 NFS limitations 210 passwords 194 Password Server 89 root password 137 of server hardware 87, 89 WebDAV 339 Web sites 340 Sendmail program 371, 391, 392 mail folder 373 Sendmail User predefined account 130 server administrators using Macintosh Manager accounts 432 Server Assistant application 58 server management more information 64 Server Message Block (SMB) defined 588 setting up sharing 212 Server Message Block (SMB). 
See SMB Server Monitor application connecting to server 62 task summary 62 servers Apache Web server 64, 338 enabling SSL on 363 equipment for 92 file servers 263 location for 92 name servers 516 ORBS servers 375 proxy servers 345–346 security of 87, 89 Windows file servers 237 WINS servers 240 Server Settings adding printers to queue 320 adding print queues to Open Directory domains 321 administrator access to mail database 395 allowing guest access to Apple file service 234 allowing guest access to Windows services 243 alternate mail transfer agent 391 APOP authentication 384 Apple file service Access settings 226 Apple file service automatic startup 231 Apple file service General settings 225 Apple file service Idle Users settings 228 Apple file service Logging settings 227 approved mail servers list 398 archiving Apple file service logs 233 archiving print logs 333 assigning Windows server to workgroup 244 automatically disconnecting users from Apple file service 234 blacklisted mail servers 401 blind carbon copies (BCC), configuring 382 blocking Web sites with proxy server 345 CGI script, enabling 355 changing Apple file server name 231 changing print job priority 331 changing print queue quotas 332 changing Windows server name 241 configuring NetBoot 501 configuring print queues 320 creating Apple file service login greeting 234 creating SLP DA scopes 546 custom FTP root 253 default NetBoot disk image 500 deleting DHCP subnets 480 deleting mail automatically 383, 394 deleting print jobs 332 deleting print queues 329 denial-of-service attacks, preventing 537 deregistering a service with SLP DA 549 DHCP client list 481 DHCP logs 480, 484 DHCP subnet IP address lease times, changing 480 DHCP subnets, creating 481 DHCP subnets, settings 482 disabling DHCP subnets 483 disabling NetBoot disk images 502 disapproved servers list 399 disconnecting users from Apple file service 233 DNS lookup for mail service 396 DNS options for DHCP subnets 482 DNS server for 
DHCP clients 479 DNS Service, starting and stopping 519 enabling AppleTalk browsing on Apple file service 232 enabling disk images 514 enabling NetBoot 502 enabling NetBoot disk images 502 enabling SSL for Web service 346 enabling WebDAV 346 enabling Web site 350 enabling web site logs 352 enabling Windows service domain browsing 242 enforcing quotas for print queues 322 filtering NetBoot clients 504 filtering SMTP connections 401 filtering UDP ports 536 finding Windows server workgroup name 241 Firewall, configuring 534 Firewall, starting and stopping 531 Firewall default filter 537 Firewall filters, creating 532 Firewall filters, editing 532 Firewall filters, finding 533 Firewall logs 534 Firewall service, configuring 530 FTP Access settings 251 FTP Advanced settings 252 FTP authentication 254 FTP General settings 250 FTP Logging settings 251 FTP logs 254 FTP user environment 254 FTP user messages 255 holding new print jobs 331 holding print jobs 330 holding print queues 327 IMAP authentication 385 IMAP case-sensitive folders 386 IMAP connections per user 386 IMAP ports 387 IMAP response name 386 Kerberos for mail service 381 LDAP server address via DHCP 479 limiting Apple file service connections 232 limiting connections to Windows services 242 limiting incoming message size 383 limiting mail delivery attempts 402 logging SLP DA debugging messages 549 mail database location 394 mail service, starting and stopping 380 mail service DNS cache 397 mail service timeouts 397 mail service virtual host names 381 modifying MIME type mappings 343 monitoring print jobs 329 NetInfo access through Firewall 536 NetInfo options for DHCP subnets 482 new mail notification 383 NFS settings 257 performance cache for Web site 352 POP port number 385 POP response name 384 reconfiguring print queues 327 registering Apple file server with NSL 231 registering a service with SLP DA 548 registering with WINS server 242 renaming print queues 328 reporting undeliverable mail 402 
restarting print jobs 330 restarting print queues 327 sending nonlocal mail 388 sending only local mail 388 server response for MIME types 356 setting access port for Web site 351 setting default print job priority 331 setting default Web page 351 setting up anonymous FTP 253 setting up persistent connections 344 SLP DA log options 549 SLP DA scopes, creating 548 SLP DA scopes, viewing 547 SLP DA service, starting and stopping 547 SMTP authentication 389 SMTP name matches IP address 400 SMTP ports 391 SMTP relay, restricting 398 SMTP relay for backup server 401 SMTP relay via another server 390 SMTP response name 390 SMTP servers, rejecting 399 specifying default print queue 329 SSL, enabling 363 SSL, setting up 357 starting Apple file service 229 starting DHCP 478 starting FTP service 252 starting or stopping Web service 343 starting print service automatically 326 starting Tomcat 347 starting Web service automatically 343 starting Windows services 240 stopping Apple file service 230 stopping DHCP 478 stopping FTP service 253 stopping print service 326 suspending outgoing mail 388 terminating idle IMAP connections 387 turning on Apple file service access logs 232 undeliverable mail, forwarding 402 undeliverable mail, reporting 403 viewing client lists 483 viewing Web service status 348 WebDAV, enabling 353 WebDAV realms, setting up 353 Web site indexing, enabling 353 Web sites, monitoring 356 Windows services automatic startup 241 Windows services General settings 237 Windows services Logging settings 239 Windows services logs 243 Windows services Network Neighborhood settings 239 Server Settings application connecting to server 60 opening within Workgroup Manager 60 populating Active Directory domains with 105 populating LDAPv3 domains with 103 Server Side Includes See SSI Server Status Apple file service logs 230 Apple file service status 230 disconnecting users from Windows services 243 DNS log, viewing 519 DNS service status 519 DNS usage statistics 
520 mail service 404, 405 monitoring Mac OS 9 NetBoot clients 503 monitoring Mac OS X NetBoot clients 503 monitoring NFS 258 monitoring print queues 326 monitoring print service 325 monitoring Windows services 241 sending messages to Apple file service users 235 SLP DA logs, viewing 549 viewing print logs 333 viewing Web service logs 348 Server Status application directory services information 119 task summary 61 service discovery 72 Service Location Protocol (SLP) about 54 Service Location Protocol (SLP). See SLP Service Location Protocol (SLP) Directory Agent (DA) defined 588 Service Location Protocol Directory Agent See SLP DA services data items used by 573–574 settings logging 546 logging for Windows services 239 MIME types 343 Web service 342–349 Web sites 349–358 Shadow Images 492 shared directory domains deleting 93 information storage 75 NetInfo 110, 111 network printing and 76 resources in 77 share point defined 48 share points automounting 207, 214 changing owner and privileges 217 changing protocols 218 creating 211 defined 205 deleting NFS client 218 drop box 218 for Windows users 236 making unavailable 215 removing 216 resharing NFS mounts 215 solving problems 219 viewing 216 sharing stopping 216 Sherlock AFP and 224 showmount command 259 Simple Mail Transfer Protocol (SMTP) defined 588 Simple Mail Transfer Protocol. 
See SMTP Simple Network Management Protocol (SNMP) 566 SLP discovery protocol 72 enabling and disabling for Open Directory 94 SLP (Service Location Protocol) 226, 231 SLP DA attributes list 550 defined 588 more information 550 SLP DA service 545–550 creating scopes 548 debugging messages, logging 549 deregistering a service 549 described 545 managing 547–550 monitoring 549 planning 545 preparing for setup 545 registering a service 548 setting up 545–547 starting 547 stopping 547 uses for 545 viewing scopes 547 SLP Service managing 547–550 starting 547 stopping 547 SMB defined 588 enabling and disabling for Open Directory 94 Windows protocol 72 SMB protocol 235 smmsp (predefined group account) 131 SMTP about 371 alternatives to 371 authentication 374, 375, 389 filtering connections 401 ports 391 rejected servers 375, 399 relay, restricted 374, 375, 398 relay for backup server 401 relay via another server 389 response name 390 settings 389–393 SMTP (Simple Mail Transfer Protocol) defined 588 SNMP (Simple Network Management Protocol) defined 588 softwareupdate 561 spam defined 588 spam. 
See junk mail specifications Apple file service 224 FTP service 248 Windows services 236 spoof 256 SQL 367 SquirrelMail See WebMail SSH key fingerprints 554 SSH access enabling and disabling 553 SSH session closing 554 executing commands 554 opening 553 SSI enabling 355 SSL certificate signing request (CSR) 361 enabling 363 mail service and 372 setting up 357, 361 Web site certificate 362 SSL (Secure Sockets Layer) defined 588 described 338 enabling 363 SSL (Secure Sockets Layer) service 361–363 staff (predefined group account) 131 starting up using N key 507 Startup Disk control panel, updating 505 static addressing 487 static binding, NetInfo 112 static IP addresses 476 defined 588 Streaming Server Admin application starting 63 task summary 63 subnet 264 subnet masks 527 subnets 239, 476 creating 476, 477–478, 481 defined 588 sys (predefined group account) 131 system access printer 449 System Administrator predefined account 130 system identifier lights and Server Monitor 63 System-less clients defined 588 System Preferences setting up multiple IP addresses for a port 348 System Services predefined account 130 systemsetup 561

T

TCP defined 589 TCP/IP 264 private networks 523–524 unable to access server over 543 TCP/IP, for Windows services 262 TCP ports 540–541 templates, directory domain. 
See mappings Terminal application 258, 539, 552 mail database cleanup 395 NetInfo command-line tools in 114 Sendmail, starting 392 SSH command 553 time-to-live (TTL) defined 589 Tomcat 366 defined 589 Java and 347 Java servlet 347 JSP (JavaServer Pages) 347 starting 347 Tomcat module 366 TP service anonymous 249 Transmission Control Protocol (TCP) defined 589 Trivial File Transfer Protocol (TFTP) 492 troubleshooting Apple file servers 263 Apple file service 263 Firewall service 543 FTP 264 IP filters 543 NetBoot 507–508 print service 334–335 share points 219 users and groups 202 Web service 364 Windows services 263 TTL defined 589 tty (predefined group account) 131 tunneling 546

U

UDP defined 589 UDP (User Datagram Protocol) 258 UDP Ports filtering 535 UDP ports 542 undeliverable mail forwarding 402 limiting delivery attempts 402 reporting to postmaster 402, 403 Unicode defined 589 Uniform Resource Locator (URL) defined 589 Universal Serial Bus (USB) 316 defined 589 UNIX commands, understanding 553 finding help 553 UNIX systems BSD configuration files 74 compared to Open Directory 67, 68, 69 information storage 68, 69 tools for NetInfo 114 unknown (predefined group account) 131 Unknown User predefined account 130 Unprivileged User predefined account 130 unsolicited mail. 
See junk mail uploads folder in FTP 253 URL defined 589 USB defined 589 USB (Universal Serial Bus) 316 user, virtual defined 589 user accounts access privileges 125 authenticating 123 authentication 122 changing 138 comments 147 connecting without logging in 123 creating in Mac OS X Server directory domains 137 creating read-write LDAPv3 user accounts 138 defined 121 defining a user’s home directory 161 deleted, removing mail of 395 deleting 154 in directory domains 66–67, 91 disabling 155 disabling mail 150 disk quotas 164 enabling mail options 150 finding 173 forwarding mail 151 group settings 147 home directories 126 how they’re used 122 importing into Macintosh Manager 426 kinds of 128 locations of 137 login settings 146 Mac OS 9 and 8 420 mail addresses 407 mail quotas 127 mail settings 127, 150, 373, 379, 405 managed users 128 managing preferences 270 naming guidelines 141 not using a home directory 162 password validation 189 postmaster 379 predefined, list of 130 presets 176 print settings 151 read-only 139 storing preferences 127 user and group accounts planning 135 role in network 121 setup overview 132 user data how used by server 573 User Datagram Protocol (UDP) defined 589 User Datagram Protocol See UDP user environment in FTP 254 user environments in FTP 245–247 user experience Mac OS 9 and 8 desktop 436 user ID (UID) defined 589 guidelines 144 network role of 124 role in access privileges 125 user messages FTP 255 user messages, for FTP 255 user names defined 589 long names 139 as mail addresses 407 short names 140 user preferences managing, Mac OS X 285 Users 364 users anonymous FTP users 265 categories 206 characteristics of 122 data types 574–577 limiting connections 227, 234 MailAttribute data type 577–579 mail client configuration 406 mapping data 573–579 preparing for setup 135 registered 222 unregistered 210 users and groups importing and exporting 178 solving problems 202 utilities advanced, list of 551 utmp (predefined group
account) 131 uucp (predefined group account) 131

V

virtual hosts mail service 381 Virtual Private Network (VPN) defined 589 virtual user defined 589 VPN defined 589

W

Web 365 Web-based Distributed Authoring and Versioning See WebDAV Web browsers 339 WebDAV defined 590 privileges 206 WebDAV (Web-based Distributed Authoring and Versioning) 346 defining realms 339 described 337 enabling 353 security 339 setting access 354 setting access privileges 339 setting up 346 understanding 339 WebDAV realm defined 590 WebMail about 358–361 configuring 360–361 enabling 359 logging in 359 mail server and 359 protocols 359 security limitations 359 SquirrelMail 358 Web modules 365–367 Mac-specific 365 open-source 366 Web pages default 341 Web servers Apache Web server 64, 338 certificate for 362–363 Web Service monitoring 348 Web service 337–367 about 337–367 configuring 338, 342 default page 341 described 337 Documents folder 341 key features of 51 limiting simultaneous 344 monitoring 348 more information 367 MySQL 367 persistent connections 344 preparing for setup 338–340 problems with 364 resources 367 secure transactions 338, 361–363 settings for 342–349 setting up 341–342 setting up Web sites 338 setup overview 341–342 solving problems 364 SSL, enabling 346 starting 343 stopping 343 strategies for 338–341 Tomcat 347 WebDAV 346 WebMail, managing 359–361 Web site privileges 342 Web services logs, viewing 348 Web site setting up SSL 357 Web Sites 349–358 monitoring 356 Web sites access privileges 340 Apache Web server 64 assigning privileges 342 connecting to 342 connection problems 364 default Page 351 default page 341 default Web Folder 349 directory listing 352 documents Folder 349 enabling 350 hosting 339, 342 improving performance 351 information about 349 logs 352 MIME, configuring 356 security of 340 setting access port 351 settings for 349–358 setting up 338 solving problems 364 wheel (predefined group account) 132 wildcard defined 590 Windows
clients share points for 210 Windows file servers 237 Windows Internet Naming Service (WINS) 235 defined 590 registering with 242 servers 240, 264 Windows services 235–236 Access settings 238 assigning server to workgroup 244 authentication 236 automatic startup 240 changing server name 241 connecting to server with Network Neighborhood 262 connecting to server without Network Neighborhood 262 cross-platform guidelines 236 described 221 disconnecting users 243 enabling domain browsing 242 finding server workgroup name 241 General settings 237 guest access 243 key features of 49 limiting connections 242 logging settings 239 monitoring 241 Network Neighborhood settings 239 password validation 236 planning 236–237 problems with 263 registering with WINS server 242 Samba 235 services supported 235 setting up logs 243 solving problems 263 specifications 236 starting 240 stopping 240 supported in Mac OS X Server 261 using TCP/IP 262 Windows systems cross-platform guidelines 236 WINS defined 590 wireless service 281 workgroup administrator 432 workgroup management, Macintosh key features of 45, 52 Workgroup Manager about 267 access for users with local accounts 279 adding Dock items 295 adding to computer accounts 274 adding users to groups 168 allowing access to local applications 289 allowing access to System Preferences 290 allowing burning CDs and DVDs 309 allowing CD and DVD access 308 allowing helper applications 289 allowing special actions during restart 292 allowing users to control Dock 296 approving applications 288 authenticating in 59 automounting share points 214 browsing share point folders 216 changing computer accounts 274 changing group accounts 167 changing owner and access privileges for share point 217 changing share points’ protocols 218 changing user accounts 138 computer access settings 278 computer account presets 273 computer accounts, creating 272 configuring an AFP share point 212 configuring an FTP share point 213 configuring an SMB
share point 212 controlling computer access 278 copying access privileges 217 creating drop box 218 creating group accounts 166 creating LDAPv3 group accounts 166 creating LDAPv3 user accounts 138 creating printer list 311 creating user accounts 137 deleting computer accounts 276 deleting computers from accounts 275 deleting NFS client from share point 218 disabling preference management 287 editing multiple users 176 ejecting media on logout 310 exporting users and groups in 181 filtering account lists 175 hiding “Connect to Server” command 299 hiding “Go to Folder” command 300 hiding “Go to iDisk” command 299 hiding Burn Disc command 301 hiding Chooser and Network Browser 293 hiding disk and server icons 297 hiding Eject command 300 hiding Restart and Shut Down buttons on login 306 hiding Restart and Shut Down commands 301 hiding Trash warning 298 importing users and groups in 179 managing Classic sleep 294 managing computer preferences 286 managing email preferences 304 managing group preferences 286 managing user preferences 285 managing Web preferences 304 moving computers between accounts 275 opening applications on login 307 opening without authenticating 59 populating Active Directory domains with 105 populating LDAPv3 domains with 103 presets 273 preventing access to control panels 292 refreshing account lists 175 removing share points 216 removing users from groups 168 resharing NFS mounts in AFP 215 restricting access to printers 314 restricting changes to printer list 312 restricting direct-connect printing 312 restricting hard disk access 310 searching for computer accounts 276 setting default and computer views 303 setting default printer 313 setting desktop view 302 setting Dock appearance 294 setting Finder window display 297 setting preferences 60 setting up Guest Computers account 277 setting up login window 305 setting up share points 211, 213 shortcuts 176 showing Apple menu items 293 showing file extensions 298 showing password hint 306 solving 
problems 202 sorting account lists 175 specifying a Classic System Folder 291 starting Classic at login 291 stopping sharing an item 216 system preferences and 281 task summary 60 updating managed preference cache 283 viewing access privileges for share points 217 viewing read-only group accounts 167 viewing read-only user accounts 139 viewing share points 217 workgroups See also Macintosh Manager about 128 defined 590 Mac OS 9 and 8 436 planning 136 World privileges for NFS 210 World Wide Web Server predefined account 130 Write Only privileges 205 www (predefined group account) 132

X

Xserve 487

AppleCare Protection Plan Getting Started Guide for Apple TV

Contents
5 Fact Sheet
7 Quick Reference Guide
9 Terms and Conditions
39 Fact Sheet (French)
42 Quick Reference Guide (French)
44 Terms and Conditions (French)

English 5

AppleCare Protection Plan for Apple TV Fact Sheet

Service and support from the people who know your Apple TV best

The AppleCare Protection Plan for Apple TV extends the complimentary coverage on your Apple TV to up to two years * of world-class support. The plan provides access to Apple TV experts and gives you anytime access to web-based resources at www.apple.com/support/appletv/. If your Apple TV or the included accessories need service, Apple will repair or replace them. **

Coverage information

This comprehensive plan is available for all Apple TV models within their one-year limited warranty. If you sell the covered Apple TV before the AppleCare Protection Plan for Apple TV expires, you may transfer the plan to the new owner. ** For each Apple TV you want to cover, you must purchase a separate AppleCare Protection Plan for Apple TV. Keep your Proof of Coverage document, the original Apple TV sales receipt, and the AppleCare Protection Plan for Apple TV receipt.
Apple may require proof of purchase if any questions arise about the eligibility of your Apple TV for AppleCare Protection Plan.

Technical support options

If you experience difficulties with your Apple TV, refer to the Quick Reference Guide for troubleshooting tips. If you are not able to resolve the issue, AppleCare representatives can help troubleshoot your Apple TV, its connection with iTunes, and its connection to your television. Apple technical support contact information and hours of operation are listed in the Quick Reference Guide. Under the AppleCare Protection Plan for Apple TV, Apple offers the same complete service for both Mac and Windows users.

Hardware service

This plan extends repair and replacement service from the Apple one-year warranty to up to two years from your Apple TV purchase date. Either the carry-in or direct mail-in service option may apply when you obtain service. Refer to the Quick Reference Guide for additional details about obtaining service. The replacement equipment that Apple provides as part of the repair or replacement service may be new or equivalent to new in both performance and reliability.

* From the original purchase date of your Apple TV.
** See the enclosed AppleCare Protection Plan Terms and Conditions for complete details.

Quick Reference Guide

Try these simple steps before contacting Apple for help. If you experience problems with your Apple TV, try the troubleshooting steps below. As a precaution, back up all content on your computer before you perform these steps.

Verify that you have the latest iTunes. You can download the latest iTunes at www.apple.com/itunes/download/ in the U.S. or www.apple.com/ca/itunes/download/ in Canada.

Visit the Apple TV Support website. The Apple TV Support website has links to service option availability, an Apple TV tutorial, discussions, and other resources to answer various how-to questions, which are available 24 hours a day at www.apple.com/support/appletv/ in the U.S.
and www.apple.com/ca/support/appletv/ in Canada.

Contact Apple for more assistance. If the steps in this guide do not resolve your issue, contact Apple. An Apple representative will ask you for your AppleCare Protection Plan for Apple TV agreement number or your Apple TV serial number, which is located on the bottom of your Apple TV.

In the U.S.: 800-APL-CARE (800-275-2273), seven days a week, 8:00 A.M. to 8:00 P.M. Central time *
In Canada: 800-263-3394, seven days a week, 9:00 A.M. to 9:00 P.M. Eastern time *

* Telephone numbers and hours of operation may vary and are subject to change. You can find the most up-to-date local and international contact information at www.apple.com/contact/phone_contacts.html/.

AppleCare Protection Plan
AppleCare Protection Plan for iPod
AppleCare Protection Plan for Apple Display
AppleCare Protection Plan for Apple TV

Terms and Conditions

Your AppleCare Protection Plan (“APP”), AppleCare Protection Plan for iPod (“APP for iPod”), AppleCare Protection Plan for Apple Display (“APP for Apple Display”) or AppleCare Protection Plan for Apple TV (“APP for Apple TV”), (each referred to herein as the “Plan”) is governed by these Terms and Conditions and constitutes your contract with the Apple entity described in section 7.l below (“Apple”). Subject to these Terms and Conditions, your Plan (i) covers defects for the Apple-branded product(s) listed in your Plan’s Certificate or Proof of Coverage document (“Plan Confirmation”) and the accessories that are contained in the product(s) original packaging (“Covered Equipment”), and (ii) provides you with access to telephone technical support and web-based support resources for the Covered Equipment. To obtain the Plan Confirmation you must register your Plan’s unique agreement or registration number (“Plan Agreement Number”) as described in the instructions included in the Plan’s packaging.
Customers choosing the Auto-Registration option, where available, will automatically receive their Plan Confirmation. The duration of the Plan (“Coverage Period”) is for the period ending on the date specified in your Plan Confirmation. The price of the Plan is listed on the Plan’s original sales receipt.

1. Repair Coverage

a. Scope of Coverage. Your coverage for defects begins on the date your Covered Equipment’s Apple hardware warranty expires and terminates at the end of the Coverage Period (“Repair Coverage Period”). Apple will provide both parts and labor, but may require you to replace certain readily installable parts yourself, as described below. Apple may provide replacement product or parts that are manufactured from parts that are new or equivalent to new in both performance and reliability. The replacement product or parts will be functionally equivalent to the replaced products or parts and will assume the remaining coverage under the Plan. The products or parts that are replaced become Apple’s property. Apple strongly advises you to record as a back up, data and software residing or recorded in the Covered Equipment, before having the Covered Equipment available for repair or replacement services. The scope of support provided to you will vary according to the Plan you purchased, as follows.

(i) Under APP, Apple covers the Covered Equipment and one compatible Apple branded display if purchased at the same time and registered with a covered Mac computer. An Apple-branded mouse and keyboard are also covered under APP if included with the Covered Equipment (or purchased with a Mac mini).
An AirPort Extreme Card, an AirPort Express or AirPort Extreme Base Station, Time Capsule, an Apple-branded DVI to ADC display adapter, Apple RAM modules and MacBook Air SuperDrive are also covered under APP if used with the compatible Covered Equipment and originally purchased by you up to two years before your Mac purchase or during the term of your APP. If during the Repair Coverage Period there is a defect in the materials or workmanship of the Covered Equipment or the other covered items described above, Apple will at its option, repair or replace the affected item.

(ii) Under APP for iPod, Apple will, at its option, repair or replace the affected Covered Equipment, if (a) during the Repair Coverage Period there is a defect in the Covered Equipment’s materials or workmanship or, (b) during the Coverage Period, the capacity of the covered iPod battery to hold an electrical charge has depleted fifty (50%) percent or more from its original specification after being fully charged and the covered iPod is playing music with all settings reset.

(iii) Under APP for Apple Display or APP for Apple TV, Apple will, at its option, repair or replace the affected Covered Equipment, if during the Repair Coverage Period there is a defect in the Covered Equipment’s materials or workmanship. An AirPort Extreme Card, an AirPort Express or AirPort Extreme Base Station and Time Capsule are also covered under APP for Apple TV if used with the Covered Equipment and originally purchased by you up to two years before your Apple TV or during the term of your APP for Apple TV coverage.

b. Limitations.
The Plan does not cover:
(i) Installation, removal or disposal of the Covered Equipment, or installation, removal, repair, or maintenance of non-Covered Equipment (including accessories, attachments, or other devices such as external modems) or electrical service external to the Covered Equipment;
(ii) Damage to the Covered Equipment caused by accident, abuse, neglect, misuse (including faulty installation, repair, or maintenance by anyone other than Apple or an Apple Authorized Service Provider), unauthorized modification, extreme environment (including extreme temperature or humidity), extreme physical or electrical stress or interference, fluctuation or surges of electrical power, lightning, static electricity, fire, acts of God or other external causes;
(iii) Covered Equipment with a serial number that has been altered, defaced or removed;
(iv) Problems caused by a device that is not the Covered Equipment, including equipment that is not Apple-branded, whether or not purchased at the same time as the Covered Equipment;
(v) Service necessary to comply with the regulations of any government body or agency arising after the date of this Plan;
(vi) The provision of replacement equipment during the period when the Covered Equipment is being repaired;
(vii) Covered Equipment that has been lost or stolen. This Plan only covers Covered Equipment that is returned to Apple in its entirety;
(viii) Cosmetic damage to the Covered Equipment including but not limited to scratches, dents and broken plastic on ports;
(ix) Consumable parts, such as batteries, except in respect of battery coverage under APP for iPod or unless failure has occurred due to a defect in materials and workmanship;
(x) Preventative maintenance on the Covered Equipment;
(xi) Defects caused by normal wear and tear or otherwise due to normal aging of the product; or
(xii) Damage to, or loss of any software or data residing or recorded in the Covered Equipment.
When providing repair or replacement service, Apple will use reasonable efforts to reinstall the Covered Equipment’s original software configuration and subsequent update releases, but will not provide any recovery or transfer of software or data contained on the serviced unit not originally included in the Covered Equipment. DURING iPOD SERVICE THE CONTENTS OF YOUR iPOD WILL BE DELETED AND THE STORAGE MEDIA REFORMATTED. Your iPod or a replacement iPod will be returned to you as your iPod was configured when originally purchased, subject to applicable updates. Apple may install system software (“iPod OS”) updates as part of your service that will prevent the iPod from reverting to an earlier version of the iPod OS. Third party applications installed on the iPod may not be compatible or work with the iPod as a result of the iPod OS update. You will be responsible for reinstalling all other software programs, data and passwords. Recovery and reinstallation of software programs and user data are not covered under this Plan.

c. Service Options. Apple may provide service through one or more of the following options:

(i) Carry-in service is available for most Covered Equipment. Return the Covered Equipment requiring service to an Apple-owned retail store or an Apple Authorized Service Provider location offering carry-in service. Service will be performed at the location, or the store or service provider may send the Covered Equipment to an Apple repair service location to be repaired. Once you are notified that service is complete, you will promptly retrieve the product.

(ii) Onsite service is available for many desktop computers if the location of the Covered Equipment is within 50 miles/80 kilometers radius of an Apple authorized onsite service provider located in the United States or Canada. Onsite service is not available for some parts.
The service for parts that cannot be repaired by onsite service may be repaired under Do-It-Yourself Parts service as described below. Apple will dispatch a service technician to the location of the Covered Equipment. Service will be performed at the location, or the service technician will transport the Covered Equipment to an Apple Authorized Service Provider or Apple repair service location for repair. If the Covered Equipment is repaired at an Apple Authorized Service Provider or Apple repair service location, Apple will arrange for transportation of the Covered Equipment to your location following service. If the service technician is not granted access to the Covered Equipment at the appointed time, any further onsite visits may be subject to an additional charge.

(iii) Direct mail-in service is available for most Covered Equipment. If Apple determines that your Covered Equipment is eligible for mail-in service, Apple will send you prepaid way bills (and if you no longer have the original packaging, Apple may send you packaging material) and you will ship the Covered Equipment to Apple’s repair service location in accordance with its instructions. Once service is complete, the Apple repair service location will return the Covered Equipment to you. Apple will pay for shipping to and from your location if all instructions are followed.

(iv) Do-It-Yourself Parts service is available for many Covered Equipment parts, allowing you to service your own product. If Do-It-Yourself Parts service is available in the circumstances, the following process will apply.

(A) Do-It-Yourself Parts service where Apple requires return of the replaced part. Apple may require a credit card authorization as security for the retail price of the replacement part and applicable shipping costs. If you are unable to provide credit card authorization, Do-It-Yourself Parts service may not be available to you and Apple will offer alternative arrangements for service.
Apple will ship a replacement part to you with installation instructions and any requirements for the return of the replaced part. If you follow the instructions, Apple will cancel the credit card authorization, so you will not be charged for the part and shipping to and from your location. If you fail to return the replaced part as instructed or return a replaced part that is ineligible for service, Apple will charge the credit card for the authorized amount.

(B) Do-It-Yourself Parts service where Apple does not require return of the replaced part. Apple will ship you free of charge a replacement part accompanied by instructions on installation and any requirements for the disposal of the replaced part.

(C) Apple is not responsible for any labor costs you incur relating to Do-It-Yourself Parts service. Should you require further assistance, contact Apple at the toll-free telephone number listed below.

Apple reserves the right to change the method by which Apple may provide repair or replacement service to you, and your Covered Equipment’s eligibility to receive a particular method of service, including but not limited to onsite service at any time. Service will be limited to the options available in the country where service is requested. Service options, parts availability and response times may vary according to country. You may be responsible for shipping and handling charges if the Covered Equipment cannot be serviced in the country it is in. If you seek service in a country that is not the country of purchase, you will comply with all applicable export laws and regulations and be responsible for all custom duties, V.A.T. and other associated taxes and charges. For international service, Apple may repair or exchange defective products and parts with comparable products and parts that comply with local standards.

d. Obtaining Repair or Replacement Service.
To obtain service under this Plan, access the Apple website (www.apple.com/support) or call the toll-free telephone number listed below. Telephone numbers may vary according to your location. When accessing the website, follow the instructions for requesting repair service provided by Apple. If calling, an Apple technical support representative will answer, request your Plan Agreement Number or Covered Equipment serial number, advise you and determine what service is necessary for the Covered Equipment. All service is subject to Apple’s prior approval. Location of service may vary due to your location. Keep your Plan Confirmation document and the original sales receipt for your Covered Equipment and your Plan. Proof of purchase may be required if there is any question as to your product’s eligibility for Plan coverage.

2. Technical Support

a. Telephone and Web Support. Your eligibility for technical support begins on the date your Covered Equipment’s complimentary technical support expires or the date your Coverage Period begins, whichever is later, and terminates at the end of the Coverage Period (“Technical Coverage Period”). During the Technical Coverage Period Apple will provide you with access to telephone technical support and web-based technical support resources. Technical support may include assistance with installation, launch, configuration, troubleshooting, and recovery (except for data recovery), including storing, retrieving, and managing files; interpreting system error messages; and determining when hardware repairs are required. The scope of technical support provided to you will vary according to the Plan you purchased, as follows.

(i) Under APP, Apple will provide technical support for the Covered Equipment, Apple’s operating system software (“Mac OS”) and Apple-branded consumer applications preinstalled with the Covered Equipment (“Consumer Software”).
Apple will also provide technical support using the graphical user interface for server administration and network management issues on Apple’s operating system server software (“Mac OS Server”) pre-installed on a Mac. Apple will provide support for the then-current version of the Mac OS, Mac OS Server and Consumer Software, and the prior Major Release. For purposes of this section, “Major Release” means a significant version of software that is commercially released by Apple in a release number format such as “1.0” or “2.0” and which is not in beta or pre-release form.

(ii) Under APP for iPod, Apple will provide technical support for the Covered Equipment, iPod OS and software applications that are pre-installed with the Covered Equipment (both referred to as “iPod Software”) and connectivity issues between the Covered Equipment and a supported computer, meaning a computer that meets the Covered Equipment’s connectivity specifications and runs an operating system that is supported by the Covered Equipment. Apple will provide support for the then-current version of the iPod Software, and the prior supported Major Release.

(iii) Under APP for Apple Display, Apple will provide technical support for the Covered Equipment and connectivity issues between the Covered Equipment and a supported computer, meaning a computer that meets the Covered Equipment’s connectivity specifications and runs an operating system that is supported by the Covered Equipment. Apple will provide support for the then-current version of the operating system that it provides connectivity assistance for under APP for Apple Display, and the prior supported Major Release.

(iv) Under APP for Apple TV, Apple will provide technical support for the Covered Equipment, software applications that are pre-installed with the Covered Equipment (“Apple TV Software”) and connectivity issues between the Covered Equipment, a supported computer and a supported television.
Apple will provide support for the then-current version of the Apple TV Software and the prior supported Major Release. For purposes of this section, a “supported computer” means a computer that meets the Covered Equipment’s connectivity specifications and runs an operating system that is supported by the Covered Equipment, and a “supported television” means a television that meets the Covered Equipment’s connectivity specifications.

b. Limitations. The Plan does not cover:
(i) Your use of the Mac OS and Consumer Software as server-based applications;
(ii) Issues that could be resolved by upgrading software to the then current version;
(iii) Your use of or modification to the Covered Equipment, the Mac OS, iPod Software, Apple TV Software or Consumer Software in a manner for which the Covered Equipment or software is not intended to be used or modified;
(iv) Third-party products or their effects on or interactions with the Covered Equipment, the Mac OS, Mac OS Server, iPod Software, Apple TV Software or Consumer Software;
(v) Your use of a computer or operating system under APP for iPod that is unrelated to iPod Software or connectivity issues with the Covered Equipment;
(vi) Your use of a computer or operating system under APP for Apple Display that is unrelated to connectivity issues with the Covered Equipment;
(vii) Your use of a computer or operating system under APP for Apple TV that is unrelated to Apple TV Software or connectivity issues with the Covered Equipment;
(viii) Apple software other than the Mac OS, Mac OS Server, iPod Software, Apple TV Software or Consumer Software as covered under the applicable Plan;
(ix) Mac OS software for servers, except when using the graphical user interface for server administration and network management issues on Mac OS Server pre-installed on a Mac;
(x) Mac OS software or any Apple-branded software designated as “beta”, “prerelease,” or “preview” or similarly labeled software;
(xi) Third-party web browsers,
email applications, and Internet service provider software, or the Mac OS configurations necessary for their use, or
(xii) Damage to, or loss of any software or data residing or recorded in the Covered Equipment.

c. Obtaining Technical Support. You may obtain technical support by calling the toll-free telephone number listed below. The Apple technical support representative will provide you technical support. Apple’s hours of service are described below. Apple reserves the right to change its hours of technical service and telephone numbers at any time. Web-based support resources are offered to you at the Apple website (www.apple.com/support).

3. Your Responsibilities

To receive service or support under the Plan, you agree to comply with the following:
a. Provide your Plan Agreement Number and serial number of the Covered Equipment;
b. Provide information about the symptoms and causes of the problems with the Covered Equipment;
c. Respond to requests for information, including but not limited to the Covered Equipment serial number, model, version of the operating system and software installed, any peripheral devices connected or installed on the Covered Equipment, any error messages displayed, actions taken before the Covered Equipment experienced the issue and steps taken to resolve the issue;
d. Follow instructions Apple gives you, including but not limited to refraining from sending Apple products and accessories that are not subject to repair or replacement service and packing the Covered Equipment in accordance with shipping instructions; and
e. Update software to currently published releases prior to seeking service.

4.
Limitation of Liability TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, APPLE AND ITS EMPLOYEES AND AGENTS WILL UNDER NO CIRCUMSTANCES BE LIABLE TO YOU OR ANY SUBSEQUENT OWNER FOR ANY INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO COSTS OF RECOVERING, REPROGRAMMING, OR REPRODUCING ANY PROGRAM OR DATA OR THE FAILURE TO MAINTAIN THE CONFIDENTIALITY OF DATA, ANY LOSS OF BUSINESS, PROFITS, REVENUE OR ANTICIPATED SAVINGS, RESULTING FROM APPLE’S OBLIGATIONS UNDER THIS PLAN. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LIMIT OF APPLE AND ITS EMPLOYEES AND AGENT’S LIABILITY TO YOU AND ANY SUBSEQUENT OWNER ARISING UNDER THE PLAN SHALL NOT EXCEED THE ORIGINAL PRICE PAID FOR THE PLAN. APPLE SPECIFICALLY DOES NOT WARRANT THAT IT WILL BE ABLE TO (i) REPAIR OR REPLACE COVERED EQUIPMENT WITHOUT RISK TO OR LOSS OF PROGRAMS OR DATA, AND (ii) MAINTAIN THE CONFIDENTIALITY OF DATA. English 25 FOR CONSUMERS IN JURISDICTIONS WHO HAVE THE BENEFIT OF CONSUMER PROTECTION LAWS OR REGULATIONS, THE BENEFITS CONFERRED BY THIS PLAN ARE IN ADDITION TO ALL RIGHTS AND REMEDIES PROVIDED UNDER SUCH LAWS AND REGULATIONS. TO THE EXTENT THAT LIABILITY UNDER SUCH LAWS AND REGULATIONS MAY BE LIMITED, APPLE’S LIABILITY IS LIMITED, AT ITS SOLE OPTION, TO REPLACE OR REPAIR OF THE COVERED EQUIPMENT OR SUPPLY OF THE SERVICE. SOME STATES OR PROVINCES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO SOME OR ALL OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. 5. Cancellation You may cancel this Plan at any time for any reason. If you decide to cancel either call Apple at the telephone number below, or send or fax written notice with your Plan Agreement Number to AppleCare Administration, P.O. Box 149125, Austin, TX 78714-9125, U.S. (fax number 512-6748125). A copy of the Plan’s original proof of purchase must accompany your notice. 
Unless local law provides otherwise, if you cancel within thirty (30) days of your Plan’s purchase, or receipt of these Terms and Conditions, whichever occurs later, you will receive a full refund less the value of any service provided under the Plan. If you cancel more than thirty (30) days after your receipt of this Plan, you will receive a pro rata refund of the original purchase price, based on the percentage of unexpired Coverage Period, less (a) a cancellation fee of twenty-five ($25 USD) dollars or ten percent (10%) of the pro-rata amount, whichever is less, and (b) the value of any service provided to you under the Plan. Unless applicable local law provides otherwise, Apple may cancel this Plan if service parts for the Covered Equipment become unavailable, upon thirty (30) days’ prior written notice. If Apple cancels this Plan, you will receive a pro-rata refund for the Plan’s unexpired term.

6. Transfer of Plan
Subject to the restrictions set forth below, you may make a one-time permanent transfer of all of your rights under the Plan to another party, provided that: (a) the transfer must include the original Proof of Purchase, the Plan’s Certificate and all of the Plan’s packaging material, including printed materials and these Terms and Conditions; (b) you notify Apple of the transfer by sending, faxing or emailing notice of transfer to Apple Inc., ATTN: Agreement Administration, MS: 217AC, 2511 Laguna Blvd, Elk Grove, CA 95758, U.S., fax number 916-399-7337 or agmts_transfer@apple.com, respectively; and (c) the party receiving the Plan reads and agrees to accept the Terms and Conditions of the Plan. When notifying Apple of the transfer of the Plan, you must provide the Plan Agreement Number, the serial numbers of the Covered Equipment being transferred and the name, address, telephone number and email address of the new owner.

7. General Terms
a. Apple may subcontract or assign performance of its obligations to third parties but shall not be relieved of its obligations to you in doing so.
b. Apple is not responsible for any failures or delays in performing under the Plan that are due to events outside Apple’s reasonable control.
c. You are not required to perform preventative maintenance on the Covered Equipment to receive service under the Plan.
d. This Plan is offered and valid only in the fifty states of the United States of America, the District of Columbia and Canada. This Plan is not offered to persons who have not reached the age of majority. This Plan is not available where prohibited by law.
e. In carrying out its obligations Apple may, at its discretion and solely for the purposes of monitoring the quality of Apple’s response, record part or all of the calls between you and Apple.
f. You agree that any information or data disclosed to Apple under this Plan is not confidential or proprietary to you. Furthermore, you agree that Apple may collect and process data on your behalf when it provides service. This may include transferring your data to affiliated companies or service providers located in countries where data protection laws may be less comprehensive than your country of residence, including but not limited to Australia, Canada, countries of the European Union, India, Japan, the People’s Republic of China and the U.S.
g. Apple has security measures, which should protect your data against unauthorized access or disclosure as well as unlawful destruction. You will be responsible for the instructions you give to Apple regarding the processing of data, and Apple will seek to comply with those instructions as reasonably necessary for the performance of the service and support obligations under the Plan. If you do not agree with the above or if you have questions regarding how your data may be impacted by being processed in this way, contact Apple at the telephone numbers provided.
h. Apple will protect your information in accordance with Apple Customer Privacy Policy available at URL www.apple.com/legal/privacy. If you wish to have access to the information that Apple holds concerning you or if you want to make changes, access URL www.apple.com/contact/myinfo to update your personal contact preferences or you may contact Apple at privacy@apple.com.
i. The Terms and Conditions of this Plan prevail over any conflicting, additional, or other terms of any purchase order or other document, and constitute your and Apple’s entire understanding with respect to the Plan.
j. Your rights under the Plan are in addition to any warranty rights you may be entitled to. You must purchase and register the Plan while your Covered Equipment is within Apple’s One Year Limited warranty. Apple is not obligated to renew this Plan. If Apple does offer a renewal, it will determine the price and terms.
k. There is no informal dispute settlement process available under this Plan.
l. For Plans sold in the United States, “Apple” is AppleCare Service Company, Inc., an Arizona corporation with its registered office at c/o CT Corporation System, 2394 East Camelback Road, Phoenix, Arizona 85016, doing business in the state of Texas as Apple CSC, Inc., and the obligations of such Plans are backed by the full faith and credit of the provider, AppleCare Service Company, Inc. For Plans sold in Canada, “Apple” is Apple Canada Inc., 7495 Birchmount Road, Markham, Ontario, L3R 5G2, Canada. Apple Canada Inc. is the legal and financial obligor for Plans sold in Canada.
m. The Administrator for Plans sold in the United States is Apple Inc. (the “Administrator”), a California corporation with its registered office at 1 Infinite Loop, Cupertino, California 95014. The Administrator is responsible for the collection and transfer to AppleCare Service Company, Inc. of the purchase price for the Plan and for the administration of claims under the Plan.
n. Except where prohibited by law, the laws of the state of California govern Plans purchased in the United States. Except where prohibited by law, the laws of the province of Ontario govern Plans purchased in Canada. If the law of any jurisdiction where this Plan is purchased is inconsistent with these terms, including the jurisdictions of Arizona, Florida, Georgia, Nevada, Oregon, Vermont, Washington, and Wyoming, the law of that jurisdiction will control.
o. Support services under this Plan may be available in English and French only.
p. There is no deductible payment due in respect of a claim made under this Plan.
q. The Plan will not be cancelled due to pre-existing conditions in the Covered Equipment that are eligible for service under this Plan.

8. State Variations
The following state variations will control if inconsistent with any other provisions of this Plan:

Alabama, California, Hawaii, Maryland, Minnesota, Missouri, New Mexico, New York, Nevada, South Carolina, Texas, Washington and Wyoming Residents
If you cancel this Plan pursuant to Section 5 of these Terms and Conditions, and we fail to refund the purchase price to you within thirty (30) days for California, New York, Missouri and Washington residents, within forty-five (45) days for Alabama, Hawaii, Maryland, Minnesota, Nevada, South Carolina, Texas and Wyoming residents, and within sixty (60) days for New Mexico residents, we are required to pay you a penalty of 10% per month for the unpaid amount due and owing to you. The right to cancel and receive this penalty payment only applies to the original owner of the Agreement and may not be transferred or assigned. The obligations of the provider under this service contract are backed by the full faith and credit of the provider, AppleCare Service Company, Inc.

California Residents
If you cancel within thirty (30) days of your Plan receipt, you will receive a full refund less the value of any service provided under the Plan.
Colorado Residents
Notice: This Plan is subject to the Colorado Consumer Protection Act or the Unfair Practices Act, Articles 1 and 2 of Title 6, CRS.

Connecticut Residents
The expiration date of the Plan will automatically be extended by the period that the Covered Equipment is in Apple’s custody while being serviced. Resolution of Disputes: Disputes may be resolved by arbitration. Unresolved disputes or complaints may be mailed, with a copy of this Plan, to State of Connecticut, Insurance Dept., P.O. Box 816, Hartford, CT 06142-0846, Attn: Consumer Affairs.

Florida Residents
The laws of the State of Florida will govern this Plan and any disputes arising under it. The rate charged for the contract is not subject to regulation by the Florida Office of Insurance Regulation.

Michigan Residents
If performance of the service contract is interrupted because of a strike or work stoppage at the company’s place of business, the effective period of the service contract shall be extended for the period of the strike or work stoppage.

Nevada Residents
Cancellations: No Plan that has been in effect for at least 70 days may be canceled by the provider before the expiration of the agreed term or one year after the effective date of the Plan, whichever occurs first, except on the following grounds:
a. Failure by the holder to pay an amount due;
b. Conviction of the holder of a crime which results in an increase in the service required;
c. Discovery of fraud or material misrepresentation by the holder in obtaining the Plan, or in presenting a claim for service thereunder;
d. Discovery of an act or omission by the holder, or a violation by the holder of any condition of the Plan, which occurred after the effective date of the Plan and which substantially and materially increases the service required under the Plan;
e. A material change in the nature or extent of the required service or repair which occurs after the effective date of the Plan and which causes the required service or repair to be substantially and materially increased beyond that contemplated at the time that the Plan was issued or sold.
Grounds for cancellation; date cancellation effective. No cancellation of a service contract may become effective until at least 15 days after the notice of cancellation is mailed to the holder.
Cancellation of contract; Refund of purchase price; cancellation fee.
(i) If Apple cancels this Plan, Apple shall refund to Nevada consumers the portion of the purchase price that is unearned. Apple may deduct any outstanding balance on your account from the amount of the purchase price that is unearned when calculating the amount of the refund. If Apple cancels a contract pursuant to NRS 690C.270, it may not impose a cancellation fee.
(ii) Except as otherwise provided in this section, a Nevada resident who is the original purchaser of this Plan, who submits to Apple a request in writing to cancel the Plan in accordance with the terms of the Plan, shall receive a refund of the portion of the Plan’s purchase price that is unearned.
(iii) If you request the cancellation of this Plan, Apple may impose the cancellation fee described in the Plan, but will not deduct the value of any service provided.
(iv) When Apple calculates the amount of a refund pursuant to subsection (ii), it may deduct from the portion of the purchase price that is unearned: (a) any outstanding balance on the account; and (b) any cancellation fee imposed pursuant to this Plan.
AppleCare Service Company, Inc. backs this Plan for Nevada residents by its full faith and credit.
New Hampshire Residents
In the event you do not receive satisfaction under this contract, you may contact the New Hampshire insurance department, by mail at State Of New Hampshire Insurance Department, 21 South Fruit Street, Suite 14, Concord NH 03301, or by telephone, via Consumer Assistance, at 800-852-3416.

New Mexico Residents
Cancellations: No Plan that has been in effect for at least 70 days may be canceled by the provider before the expiration of the agreed term or one year after the effective date of the Plan, whichever occurs first, except on the following grounds:
a. Failure by the holder to pay an amount due;
b. Conviction of the holder of a crime which results in an increase in the service required;
c. Discovery of fraud or material misrepresentation by the holder in obtaining the Plan, or in presenting a claim for service thereunder;
d. Discovery of an act or omission by the holder, or a violation by the holder of any condition of the Plan, which occurred after the effective date of the Plan and which substantially and materially increases the service required under the Plan;
e. A material change in the nature or extent of the required service or repair which occurs after the effective date of the Plan and which causes the required service or repair to be substantially and materially increased beyond that contemplated at the time that the Plan was issued or sold.

North Carolina Residents
The purchase of this Plan is not required either to purchase or to obtain financing for computer equipment. Apple will not cancel this plan EXCEPT for failure to pay the purchase price for the Plan.

Oregon Residents
In the event you do not receive satisfaction under this contract, you may contact the Oregon Department of Consumer and Business Services by mail at the Department of Consumer and Business Services, Oregon Insurance Division, 350 Winter Street NE, Salem, OR 97301; or by telephone via Consumer Advocacy, at 888-877-4894.
South Carolina Residents
Unresolved complaints or Plan regulation questions may be addressed to the South Carolina Department of Insurance, P.O. Box 100105, Columbia, South Carolina 29202-3105, Tel: 1-800-768-3467.

Tennessee Residents
This Plan shall be extended as follows: (1) the number of days the consumer is deprived of the use of the product because the product is in repair; plus two (2) additional workdays.

Texas Residents
The provider may cancel this Plan with no prior notice for nonpayment, misrepresentation or a substantial breach of a duty by the holder relating to the Covered Equipment or its use. Unresolved complaints or Contract regulation questions may be addressed to the TX Dept. of Licensing and Regulation, P.O. Box 12157, Austin, TX 78711, U.S.

Wisconsin Residents
THIS WARRANTY IS SUBJECT TO LIMITED REGULATION BY THE OFFICE OF THE COMMISSIONER OF INSURANCE. If you cancel within thirty (30) days of your Plan’s purchase, or receipt of these Terms and Conditions, whichever occurs later, you will receive a full refund. If you cancel more than thirty (30) days after your receipt of the Plan, you will receive a pro-rata refund of the original purchase price, based on the percentage of unexpired Coverage Period, less a cancellation fee of twenty-five ($25 USD) dollars or ten percent (10%) of the pro-rata amount, whichever is less. No deduction shall be made from the refund for the cost of any service received. Apple will not cancel this plan EXCEPT for failure to pay the purchase price for the plan. If Apple cancels the Plan, you will receive a pro-rata refund for the Plan’s unexpired term.

Wyoming Residents
If Apple cancels this Plan, Apple will mail to you written notice of the cancellation at your last known address contained in Apple’s records no less than ten (10) days prior to the effective cancellation date. The prior written notice will contain the effective date of cancellation and the reasons for cancellation.
Apple is not obligated to provide prior notice if cancellation is due to nonpayment of the Plan, a material misrepresentation by you to Apple, a substantial breach of your duties under the Plan or a substantial breach of your duties relating to the Covered Equipment or its use. Disputes arising under this Plan may be settled in accordance with the Wyoming Arbitration Act.

Toll-Free Numbers
In the U.S.: 800-APL-CARE (800-275-2273), seven days a week, 8:00 A.M. to 8:00 P.M. Central time *
In Canada: 800-263-3394, seven days a week, 9:00 A.M. to 9:00 P.M. Eastern time *
* Telephone numbers and hours of operation may vary and are subject to change. You can find the most up-to-date local and international contact information at www.apple.com/contact/phone_contacts.html. Toll-free numbers are not available in all countries.

APP NA v.5.3

AppleCare Protection Plan for Apple TV
Fact Sheet

Service and support from the people who know your Apple TV best
The AppleCare Protection Plan for Apple TV extends the complimentary coverage of your Apple TV to up to two years* of worldwide support. It includes assistance from specialists and offers you web-based resources at www.apple.com/ca/fr/support/appletv. If your Apple TV or its included accessories need any repair, Apple will repair or replace them**.

Warranty information
This comprehensive plan is available for all Apple TV models still covered by the one-year warranty. If you sell the covered Apple TV before the AppleCare Protection Plan for Apple TV expires, you may transfer the plan to the new owner**. You must purchase an AppleCare Protection Plan for each Apple TV you wish to cover.
Keep the Proof of Coverage document, the original invoices for the Apple TV and the receipt for the AppleCare Protection Plan for Apple TV. Apple may request proof of purchase if there is any doubt about your Apple TV’s eligibility for coverage under the AppleCare Protection Plan.

Technical support options
If problems arise while using your Apple TV, follow the instructions in the Quick Reference Guide to work through the troubleshooting tips. If you cannot resolve the problem yourself, AppleCare staff can help you diagnose the problem with your Apple TV, its connection to iTunes and its connection to your television. You will find the list of contacts and the hours of Apple’s technical support service in the Quick Reference Guide. Through the AppleCare Protection Plan for Apple TV, Apple provides the same service to Mac and Windows users.

Hardware service
This plan extends the repair and replacement service of Apple’s one-year warranty to coverage lasting up to two years from the date of purchase of your Apple TV. If you use Apple’s service, carrier pick-up at your home or carry-in service options apply. See the Quick Reference Guide for more information on obtaining these services. Replacement hardware supplied by Apple as part of the repair or replacement service may be new or equivalent to new in performance and reliability.

* From the original purchase date of your Apple TV.
** For more information, see the enclosed AppleCare Protection Plan Terms and Conditions.

AppleCare Protection Plan for Apple TV
Quick Reference Guide
Try the following simple steps before calling Apple for help. For any problem with the Apple TV, follow the troubleshooting procedures below. As a precaution, back up all the data on your computer before troubleshooting.

Make sure you have the latest version of iTunes. You can download the latest version of iTunes from www.apple.com/ca/fr/itunes/download for Canada.

Visit the Apple TV technical support website. This site contains links to the various service options available to you, getting-started guides for the Apple TV, discussion forums and many other question-and-answer resources, all available 24 hours a day at www.apple.com/ca/fr/support/appletv for Canada.

Contact Apple for further assistance. If the procedures in this guide do not resolve the problem you have encountered, contact Apple. An Apple technician will ask you for your AppleCare Protection Plan for Apple TV agreement number or the serial number of your Apple TV, located on the bottom of the device.

In the U.S.: 800-APL-CARE (800-275-2273), 7 days a week, 8:00 A.M. to 8:00 P.M. (Central time)*
In Canada: 800-263-3394, 7 days a week, 9:00 A.M. to 9:00 P.M. (Eastern time)*
* Telephone numbers and hours of operation may vary and are subject to change.
You will find the latest list of national and international contacts at www.apple.com/contact/phone_contacts.html.

AppleCare Protection Plan
AppleCare Protection Plan for iPod
AppleCare Protection Plan for Apple Display
AppleCare Protection Plan for Apple TV
Terms and Conditions

Your AppleCare Protection Plan (hereinafter “APP”), AppleCare Protection Plan for iPod (hereinafter “APP for iPod”), AppleCare Protection Plan for Apple Display (hereinafter “APP for Apple Display”) or AppleCare Protection Plan for Apple TV (hereinafter “APP for Apple TV”) (each referred to hereinafter as the “Plan”) is governed by these terms and conditions, and these terms and conditions constitute your contract with the Apple entity described in section 7.l below (hereinafter “Apple”). Subject to these terms and conditions, your Plan (i) covers defects in the Apple-branded product(s) listed in your Plan’s Certificate or Proof of Coverage (hereinafter “Plan Confirmation”) and the accessories included in the original packaging of the product(s) (hereinafter the “Covered Equipment”), and (ii) provides you with telephone assistance and access to web-based support resources for the Covered Equipment. To obtain the Plan Confirmation, you must register your unique agreement or registration number (hereinafter “Plan Agreement Number”) as described in the instructions included in the Plan’s packaging. Customers who have chosen the Auto-Registration option, where offered, will automatically receive a Plan Confirmation. The term of this Plan (hereinafter “Coverage Period”) is the period ending on the date stated on the Plan Confirmation. The price of the Plan appears on the original Plan invoice.

1. Repair Coverage
a. Scope of Coverage. Your coverage for defects takes effect on the date your Apple hardware warranty for the Covered Equipment expires and terminates (“Repair Coverage Period”). Apple will provide parts and labor, but may ask you to replace certain easily installed parts yourself. This process is described below. The replacement product and replacement parts supplied by Apple may be manufactured from new parts or parts equivalent to new in performance and reliability. Any replacement part or product will be functionally equivalent to the part or product replaced and will remain covered for the Coverage Period remaining under the Plan. Any part or product replaced becomes Apple’s property. Apple strongly recommends that you make a backup copy of the data and software residing or stored in the Covered Equipment before making the Covered Equipment available for repair or replacement service. The scope of support provided to you will vary according to the Plan you purchase, as follows.
(i) For the APP, Apple covers the Covered Equipment and one Apple-branded display, provided it was purchased and registered at the same time as a covered Mac computer. An Apple-branded mouse and keyboard are also covered if they are part of the Covered Equipment (or are purchased with a Mac mini). An AirPort Extreme Card, AirPort Express or AirPort Extreme Base Stations and Time Capsule, an Apple-branded DVI/CAN video card, and an Apple-branded MacBook Air SuperDrive and RAM modules are also covered under the APP if they are used with the Covered Equipment and were originally purchased by you up to two (2) years before the purchase of your Mac or during the term of the APP.
If, during the Repair Coverage Period, the Covered Equipment or another covered item as indicated above has defects in materials or workmanship, Apple will, at its option, repair or replace the defective covered item.
(ii) For the APP for iPod, Apple will, at its option, repair or replace the affected Covered Equipment (a) if, during the Repair Coverage Period, the Covered Equipment has defects in materials or workmanship, or (b) if, during the Coverage Period, the ability of the covered iPod battery to hold an electrical charge has depleted by fifty percent (50%) or more from its original specification after being fully recharged and the covered iPod hardware plays music with all settings at their defaults.
(iii) For the APP for Apple Display or the APP for Apple TV, Apple will, at its option, repair or replace the affected Covered Equipment if, during the Repair Coverage Period, the Covered Equipment has defects in materials or workmanship. An AirPort Extreme Card, AirPort Express or AirPort Extreme Base Stations and Time Capsule are also covered under the APP for Apple TV if they are used with the Covered Equipment and were originally purchased by you up to two (2) years before the purchase of your Apple TV or during the term of your APP for Apple TV.

b. Exclusions. This Plan does not cover:
(i) installation, removal or relocation of the Covered Equipment; installation, removal, relocation, repair or maintenance of a non-covered product (including accessories, peripherals or other devices such as external modems); or electrical services that are not inherent to the Covered Equipment;
(ii) damage to the Covered Equipment caused by accident, abuse, neglect, misuse (including improper installation, repair or maintenance performed by anyone other than Apple or an Apple Authorized Service Provider), unauthorized modification, an unsuitable environment (including inadequate temperature or humidity), unusual physical or electrical stress or interference, power fluctuations or surges, lightning, static electricity, fire, acts of God or other external causes;
(iii) Covered Equipment whose serial number has been altered, defaced or removed;
(iv) problems caused by a device that is not part of the Covered Equipment, including hardware that is not Apple-branded, whether or not it was acquired at the same time as the Covered Equipment;
(v) service needed to comply with the regulations of a government agency or body adopted after the date of this Plan;
(vi) the provision of a replacement product during the period in which the Covered Equipment is being repaired;
(vii) Covered Equipment that has been lost or stolen.
This Plan covers only Covered Equipment that is returned to Apple in its entirety;
(viii) cosmetic damage to the Covered Equipment (including scratches, dents and broken plastic on ports);
(ix) consumables such as batteries, except for the iPod battery covered under the APP for iPod or unless the failure occurred due to a defect in materials or workmanship;
(x) preventive maintenance of the Covered Equipment;
(xi) defects resulting from normal wear and tear or otherwise from normal aging of the product; or
(xii) damage to, or loss of, software or data residing or stored in the Covered Equipment.

In providing repair or replacement service, Apple will use all reasonable efforts to reinstall the original software configuration of the covered hardware and subsequent updates, but will provide no recovery or transfer service for software or data contained in the replaced product that was not originally installed on the Covered Equipment. THE CONTENTS OF YOUR iPOD WILL BE LOST AND THE STORAGE MEDIA WILL BE REFORMATTED DURING iPOD SERVICE. Your iPod or a replacement iPod will be returned to you configured as it was when purchased, subject to applicable updates. As part of the service, Apple may install updates to the base software (“iPod OS”) that will prevent the iPod from reverting to an earlier version of the iPod OS. Third-party applications installed on the iPod may not be compatible or may not work following the iPod OS update. You are responsible for reinstalling other software programs, data and passwords. Recovery and reinstallation of user software programs and data are not covered under this Plan.

c.
Repair or Replacement Service Options. Apple may provide the service in question through one or more of the following methods:
(i) Carry-in service is available for most components of the Covered Equipment. You must return the defective Covered Equipment to an Apple-owned retail store or to an Apple Authorized Service Provider that offers carry-in service. Repair or replacement service will be performed on site or at an Apple repair center to which the store or service provider will have sent the Covered Equipment needing repair. You must retrieve the product promptly after being notified of its repair or replacement.
(ii) Onsite service is available for many personal computers, provided that the Covered Equipment is located within 50 miles or 80 kilometers of an authorized onsite service provider located in the United States of America or Canada. Onsite service is not available for certain parts. Parts that cannot be repaired by onsite service may be repaired under the do-it-yourself parts service described below. Apple will send a technician to the location of the Covered Equipment to provide the repair or replacement service. Either the service will be performed on site, or the technician will transport the Covered Equipment to an Apple Authorized Service Provider or an Apple repair center for repair. If the Covered Equipment is repaired at an Apple Authorized Service Provider or an Apple repair center, Apple will arrange for the Covered Equipment to be transported to your premises following the service.
Si le technicien n’est pas donné accès au Produit Couvert à l’heure convenue, tout service sur place additionnel pourrait être assujetti aux frais de service supplémentaires. (iii) Le service de réparation par envoi du matériel en panne par courrier est offert pour la plupart des Produits couverts. Lorsque Apple décide que votre Produit couvert peut être réparé moyennant ce service, Apple vous enverra des lettres de transport prépayées (et au cas où vous ne posséderiez plus l’emballage original, Apple peut vous faire parvenir un emballage) afin que vous expédiez le Produit couvert à l’un des centres de réparation Apple conformément à ses instructions. Lorsque la réparation est terminée, le centre de réparation Apple vous renvoie le Produit couvert. Apple paiera les frais d’expédition aller-retour à partir de l’endroit où est situé le Produit couvert à la condition que vous respectiez toutes les instructions fournies par Apple.Français 53 (iv) Le service de réparation par envoi de pièces à installer vous-même est offert pour un grand nombre de pièces du Produit couvert, afin que vous répariez votre propre produit. Lorsque les circonstances permettent ce service, la procédure suivante s’applique. (A) Le service de réparation par envoi de pièces à installer vous-même pour lequel Apple exige le retour des pièces remplacées. Apple peut exiger une autorisation de débit du compte de votre carte de crédit comme garantie du prix de détail de la pièce de rechange et des frais d’expédition applicables. Si vous n’êtes pas en mesure de fournir une telle autorisation, le service de réparation par envoi de pièces à installer vous-même peut vous être refusé, et Apple vous proposera d’autres solutions pour la réparation. Apple vous expédiera une pièce de rechange avec des instructions sur son installation et toute exigence relative au retour de la pièce remplacée. 
Si vous vous conformez aux instructions, Apple annulera l’autorisation de débit du compte de votre carte de crédit, de sorte que votre compte ne sera pas débité pour le prix de la pièce et les frais de transport aller-retour à partir de l’endroit où le Produit couvert est situé. Si vous omettez de retourner la pièce remplacée de la manière prescrite ou si vous retournez une pièce qui n’est pas 54 Français admissible au service, Apple facturera le compte de votre carte de crédit pour le montant autorisé. (B) Le service de réparation par envoi de pièces à installer vous-même pour lequel Apple n’exige pas le retour des pièces remplacées. Apple vous enverra gratuitement une pièce de rechange accompagnée des instructions pour l’installation et toute condition relative à la disposition de la pièce remplacée. (C) Apple n’est pas responsable du coût de la main-d’œuvre relié au service de réparation par envoi de pièces à installer vous-même. Si vous exigez une assistance supplémentaire, veuillez communiquer avec Apple au numéro de téléphone sans frais indiqué ci-dessous. Apple se réserve le droit de modifier à tout moment la méthode par laquelle Apple peut vous fournir le service de réparation ou de remplacement, et le droit de votre Produit couvert à bénéficier d’une méthode particulière de service, notamment le service sur place. Les méthodes de service seront limitées aux méthodes disponibles dans le pays où le service est demandé. Votre droit à bénéficier d’une méthode particulière de service, la disponibilité des pièces de rechange et le temps de réponse sont susceptibles de varier d’un pays à l’autre. Vous pourrez être responsable des frais de transport et de manutention si le service Français 55 ne peut pas être fourni dans le pays où le Produit couvert se trouve. 
If you seek service in a country that is not the country of purchase, you must comply with all applicable export laws and regulations, and you will be responsible for all customs duties, VAT and other associated taxes and charges. For international service, Apple may repair or exchange defective products and parts with comparable products and parts that comply with local standards.

d. Obtaining Repair Service. To obtain repair service under this Plan, please visit Apple's website (www.apple.com/support or www.apple.com/ca/fr/support) or call the toll-free telephone number listed below. Telephone numbers may vary depending on your location. When you access the website, follow the instructions provided by Apple. If you call the telephone number, a technical support representative will answer, request your Plan Agreement Number or the serial number of the Covered Equipment, advise you, and determine what service is required for the Covered Equipment. All service is subject to Apple's prior approval. The service location may vary depending on your location. Keep your Plan Confirmation and the original sales receipt for the Covered Equipment and for your Plan purchase. Proof of purchase may be required if there is any question as to whether your product is covered by the Plan.

2. Technical Support

a. Telephone and Internet Technical Support. Your eligibility for technical support begins on the expiration date of the complimentary technical support or on the start date of your Coverage Period, whichever is later, and ends at the end of the Coverage Period (the "Technical Support Period"). During the Technical Support Period, Apple will provide you with telephone technical support and Internet resources. This support may include assistance with installation, launch, configuration, troubleshooting and recovery (excluding data recovery), including storage, retrieval and management of files; interpretation of system error messages; and determining whether hardware repair is appropriate. The scope of the technical support provided to you will vary depending on the Plan purchased, as follows.

(i) For the APP, Apple will provide technical support for the Covered Equipment, the Apple operating system ("Mac OS") and Apple-branded consumer applications preinstalled with the Covered Equipment (the "Consumer Software"). In addition, Apple will provide technical support for server or network administration issues using the graphical user interface of the Apple server operating system software ("Mac OS Server") preinstalled on a Mac. Apple will provide technical support for the then-current version of the Mac OS, Mac OS Server and Consumer Software, and for the immediately prior major release. For purposes of this section, "major release" means a significant version of the software that is commercially released by Apple with a version number in a format such as "1.0" or "2.0" and that is not a beta or pre-release version.

(ii) For the APP for iPod, Apple will provide technical support for the Covered Equipment, the iPod OS and the software preinstalled with the Covered Equipment (both referred to as the "iPod Software"), and for connectivity issues between the Covered Equipment and a supported computer, i.e. a computer that meets the connectivity specifications of the Covered Equipment and runs an operating system supported by the Covered Equipment. Apple will provide technical support for the then-current version of the iPod Software and for the immediately prior supported major release.

(iii) For the APP for Apple Display, Apple will provide technical support for the Covered Equipment and for connectivity issues between the Covered Equipment and a supported computer, i.e. a computer that meets the connectivity specifications of the Covered Equipment and runs an operating system supported by the Covered Equipment. Apple will provide technical support for the then-current version of the operating system for which it provides connectivity support under the APP for Apple Display and for the immediately prior supported major release.

(iv) For the APP for Apple TV, Apple will provide technical support for the Covered Equipment, the software preinstalled with the Covered Equipment (the "Apple TV Software") and for connectivity issues between the Covered Equipment, a supported computer and a supported television. Apple will provide technical support for the then-current version of the Apple TV Software and for the immediately prior supported major release. For purposes of this section, a "supported computer" means a computer that meets the connectivity specifications of the Covered Equipment and runs an operating system supported by the Covered Equipment, and a "supported television" means a television that meets the connectivity specifications of the Covered Equipment.

b. Exclusions.
The Plan does not cover: (i) your use of the Mac OS operating system and Consumer Software as server applications; (ii) issues that could be resolved by upgrading the software to the then-current version; (iii) your use or modification of the Covered Equipment, the Mac OS operating system, the iPod Software, the Apple TV Software or the Consumer Software in a manner for which the Covered Equipment or the software is not intended to be used or modified; (iv) third-party products or their effects on or interactions with the Covered Equipment, the Mac OS operating system, Mac OS Server, the iPod Software, the Apple TV Software or the Consumer Software; (v) your use of a computer or operating system under the APP for iPod that is unrelated to the iPod Software or to connectivity issues with the Covered Equipment; (vi) your use of a computer or operating system under the APP for Apple Display that is unrelated to connectivity issues with the Covered Equipment; (vii) your use of a computer or operating system under the APP for Apple TV that is unrelated to the Apple TV Software or to connectivity issues with the Covered Equipment; (viii) Apple software other than the Mac OS operating system, Mac OS Server, the iPod Software and the Consumer Software, as covered under the applicable Plan; (ix) Mac OS server software, except for the use of the graphical user interface preinstalled on Mac OS Server for server or network administration issues; (x) Mac OS software or any Apple-branded software designated as "beta", "prerelease", "preview" or similarly labeled; (xi) third-party web browsers and e-mail applications, and Internet service provider software, or the Mac OS configurations necessary for their use; or (xii) damage to, or loss of, any software or data residing or recorded in the Covered Equipment.

c. Obtaining Technical Support. You may obtain technical support by calling the toll-free telephone number listed below. Apple's technical support representative will provide technical support to you. Apple's service hours are listed below. These hours may change from time to time. Apple reserves the right to change these service hours and telephone numbers at any time. Online support resources are available on Apple's website (www.apple.com/support or www.apple.com/ca/fr/support).

3. Your Responsibilities

To receive service or support under the Plan, you agree to comply with the following requirements:

a. provide your Plan Agreement Number and the serial number of the Covered Equipment;
b. provide information about the symptoms and causes of the problems with the Covered Equipment;
c. respond to requests for information, including but not limited to the serial number of the Covered Equipment, the model, the version of the operating system and software installed, any peripherals connected to or installed on the Covered Equipment, any error messages displayed, the actions taken before the Covered Equipment experienced the problem, and the steps taken to resolve the problem;
d. follow the instructions Apple gives you, including but not limited to not sending Apple products and accessories for which repair or replacement service is not offered, and packing the Covered Equipment in accordance with its shipping instructions; and
e. update software to currently published releases before requesting repair or replacement service.

4. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, APPLE AND ITS EMPLOYEES AND AGENTS WILL UNDER NO CIRCUMSTANCES BE LIABLE TO YOU OR ANY SUBSEQUENT OWNER FOR ANY INDIRECT OR INCIDENTAL DAMAGES ARISING FROM APPLE'S OBLIGATIONS UNDER THIS PLAN, INCLUDING BUT NOT LIMITED TO THE COSTS OF RECOVERING, REPROGRAMMING OR REPRODUCING ANY PROGRAM OR DATA, OR THE FAILURE TO MAINTAIN THE CONFIDENTIALITY OF DATA, OR ANY LOSS OF BUSINESS, PROFITS, REVENUE OR ANTICIPATED SAVINGS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LIABILITY OF APPLE AND ITS EMPLOYEES AND AGENTS TO YOU AND ANY SUBSEQUENT OWNER ARISING UNDER THE PLAN SHALL NOT EXCEED THE AMOUNT PAID FOR THIS PLAN. IN PARTICULAR, APPLE DOES NOT WARRANT THAT IT WILL BE ABLE TO (i) REPAIR OR REPLACE THE COVERED EQUIPMENT WITHOUT RISK OF LOSS OF OR DAMAGE TO SOFTWARE OR DATA, OR (ii) MAINTAIN THE CONFIDENTIALITY OF DATA. FOR CONSUMERS WHO ARE COVERED BY CONSUMER PROTECTION LAWS OR REGULATIONS, THE BENEFITS CONFERRED BY THIS PLAN ARE IN ADDITION TO ALL RIGHTS AND REMEDIES PROVIDED UNDER SUCH LAWS AND REGULATIONS. TO THE EXTENT THAT LIABILITY UNDER SUCH LAWS OR REGULATIONS MAY BE LIMITED, APPLE'S LIABILITY IS LIMITED, AT ITS SOLE OPTION, TO REPLACEMENT OR REPAIR OF THE COVERED EQUIPMENT OR SUPPLY OF THE SERVICE. SOME STATES AND PROVINCES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL DAMAGES, SO SOME OR ALL OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

5. Cancellation

You may cancel this Plan at any time, for any reason. To do so, contact Apple by calling the telephone number listed below, or by sending or faxing written notice stating your Plan Agreement Number to: AppleCare Administration, P.O. Box 149125, Austin, TX 78714-9125, U.S. (fax number 512-674-8125). A copy of your Plan's proof of purchase should accompany your notice. Unless local law provides otherwise, if you cancel within thirty (30) days of your Plan's purchase or of receipt of these Terms and Conditions, whichever occurs later, you will receive a full refund, less the value of any service provided under the Plan. If you cancel more than thirty (30) days after your receipt of this Plan, you will receive a pro rata refund of the original purchase price of this Plan, based on the percentage of unexpired Coverage Period, less (a) a cancellation fee of twenty-five dollars ($25 US) or ten percent (10%) of the pro rata amount, whichever is less, and (b) the value of any service provided to you under the Plan. Unless local law provides otherwise, Apple may cancel this Plan if replacement parts for the Covered Equipment become unavailable, upon thirty (30) days' prior written notice. If Apple cancels this Plan, you will receive a pro rata refund for the Plan's unexpired term.

6. Transfer of Plan

Subject to the restrictions set forth below, you may make a one-time permanent transfer of all of your rights under the Plan to another party, provided that: (a) the transfer includes the original proof of purchase, the Plan Certificate, including the printed materials, and these Terms and Conditions; (b) you notify Apple of the transfer by sending, faxing or e-mailing notice of transfer to Apple Inc., ATT: Agreement Administration, MS: 217AC, 2511 Laguna Blvd, Elk Grove, CA 95758, U.S., fax number 916-399-7337, or agmts_transfer@apple.com, respectively; and (c) the party receiving the Plan reads and agrees to accept the terms and conditions of the Plan. When notifying Apple of the transfer of the Plan, you must provide your Plan Agreement Number, the serial number(s) of the Covered Equipment being transferred, proof of purchase of the Plan, and the name, address, telephone number and e-mail address of the new owner.

7. General Terms

a. Apple may subcontract or assign performance of its obligations to third parties, but shall not be relieved of its obligations to you in doing so.

b. Apple is not responsible for any failures or delays in performing under the Plan that are due to events outside Apple's reasonable control.

c. You are not required to perform preventive maintenance on the Covered Equipment in order to receive service under this Plan.

d. This Plan is offered and valid only in the fifty states of the United States of America, the District of Columbia and Canada. This Plan is not offered to persons who have not reached the age of majority. This Plan is not available where prohibited by law.

e. In carrying out its obligations, Apple may, at its sole discretion and solely for the purposes of monitoring the quality of its customer service, record all or part of the telephone communications between you and Apple.

f. You agree that any information given or disclosed to Apple under this Plan is not confidential or proprietary. Furthermore, you agree that Apple may collect and process data on your behalf when it provides service. This may involve Apple transferring your data to affiliated companies or service providers located in countries where data protection laws may be less comprehensive than in your country of residence, including Australia, Canada, the European Union, India, Japan, the People's Republic of China and the United States of America.

g. Apple has security measures in place that protect against unauthorized access or disclosure and unlawful destruction. You assume responsibility for the instructions you give Apple regarding the processing of data, and Apple will seek to comply with those instructions as reasonably necessary to perform the repair service and support obligations under this Plan. If you do not agree with the above, or if you have questions regarding the consequences of such processing of your data, please notify Apple at the telephone numbers listed.

h. Apple will protect your personal information in accordance with the Apple Customer Privacy Policy, available at www.apple.com/legal/privacy or www.apple.com/ca/fr/legal/privacy.
If you wish to access the information that Apple holds about you, or to change it, go to www.apple.com/contact/myinfo to update your personal contact details, or contact Apple at privacy@apple.com.

i. The terms and conditions of this Plan prevail over any conflicting, additional or other terms of any purchase order or other document, and constitute your and Apple's entire understanding with respect to the Plan.

j. Your rights under the Plan are in addition to any warranty rights to which you may be entitled. You must purchase and register the Plan during Apple's one-year limited warranty period for the Covered Equipment. Apple is not obligated to renew this Plan. If Apple does offer to renew the Plan, it will determine the price and terms.

k. There is no informal dispute settlement process available under this Plan.

l. For Plans sold in the United States of America, "Apple" is AppleCare Service Company, Inc., a corporation organized under the laws of Arizona, with its registered office at c/o CT Corporation System, 2394 East Camelback Road, Phoenix, Arizona 85016, doing business in the State of Texas as Apple CSC, Inc. The obligations under such Plans are backed by the full faith and credit of AppleCare Service Company, Inc. For Plans sold in Canada, "Apple" is Apple Canada Inc., 7495 Birchmount Road, Markham, Ontario L3R 5G2 Canada. Apple Canada Inc. is the legal and financial obligor for Plans sold in Canada.

m. The administrator of Plans sold in the United States of America is Apple, Inc. (the "Administrator"), a corporation organized under the laws of California, with its registered office at 1 Infinite Loop, Cupertino, California 95014. The Administrator is responsible for collecting and transferring the Plan purchase price to AppleCare Service Company, Inc. and for administering claims under the Plan.

n. The laws of the State of California govern Plans purchased in the United States of America, except where prohibited by law. The laws of the Province of Ontario govern Plans purchased in Canada, except where prohibited by law. If the laws of a jurisdiction in which this Plan is purchased are inconsistent with these terms and conditions, including the jurisdictions of Arizona, Florida, Georgia, Nevada, Oregon, Vermont, Washington and Wyoming, the laws of that jurisdiction will prevail.

o. Support services under this Plan may be available only in English and French.

p. No deductible is payable for a claim under this Plan.

q. The Plan will not be cancelled because of pre-existing conditions in Covered Equipment that is eligible for service under the Plan.

8. State Variations
The following state variations control if inconsistent with any other provision of this Plan:

Residents of Alabama, California, Hawaii, Maryland, Minnesota, Missouri, New Mexico, New York, Nevada, South Carolina, Texas, Washington and Wyoming
If you cancel this contract pursuant to Section 5 of these Terms and Conditions, and we fail to refund the purchase price within thirty (30) days for residents of California, New York, Missouri and Washington, forty-five (45) days for residents of Alabama, Hawaii, Maryland, Minnesota, Nevada, South Carolina, Texas and Wyoming, or sixty (60) days for residents of New Mexico, we undertake to pay you a penalty of 10% per month on the unpaid amount we owe you. The right to cancel and receive this penalty applies only to the original owner of the contract and may not be assigned or transferred. The provider's obligations under this service contract are backed by the full faith and credit of the provider, AppleCare Service Company, Inc.

Residents of California
If you cancel within thirty (30) days of receipt of your Plan, you will receive a full refund, less the value of any service provided under this Plan.

Residents of Colorado
Notice: This Plan is governed by the Colorado Consumer Protection Act or the Unfair Practices Act, Articles 1 and 2 of Title 6, CRS.

Residents of Connecticut
The expiration date of the Plan will automatically be extended by the period during which the covered equipment is in Apple's possession for repair. Dispute resolution: disputes may be resolved by arbitration. Unresolved disputes or complaints must be put in writing and mailed, together with a copy of this Plan, to the State of Connecticut, Insurance Dept., P.O. Box 816, Hartford, CT 06142-0846, Attn: Consumer Affairs.

Residents of Florida
This Plan and any dispute arising under the Plan will be governed by the laws of the State of Florida. The rate charged for the contract is not subject to regulation by the Florida Office of Insurance Regulation.

Residents of Michigan
If performance of this service contract is interrupted because of a strike or work stoppage at the company's place of business, the effective period of this service contract will be extended for the period of the strike or work stoppage.

Residents of Nevada
Cancellation: No Plan that has been in effect for at least seventy (70) days may be cancelled by the provider before the expiration of the agreed term or one year after the Plan's effective date, whichever occurs first, except for the following reasons: a. failure by the holder to pay an amount when due; b. conviction of the holder of a crime that results in an increase in the service required under the Plan; c. discovery of fraud or material misrepresentation by the holder in obtaining the Plan, or in presenting a claim for service under the Plan; d. discovery of an act or omission by the holder, or a violation by the holder of any condition of the Plan, which occurred after the effective date of the Plan and which substantially and materially increases the service required under the Plan; e. a material change in the nature or extent of the required service or repair which occurs after the effective date of the Plan and which causes the required service or repair to be substantially and materially increased beyond that contemplated at the time the Plan was issued or sold.

Grounds for cancellation; effective date of cancellation. No cancellation of a service contract may become effective until at least fifteen (15) days after the notice of cancellation is mailed to the holder.

Cancellation of contract; refund of purchase price; cancellation fee. (i) If Apple cancels this Plan, Apple will refund Nevada consumers the unearned portion of the purchase price. Apple may deduct any outstanding balance on your account from the unearned portion of the purchase price as of the date the refund amount is calculated. If Apple cancels a contract pursuant to NRS 690C.270, it may not impose a cancellation fee. (ii) Except as otherwise provided in this section, a Nevada resident who is the original purchaser of this Plan and who submits to Apple a written request to cancel the Plan in accordance with its terms will receive a refund of the unearned portion of the purchase price. (iii) If you request cancellation of this Plan, Apple may impose the cancellation fee described in the Plan, but will not deduct the value of any service. (iv) When Apple calculates the amount of a refund under paragraph (ii), it may deduct from the unearned portion of the purchase price: (a) any outstanding balance on the account; and (b) any cancellation fee charged under this Plan. AppleCare Service Company, Inc. backs this Plan with its full faith and credit with respect to Nevada residents.
Résidents du Nouveau Hampshire Si vous n’obtenez pas réparation en vertu de ce contrat, vous pouvez communiquer avec le New Hampshire insurance department, par la poste au State Of New Hampshire Insurance Department, 21 South Fruit Street, Suite 14, Concord NH 03301, ou par téléphone via Consumer Assistance au 800-852-3416. Français 75 Résidents du Nouveau-Mexique Résiliation : Aucun Programme en vigueur depuis au moins soixantedix (70) jours ne peut être résilié par le fournisseur avant l’expiration du terme convenu ou une année après la date effective d’entrée en vigueur du Programme, selon la première des deux, sauf pour les motifs suivants : a. défaut par le titulaire de payer une somme due; b. condamnation du titulaire à un crime qui aurait pour effet de faire augmenter la prestation de service requise; c. découverte d’une fraude ou d’une fausse déclaration importante par le titulaire afin de souscrire le Programme ou de présenter une réclamation de service en vertu du Programme; d. découverte d’un acte ou d’une omission par le titulaire, ou d’une violation par le titulaire d’une quelconque des modalités du Programme, qui a eu lieu après la date d’entrée en vigueur effective du Programme et qui aurait pour effet d’augmenter de manière substantielle et importante la prestation de service requise en vertu du présent Programme; e. un changement important dans la nature ou l’étendue du service ou de la réparation requise qui serait survenu après la date d’entrée en vigueur effective du Programme et qui aurait 76 Français pour effet d’augmenter le service ou la réparation requise de manière substantielle ou importante par rapport à ce qui avait été envisagé au moment où le Programme a été émis ou vendu. Résidents de la Caroline du Nord L’achat de ce Programme n’est requis ni pour l’achat ni pour l’obtention de financement pour matériel informatique, sauf en cas de défaut de payer le prix d’achat du Programme, Apple ne résiliera pas le Programme. 
Résidents de l’Oregon Si vous n’obtenez pas réparation en vertu de ce contrat, vous pouvez communiquer avec le Oregon Department of Consumer and Business Services, par la poste au Department of Consumer and Business Services, 350 Winter Street NE, Salem, OR 97301, ou par téléphone via Consumer Advocacy au 888-877-4894. Résidents de la Caroline du Sud Toute plainte non résolue ou toute question relative à la réglementation du Programme, peuvent être adressée au South Carolina Department of Insurance, P.O. Box 100105, Columbia, South Carolina 29202-3105, Tel: 1-800-768-3467.Français 77 Résidents du Tennessee Ce Programme sera prolongé tel qui suit : (1) du nombre de jours pendant lesquels le consommateur n’est pas en mesure d’utiliser le produit parce qu’il se trouve en réparation; plus deux (2) jours ouvrables supplémentaires. Résidents du Texas Le fournisseur peut résilier le présent Programme sans avis préalable pour cause de non-paiement, d’assertion inexacte ou de violation substantielle d’une obligation par le détenteur concernant le Produit couvert ou son utilisation. Toute plainte non résolue ou toute question relative à la réglementation en matière contractuelle peut être adressée au TX Dept. of Licensing and Regulation, P.O. Box 12157, Austin, TX 78711, U.S. Résidents du Wisconsin CETTE GARANTIE EST SUJETTE À UNE RÉGLEMENTATION LIMITÉE DE L’OFFICE OF THE COMMISSIONER OF INSURANCE. Si vous résiliez le Programme dans les trente (30) jours de la date de l’achat de votre Programme ou de la réception des présentes modalités, selon la date la plus tardive, vous recevrez un remboursement complet. 
If you cancel the Plan more than thirty (30) days after you received this Plan, you will receive a pro rata refund of the original purchase price of this Plan, based on the percentage of the Warranty Period remaining, less a cancellation fee of twenty-five dollars (US$25) or ten percent (10%) of the pro rata amount, whichever is less. The cost of any service received will not be deducted from the refund. Apple will not cancel this Plan EXCEPT for failure to pay the purchase price of the Plan. If Apple cancels this Plan, you will receive a pro rata refund for the remaining term of the Plan.

Wyoming residents
If Apple cancels this Plan, Apple will mail you written notice of cancellation at your last known address in Apple's records at least ten (10) days prior to the effective date of cancellation. The prior written notice will state the effective date of cancellation and the reason for cancellation. Apple is not required to provide prior notice if cancellation is for nonpayment of the Plan, a material misrepresentation by you to Apple, a material breach of your duties under the Plan, or a material breach of your duties relating to the Covered Product or its use. Disputes arising under this Plan may be resolved under the Wyoming Arbitration Act.

Toll-free numbers
• In the U.S.: 800-APL-CARE (800-275-2273), seven days a week, 8:00 a.m. to 8:00 p.m. Central Time*
• In Canada: 800-263-3394, seven days a week, 9:00 a.m. to 9:00 p.m. Eastern Time*
* Telephone numbers and hours of operation may vary and are subject to change. The most up-to-date information about our representatives in your region or worldwide is available at www.apple.com/contact/phone_contacts.html.
Toll-free numbers are not available in all countries.
APP NA v5.3
www.apple.com
© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, AirPort, AirPort Express, AirPort Extreme, Apple TV, iPod, Mac, MacBook, MacBook Air, Mac OS, Macintosh, SuperDrive, and Time Capsule are trademarks of Apple Inc., registered in the U.S. and other countries. AppleCare is a service mark of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Z034-5546-A Printed in XXXX

Component AV Cable
English
Use the Component AV Cable to connect your iPod, iPhone, or iPad to the component video and analog audio ports on your TV, home theater receiver, or stereo receiver. The Component AV Cable features a USB connector that you can plug into a power source, such as a computer or a USB Power Adapter.
Before you begin connecting components, turn down the volume on iPod, iPhone, or iPad, and turn off the power to all your components. Remember to make all connections firmly to avoid humming and noise.
Important: Never force a connector into a port. If the connector and port don't join with reasonable ease, they probably don't match. Make sure the connector matches the port and is positioned correctly in relation to the port.
To use the Component AV Cable to connect iPod, iPhone, or iPad to your TV or receiver:
1. Plug the red, green, and blue video connectors into the component video input (Y, Pb, and Pr) ports on your TV or receiver.
2. Plug the white and red audio connectors into the left and right analog audio input ports, respectively, on your TV or receiver.
3. Plug the iPod Dock Connector into your iPod, iPhone, iPad, or Universal Dock.
4. Plug the USB connector into a USB Power Adapter or your computer to keep your iPod, iPhone, or iPad charged.
5. Turn on iPod, iPhone, or iPad and your TV or receiver to start playing.
Make sure you set iPod, iPhone, or iPad to send a video signal out to your TV or receiver. For more information, see the user guide for your device.
Illustration labels: Left audio (white), Television, Video in (Y, Pb, Pr), Right audio (red), USB port, Dock Connector, USB connector, iPod.
The ports on your TV or receiver may differ from the ports in the illustration.
Note: If your iPod doesn't support video, you can use the Component AV Cable for audio output, syncing content, and charging.
Regulatory Compliance Information
FCC Compliance Statement
This device complies with part 15 of the FCC rules.
Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. See instructions if interference to radio or television reception is suspected.

Radio and Television Interference
The equipment described in this manual generates, uses, and can radiate radio-frequency energy. If it is not installed and used properly—that is, in strict accordance with Apple's instructions—it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in Part 15 of FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. You can determine whether your computer system is causing interference by turning it off. If the interference stops, it was probably caused by the computer or one of the peripheral devices. If your computer system does cause interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the computer to one side or the other of the television or radio.
• Move the computer farther away from the television or radio.
• Plug the computer into an outlet that is on a different circuit from the television or radio.
(That is, make certain the computer and the television or radio are on circuits controlled by different circuit breakers or fuses.)
If necessary, consult an Apple Authorized Service Provider or Apple. See the service and support information that came with your Apple product. Or, consult an experienced radio or television technician for additional suggestions.
Important: Changes or modifications to this product not authorized by Apple Inc. could void the FCC compliance and negate your authority to operate the product. This product was tested for FCC compliance under conditions that included the use of Apple peripheral devices and Apple shielded cables and connectors between system components. It is important that you use Apple peripheral devices and shielded cables and connectors between system components to reduce the possibility of causing interference to radios, television sets, and other electronic devices. You can obtain Apple peripheral devices and the proper shielded cables and connectors through an Apple-authorized dealer. For non-Apple peripheral devices, contact the manufacturer or dealer for assistance.
Responsible party (contact for FCC matters only): Apple Inc. Corporate Compliance, 1 Infinite Loop, MS 26-A, Cupertino, CA 95014

Industry Canada Statements
Complies with the Canadian ICES-003 Class B specifications. This device complies with RSS 210 of Industry Canada. This Class B device meets all requirements of the Canadian interference-causing equipment regulations.

European Compliance Statement
This product complies with the requirements of European Directives 72/23/EEC, 89/336/EEC, and 1999/5/EC.
Korea Class B Statement
Taiwan Class B Statement

Disposal and Recycling Information
When this product reaches its end of life, please dispose of it according to your local environmental laws and guidelines. For information about Apple's recycling programs, visit: www.apple.com/environment/recycling
www.apple.com
© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, and iPod are trademarks of Apple Inc., registered in the U.S. and other countries. iPad is a trademark of Apple Inc. ZM034-5766-A Printed in XXXX

Brazil—Disposal Information
The symbol indicates that this product and/or its battery must not be disposed of with household waste. When you decide to dispose of this product and/or its battery, do so in accordance with local environmental laws and guidelines. For information about Apple's recycling program, collection points, and the information telephone line, visit www.apple.com/br/environment.

European Union—Disposal Information
The symbol above means that according to local laws and regulations your product should be disposed of separately from household waste. When this product reaches its end of life, take it to a collection point designated by local authorities. Some collection points accept products for free. The separate collection and recycling of your product at the time of disposal will help conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment.
Apple and the Environment
Apple Inc. recognizes its responsibility to minimize the environmental impacts of its operations and products.
More information is available on the web at: www.apple.com/environment

iPhone and iPad in Business
Deployment Scenarios
March 2012
These deployment scenarios show how iPhone and iPad integrate seamlessly into enterprise environments.
• Microsoft Exchange ActiveSync
• Standard services
• Virtual private networks (VPN)
• Wi-Fi
• Digital certificates
• Security overview
• Mobile device management (MDM)
• Apple Configurator

Deploying iPhone and iPad
Exchange ActiveSync
iPhone and iPad can communicate directly with your Microsoft Exchange server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendars, contacts, and tasks. Exchange ActiveSync also gives users access to the Global Address List and gives administrators the ability to enforce device passcode policies and remote wipe. iOS supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently has Exchange ActiveSync enabled, it already has the services needed to support iPhone and iPad in place; no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, follow the steps below.

Configuring Exchange ActiveSync
Network configuration overview
• Make sure port 443 is open on the firewall. If your company uses Outlook Web Access, port 443 is most likely already open.
• Verify that a server certificate is installed on the front-end server and enable SSL for the Exchange ActiveSync virtual directory in IIS.
• If a Microsoft Internet Security and Acceleration (ISA) server is used, verify that a server certificate is installed and update the public DNS server so that it resolves incoming connections.
• Make sure your network's DNS returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so that the device can use the same IP address to communicate with the server when both types of connections are active.
• If you are using a Microsoft ISA server, create a web listener and an Exchange web client access publishing rule. See Microsoft's documentation for details.
• For all firewalls and network appliances, set the session timeout to 30 minutes. For information about other heartbeat and timeout intervals, see the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.
• Configure mobile device features, policies, and security settings using Exchange System Manager. For Exchange Server 2007 and 2010, use the Exchange Management Console.
• Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is required to initiate a remote wipe. For Exchange Server 2007 and 2010, a remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
Supported Exchange ActiveSync security policies
• Remote wipe
• Enforce passcode on device
• Minimum passcode length
• Maximum failed passcode attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies (Exchange 2007 and 2010 only)
• Allow or prohibit simple passcodes
• Passcode expiration
• Passcode history
• Policy refresh interval
• Minimum number of complex characters in the passcode
• Require manual syncing while roaming
• Allow camera
• Allow web browsing

Basic authentication (username and password)
• Enable Exchange ActiveSync for specific users or groups using Active Directory. These features are enabled by default on all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.
• By default, Exchange ActiveSync is configured for basic user authentication. It is recommended that you enable SSL for basic authentication so that credentials are encrypted during authentication.

Certificate-based authentication
• Install Enterprise Certificate Services on a domain controller or member server in your domain (this will be your certificate authority server).
• Configure IIS on your Exchange front-end server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.
• To allow or require certificates for all users, turn off Basic authentication and select either Accept client certificates or Require client certificates.
• Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPhone and iPad. Certificate-based authentication can only be configured using a Configuration Profile. For more information about certificate services, refer to the resources available from Microsoft.

Other Exchange ActiveSync services
• Global Address List (GAL) lookup
• Accept and create calendar invitations
• Task synchronization
• Flagging email
• Reply and Forward flag synchronization with Exchange Server 2010
• Mail search on Exchange Server 2007 and 2010
• Support for multiple Exchange ActiveSync accounts
• Certificate-based authentication
• Push email to selected folders
• Autodiscover

iPhone and iPad request access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL-encrypted HTTPS traffic.) ISA provides access to the Exchange front-end server or Client Access Server. ISA is configured as a proxy or, in many cases, as a reverse proxy, to route traffic to the Exchange server. The Exchange server authenticates the incoming user via Active Directory and the certificate server (if certificate-based authentication is used).
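The step above says the client private key reaches the device only through a Configuration Profile. The following Python script is an added example, not Apple's or Microsoft's code: it assembles such a profile as a property list and then checks it against the rules stated on this page (EAS over SSL, the account bound to a PKCS#12 credential payload, no stored user password). The payload keys (com.apple.eas.account, com.apple.security.pkcs12, PayloadCertificateUUID and the rest) follow Apple's Configuration Profile Reference as recalled by the author and should be verified against the current reference; the host, user name and PKCS#12 bytes are constructed placeholders.

```python
"""Build and sanity-check an iOS configuration profile that sets up an
Exchange ActiveSync account for certificate-based authentication.

Added example; not Apple's or Microsoft's code. Payload keys follow Apple's
Configuration Profile Reference as the author recalls them (assumption:
verify against the current reference). The PKCS#12 bytes used in the test
are a constructed placeholder, not a real client certificate.
"""
import plistlib
import uuid


def _payload(payload_type, identifier, display_name, **keys):
    """Common envelope every payload inside a profile needs."""
    p = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    p.update(keys)
    return p


def build_eas_profile(host, user_name, email, p12_bytes, p12_password,
                      org="Example Corp", ident="com.example.eas", ssl=True):
    """Return the profile as XML plist bytes (the .mobileconfig content).

    The private key travels in a com.apple.security.pkcs12 payload; the
    com.apple.eas.account payload references it by UUID, so the device
    presents the certificate to IIS instead of a password. `ssl=False`
    exists only so the checker below can be shown rejecting a weak profile.
    """
    cert = _payload("com.apple.security.pkcs12", ident + ".cert",
                    "EAS client certificate",
                    PayloadContent=p12_bytes,   # PKCS#12 blob (<data>)
                    Password=p12_password)      # protects the PKCS#12 only
    account = _payload("com.apple.eas.account", ident + ".account",
                       "Corporate Exchange",
                       Host=host, UserName=user_name, EmailAddress=email,
                       SSL=ssl,                  # EAS is served on 443 only
                       PayloadCertificateUUID=cert["PayloadUUID"])
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange ActiveSync (certificate auth)",
        "PayloadOrganization": org,
        "PayloadContent": [cert, account],
    }
    return plistlib.dumps(profile)


def parse_profile(profile_bytes):
    """Decode the plist back into a dict (plistlib restores <data> as bytes)."""
    return plistlib.loads(profile_bytes)


def check_eas_profile(profile_bytes):
    """Return a list of findings; an empty list means every EAS account in
    the profile uses SSL, is bound to a PKCS#12 payload that actually exists
    in the same profile, and carries no stored user password."""
    payloads = parse_profile(profile_bytes).get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.eas.account":
            continue
        if p.get("SSL") is not True:
            findings.append("EAS account without SSL: credentials and mail "
                            "would cross the network in clear text")
        ref = p.get("PayloadCertificateUUID")
        if not ref:
            findings.append("EAS account does not reference a client "
                            "certificate payload")
        elif by_uuid.get(ref, {}).get("PayloadType") != "com.apple.security.pkcs12":
            findings.append("PayloadCertificateUUID does not point at a "
                            "PKCS#12 payload in this profile")
        if "Password" in p:
            findings.append("EAS account embeds a user password; with "
                            "certificate auth it should not be stored here")
    return findings
```

Write the bytes returned by `build_eas_profile` to a `.mobileconfig` file and sign it before distribution; the checker is the kind of gate worth running in whatever pipeline produces profiles, so that a profile with SSL switched off or a dangling certificate reference never reaches a device.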
If the user provides the correct credentials and has access to Exchange ActiveSync services, the front-end server establishes a connection to the corresponding mailbox on the back-end server (via the Active Directory global catalog). The Exchange ActiveSync connection is established. Updates and changes are pushed over the air (OTA), and changes made on iPhone and iPad are reflected on the Exchange server. Sent mail is also synchronized with the Exchange server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) server to an external Mail Gateway (or Edge Transport) server via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport server may reside in the DMZ or outside the firewall.

© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, iPad, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. March 2012

Exchange ActiveSync deployment scenario
This example shows how iPhone and iPad connect to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.
Diagram (Exchange ActiveSync deployment): Firewall, Firewall, Proxy server, Internet, Exchange front-end server or Client Access Server, Certificate server, Active Directory, Private key (certificate), Public key (certificate), Exchange mailbox or back-end server(s), Mail Gateway or Edge Transport server*, Configuration Profile, Bridgehead or Hub Transport server, port 443. *Depending on your network configuration, the Mail Gateway or Edge Transport server may reside in the DMZ.

Deploying iPhone and iPad
Standard services
With support for the IMAP mail protocol, LDAP directory services, and the CalDAV calendar and CardDAV contacts protocols, iOS can integrate with almost any standards-based mail, calendar, and contacts environment. If the network environment is configured to require user authentication and SSL, iPhone and iPad provide a highly secure approach to accessing corporate email, calendars, tasks, and contacts. In a typical deployment, iPhone and iPad establish direct access to IMAP and SMTP mail servers to receive and send email over the air, and they can also wirelessly sync notes with IMAP servers. iOS devices can connect to your company's LDAPv3 directories, giving users access to corporate contacts in the Mail, Contacts, and Messages apps. Synchronization with your CalDAV server lets users create and accept calendar invitations, receive calendar updates, and sync tasks with the Reminders app, all wirelessly. And CardDAV support lets your users keep a set of contacts continuously synchronized with your CardDAV server using the vCard format.
All network servers can be located within a DMZ subnet, behind a corporate firewall, or both. With SSL, iOS supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.

Network configuration
Your IT or network administrator will need to complete these key steps to enable direct access to IMAP, LDAP, CalDAV, and CardDAV services from iPhone and iPad:
• Open the appropriate ports on the firewall. Common ports are 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendars, and 8843 for CardDAV contacts. It is also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV, and CardDAV servers be configured to use SSL, and that the digital certificates on your network servers be issued by a trusted certificate authority (CA) such as VeriSign. This key step ensures that iPhone and iPad recognize your proxy server as a trusted entity within your corporate infrastructure.
• For outbound SMTP mail, port 587, 465, or 25 must be open to allow email to be sent. iOS automatically checks port 587, then port 465, and finally port 25. Port 587 is the most reliable and most secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block it by default to prevent spam.
Common ports
• IMAP/SSL: 993
• SMTP/SSL: 587
• LDAP/SSL: 636
• CalDAV/SSL: 8443, 443
• CardDAV/SSL: 8843, 443

IMAP or POP mail solutions
iOS supports mail servers compatible with the IMAP4 and POP3 protocols on a wide range of operating systems, including Windows, UNIX, Linux and Mac OS X.

CalDAV and CardDAV standards
iOS supports the CalDAV calendar and CardDAV contacts protocols. Both protocols have been standardized by the IETF. For more information, see the CalConnect consortium site at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.

Deployment scenario

This example shows how iPhone and iPad connect to a typical IMAP, LDAP, CalDAV and CardDAV deployment.

iPhone and iPad request access to network services on the designated ports. Depending on the service, users must authenticate either with the reverse proxy or directly with the server to gain access to corporate data. In all cases, connections are relayed by the reverse proxy, which acts as a secure gateway, typically behind the company's Internet firewall. Once authenticated, users can access corporate data on the back-end servers.

© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, iPad and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other product and company names mentioned herein are the property of their respective owners. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. March 2012
iPhone and iPad provide LDAP directory lookup services, allowing users to search for contacts and other address book data on the LDAP server. For CalDAV calendars, users can access and update calendars. CardDAV contacts are stored on the server and are also available locally on iPhone and iPad; changes to fields in CardDAV contacts are then synced back to the CardDAV server. For IMAP mail services, new and old messages can be read on iPhone and iPad through the proxy connection to the mail server. Outgoing email is sent to the SMTP server, with copies placed in the user's Sent folder.

[Figure: standard-services deployment. Elements: firewall, firewall, reverse proxy server, Internet, mail server, LDAP directory server, CalDAV server, CardDAV server; ports 636 (LDAP), 8843 (CardDAV), 993 (IMAP), 587 (SMTP), 8443 (CalDAV); steps 1 to 6.]

Virtual Private Networks (VPN)

Secure access to private corporate networks is available on iPhone and iPad through well-established standard virtual private network (VPN) protocols. Users can easily connect to enterprise systems via the built-in VPN client or through third-party apps from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks and F5 Networks.

Out of the box, iOS supports Cisco IPSec, L2TP over IPSec and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party app is required to connect iPhone and iPad to your VPN. In addition, iOS supports SSL VPN for access to SSL VPN servers from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks and F5 Networks.
To get started, users simply go to the App Store and download a VPN client app developed by one of these companies. Like the other VPN protocols supported by iOS, SSL VPN can be configured manually on the device or via a configuration profile.

iOS supports industry-standard technologies such as IPv6, proxy servers and split tunneling, providing a rich VPN experience when connecting to corporate networks. iOS also works with various authentication methods, including password, two-factor authentication and digital certificates. To simplify connecting in environments where certificate-based authentication is used, iOS includes VPN On Demand, which dynamically starts a VPN session when connecting to specified domains.

Supported protocols and authentication methods
• SSL VPN: supports user authentication by password, two-factor token and certificate.
• Cisco IPSec: supports user authentication by password and two-factor token, and device authentication by shared secret and certificate.
• L2TP over IPSec: supports user authentication by MS-CHAP v2 password and two-factor token, and device authentication by shared secret.
• PPTP: supports user authentication by MS-CHAP v2 password and two-factor token.

VPN On Demand

For configurations using certificate-based authentication, iOS supports VPN On Demand. VPN On Demand can establish a connection automatically when predefined domains are accessed, giving users completely transparent VPN connectivity. This iOS feature requires no additional server configuration.
VPN On Demand is configured via a configuration profile or can be set up manually on the device. The VPN On Demand options are:
• Always: starts a VPN connection for any address that matches the specified domain.
• Never: does not start a VPN connection for addresses that match the specified domain, but if the VPN is already active, it can be used.
• Establish if needed: starts a VPN connection for addresses that match the specified domain only if a DNS lookup has failed.

VPN configuration
• iOS integrates with many existing VPN networks and requires only minimal configuration. The best way to prepare for deployment is to check whether the VPN protocols and authentication methods your company uses are supported by iOS.
• It is also recommended that you verify the authentication path to your authentication server to make sure the standards supported by iOS are enabled within your implementation.
• If you plan to use certificate-based authentication, make sure your public key infrastructure is configured to support device and user certificates with the corresponding key distribution process.
• If you want to configure URL-specific proxy settings, place a PAC file on a web server that is reachable with the basic VPN settings, and make sure it is served with the MIME type application/x-ns-proxy-autoconfig.

Proxy configuration

For all configurations, you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port and, if required, authentication credentials. To give the device an automatic proxy configuration file using PAC or WPAD, use the Auto setting.
For PAC, specify the URL of the PAC file. For WPAD, iPhone and iPad will query the DHCP and DNS servers for the correct settings.

[Figure: VPN deployment. Elements: firewall, firewall, VPN server/concentrator, public Internet, private network, authentication (certificate or token), proxy server, VPN authentication server, token generation or certificate authentication, directory service; steps 1, 2, 3a, 3b, 4, 5.]

Deployment scenario

This example shows a typical deployment with a VPN server/concentrator and an authentication server controlling access to corporate network services.

iPhone and iPad request access to network services. The VPN server/concentrator receives the request and forwards it to the authentication server. In a two-factor authentication environment, the authentication server then generates the token, time-synchronized with the key server. If a certificate-based authentication method is deployed, an identity certificate must be distributed before authentication. If a password-based method is deployed, the authentication procedure continues with user validation. Once the user is authenticated, the authentication server validates user and group policies. Once user and group policies have been validated, the VPN server allows encrypted, tunneled access to network services.
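The VPN On Demand options and the PAC proxy setting described in the configuration notes above, expressed as a VPN payload for a configuration profile. This is an added example and not Apple's own code: it uses the documented Cisco IPSec payload keys (com.apple.vpn.managed, VPNType "IPSec", AuthenticationMethod, OnDemandEnabled, OnDemandMatchDomainsAlways/Never/OnRetry, and a Proxies dictionary with ProxyAutoConfigURLString) and adds two helpers constructed for illustration: validate_vpn(), which rejects the combination the text rules out (On Demand without certificate authentication), and on_demand_action(), a simplified model of which option a host name falls under (suffix matching; the precedence Never, then Always, then Establish if needed is an assumption, not documented behaviour). Gateway, group, identifier and certificate UUID values are placeholders.

```python
import plistlib
import uuid


def cisco_ipsec_vpn(name, gateway, group, cert_uuid, always=(), never=(), on_retry=(), pac_url=None):
    """Cisco IPSec VPN payload with certificate authentication and VPN On Demand domain lists."""
    ipsec = {
        "RemoteAddress": gateway,
        "LocalIdentifier": group,               # IPSec group name configured on the concentrator
        "AuthenticationMethod": "Certificate",  # On Demand is only offered with certificate auth
        "PayloadCertificateUUID": cert_uuid,    # identity certificate payload in the same profile
        "OnDemandEnabled": 1,
        "OnDemandMatchDomainsAlways": list(always),     # "Always"
        "OnDemandMatchDomainsNever": list(never),       # "Never"
        "OnDemandMatchDomainsOnRetry": list(on_retry),  # "Establish if needed"
    }
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "com.example.mdm.vpn.corp",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IPSec",
        "IPSec": ipsec,
    }
    if pac_url:
        # Auto proxy: the PAC file must be reachable with the basic VPN settings and be
        # served with the MIME type application/x-ns-proxy-autoconfig
        payload["Proxies"] = {"ProxyAutoConfigEnable": 1, "ProxyAutoConfigURLString": pac_url}
    return payload


def _matches(host, domains):
    """Case-insensitive suffix match: 'wiki.corp.example.com' matches 'corp.example.com'."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower().strip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def on_demand_action(payload, host):
    """Simplified model of the three On Demand options for one host (precedence is an assumption)."""
    ipsec = payload["IPSec"]
    if not ipsec.get("OnDemandEnabled"):
        return "disabled"
    if _matches(host, ipsec.get("OnDemandMatchDomainsNever", [])):
        return "never"
    if _matches(host, ipsec.get("OnDemandMatchDomainsAlways", [])):
        return "always"
    if _matches(host, ipsec.get("OnDemandMatchDomainsOnRetry", [])):
        return "on-retry"
    return "no-rule"


def validate_vpn(payload):
    """Findings a reviewer should block on; an empty list means the payload is consistent."""
    findings = []
    ipsec = payload.get("IPSec", {})
    if ipsec.get("OnDemandEnabled") and ipsec.get("AuthenticationMethod") != "Certificate":
        findings.append("VPN On Demand requires certificate-based authentication")
    if ipsec.get("AuthenticationMethod") == "Certificate" and not ipsec.get("PayloadCertificateUUID"):
        findings.append("certificate authentication selected but no identity certificate referenced")
    if ipsec.get("AuthenticationMethod") == "SharedSecret" and not ipsec.get("SharedSecret"):
        findings.append("shared-secret authentication selected but no SharedSecret supplied")
    pac = payload.get("Proxies", {}).get("ProxyAutoConfigURLString")
    if pac and not pac.startswith(("http://", "https://")):
        findings.append("PAC URL must be an http(s) URL the device can reach once the tunnel is up")
    return findings


def to_plist(payload):
    """Serialize to the XML plist form used inside a .mobileconfig file."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    vpn = cisco_ipsec_vpn("Corp VPN", "vpn.example.com", "employees", "IDENTITY-CERT-PAYLOAD-UUID",
                          always=["intranet.example.com"], never=["www.example.com"],
                          on_retry=["example.com"], pac_url="http://proxy.example.com/proxy.pac")
    print(to_plist(vpn).decode(), validate_vpn(vpn), on_demand_action(vpn, "wiki.intranet.example.com"))
```

The payload dictionary is what goes into the PayloadContent array of a profile; the identity certificate it references is carried as a separate certificate payload, which is why validate_vpn() treats a missing PayloadCertificateUUID as an error rather than a warning.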
If a proxy server is used, iPhone and iPad connect through the proxy server to access information outside the firewall.

Wi-Fi

Wireless security protocols
• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise

802.1X authentication methods
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0 (EAP-MS-CHAP v2)
• PEAPv1 (EAP-GTC)
• LEAP

Out of the box, iPhone and iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and easy to discover available wireless networks wherever you are. iOS supports standard wireless networking protocols such as WPA2 Enterprise, ensuring fast setup and secure access to corporate wireless networks. WPA2 Enterprise uses 128-bit AES encryption, a proven block cipher that gives users a high level of assurance that their data is protected.

With 802.1X support, iOS can integrate with a wide variety of RADIUS authentication environments. The 802.1X wireless authentication methods supported by iPhone and iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1 and LEAP.

Users can set iPhone and iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be accessed quickly, without opening a separate browser session, from the Wi-Fi settings or from within apps such as Mail. And persistent, low-power Wi-Fi connectivity lets apps use Wi-Fi networks to deliver push notifications.
To simplify configuration and deployment, wireless network, security, proxy and authentication settings can be defined using configuration profiles.

WPA2 Enterprise configuration
• Verify that the network equipment is compatible and select an authentication type (EAP type) supported by iOS.
• Make sure 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.
• Configure the wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
• If you plan to use certificate-based authentication, configure your public key infrastructure to support device and user certificates with the corresponding key distribution process.
• Verify that the certificate format is compatible with the authentication server. iOS supports PKCS#1 (.cer, .crt, .der) and PKCS#12.
• Additional information on wireless networking protocols and Wi-Fi Protected Access (WPA) is available at www.wi-fi.org.

WPA2 Enterprise/802.1X deployment scenario

This example shows a typical secure wireless deployment that takes advantage of RADIUS authentication. iPhone and iPad request access to the network. The connection is initiated either in response to a user selecting an available wireless network or automatically after a previously configured network is detected. When the access point receives the request, it is forwarded to the RADIUS server for authentication. The RADIUS server validates the user account against the directory service. Once the user is validated, the access point opens network access according to the policies and permissions defined by the RADIUS server.
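The checklist above maps onto a Wi-Fi payload in a configuration profile. The following is an added example, not code from Apple's guide: it builds the payload with Python's plistlib using the documented Wi-Fi payload keys (com.apple.wifi.managed, EAPClientConfiguration, AcceptEAPTypes with the standard EAP type numbers, TLSTrustedServerNames, PayloadCertificateAnchorUUID, PayloadCertificateUUID) and then lints it for the two mistakes that undo the value of 802.1X: accepting a known-weak EAP method and not pinning which RADIUS server certificate the device may trust. The SSID, identifiers, the placeholder UUIDs and the lint_wifi() helper are assumptions constructed for illustration, and the EncryptionType value "WPA" is assumed to cover WPA2 Enterprise as in the profile reference of that era.

```python
import plistlib
import uuid

# EAP method numbers used in the payload's AcceptEAPTypes array (standard EAP type codes);
# the names are the methods the guide lists as supported.
EAP_TYPES = {"EAP-TLS": 13, "LEAP": 17, "EAP-SIM": 18, "EAP-TTLS": 21, "PEAP": 25, "EAP-FAST": 43}


def wifi_payload(ssid, methods, trusted_server_names=(), anchor_cert_uuid=None,
                 identity_cert_uuid=None, username=None):
    """Wi-Fi payload for a WPA2 Enterprise network. The two UUID arguments refer to certificate
    payloads (the RADIUS CA root and the user's identity) carried in the same profile."""
    eap = {
        "AcceptEAPTypes": [EAP_TYPES[m] for m in methods],
        # Names the RADIUS server certificate must carry; a rogue AP cannot present one of these.
        "TLSTrustedServerNames": list(trusted_server_names),
        # Do not let the user click through an untrusted RADIUS certificate (the default allows it).
        "TLSAllowTrustExceptions": False,
    }
    if anchor_cert_uuid:
        eap["PayloadCertificateAnchorUUID"] = [anchor_cert_uuid]
    if username:
        eap["UserName"] = username
    if "EAP-TTLS" in methods:
        eap["TTLSInnerAuthentication"] = "MSCHAPv2"
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": f"com.example.mdm.wifi.{ssid.lower()}",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA",  # assumption: "WPA" covers WPA/WPA2 Enterprise in this profile format
        "EAPClientConfiguration": eap,
    }
    if identity_cert_uuid:
        payload["PayloadCertificateUUID"] = identity_cert_uuid  # client certificate for EAP-TLS
    return payload


def lint_wifi(payload):
    """Return the problems a reviewer should reject; an empty list means the payload is sound."""
    findings = []
    eap = payload.get("EAPClientConfiguration", {})
    accepted = eap.get("AcceptEAPTypes", [])
    if not accepted:
        findings.append("no EAP method accepted: this is not an 802.1X configuration")
    if EAP_TYPES["LEAP"] in accepted:
        findings.append("LEAP accepted: known-weak method, prefer EAP-TLS or PEAP")
    if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("RADIUS server certificate not pinned: devices would trust any server")
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("user may accept an untrusted RADIUS certificate")
    if EAP_TYPES["EAP-TLS"] in accepted and not payload.get("PayloadCertificateUUID"):
        findings.append("EAP-TLS accepted but no identity certificate referenced")
    return findings


def to_plist(payload):
    """Serialize to the XML plist form used inside a .mobileconfig file."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    p = wifi_payload("CorpWiFi", ["EAP-TLS"], ["radius.corp.example.com"],
                     anchor_cert_uuid="ROOT-CA-PAYLOAD-UUID", identity_cert_uuid="USER-CERT-PAYLOAD-UUID")
    print(to_plist(p).decode(), lint_wifi(p))
```

With only TLSTrustedServerNames set and no anchor, the device still validates the RADIUS certificate against the preinstalled system roots; pinning your own root through PayloadCertificateAnchorUUID is what you want when the RADIUS server uses a private CA.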
[Figure: WPA2 Enterprise/802.1X deployment. Elements: wireless access point with 802.1X support, directory services, network services, authentication server with 802.1X support (RADIUS), certificate or password depending on the EAP type, firewall; steps 1 to 4.]

Digital certificates

iOS supports digital certificates, giving enterprise users secure, streamlined access to corporate services. A digital certificate consists of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity and encryption.

On iPhone and iPad, certificates can be used in several ways. Signing data with a digital certificate helps ensure that the information cannot be altered. Certificates can also be used to guarantee the identity of the author or "signer". In addition, they can be used to encrypt configuration profiles and network communications to further protect confidential or private information.

Using certificates on iOS

Digital certificates
Digital certificates can be used to securely authenticate users to corporate services without the need for user names, passwords or tokens.
On iOS, certificate-based authentication is supported for managing access to Microsoft Exchange ActiveSync, VPN and Wi-Fi networks.

[Figure: certificate-based authentication. Elements: corporate services (intranet, email, VPN, Wi-Fi), certificate authority, directory service, authentication request.]

Server certificates
Digital certificates can also be used to validate and encrypt network communications. This secures connections to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session using 256-bit AES encryption. This verifies that the site's identity is legitimate and that communication with the website is encrypted, preventing interception of personal or confidential data.

[Figure: server certificates. Elements: HTTPS request, network services, certificate authority.]

Supported certificate and identity formats:
• iOS supports X.509 certificates with RSA keys.
• The file extensions .cer, .crt, .der, .p12 and .pfx are recognized.

Root certificates
iOS devices include a number of preinstalled root certificates. For the list of preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT4415?viewlocale=fr_FR. If you use a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it using one of the methods described in the "Certificate distribution and installation" section of this document.
Certificate distribution and installation

Distributing certificates to iPhone and iPad is simple. When a certificate is received, users simply tap to review its contents, then tap again to add the certificate to their device. When an identity certificate is installed, users are prompted for the password that protects it. If a certificate's authenticity cannot be verified, users are shown a warning before it is added to their device.

Installing certificates via configuration profiles
If configuration profiles are used to distribute settings for corporate services such as Exchange, VPN or Wi-Fi, certificates can be added to the profile to streamline deployment.

Installing certificates via Mail or Safari
If a certificate is sent by email, it appears as an attachment. Safari can be used to download certificates from a web page. You can host a certificate on a secure website and give users the URL from which they can download the certificate to their devices.

Installation via the Simple Certificate Enrollment Protocol (SCEP)
SCEP is designed to provide a simplified process for managing certificate distribution in large-scale deployments. It enables over-the-air (OTA) enrollment of digital certificates on iPhone and iPad, which can then be used for authentication to corporate services, as well as for enrollment with a mobile device management server.
For more information on SCEP and over-the-air enrollment, see www.apple.com/fr/iphone/business/resources.

Removing and revoking certificates
To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required to access an account or network, the device will no longer be able to connect to those services. To remove certificates remotely, a mobile device management (MDM) server can be used. The server can view all certificates on a device and remove the ones it installed. In addition, the Online Certificate Status Protocol (OCSP) is supported for checking certificate status. When an OCSP-enabled certificate is used, iOS validates it to make sure it has not been revoked before completing the requested task.

Security overview

iOS, the operating system at the heart of iPhone and iPad, is built on multiple layers of security. This allows iPhone and iPad to securely access corporate services and protect important data. iOS provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data stored on the device. iOS also provides strong protection through the use of device passcode policies that can be enforced and delivered over the air. And if a device falls into the wrong hands, users and IT administrators can initiate a remote wipe to remove all confidential information from the device.
When evaluating iOS security for enterprise use, it helps to consider the following:
• Device security: methods that prevent unauthorized use of the device
• Data security: protecting data at rest (in case of loss or theft)
• Network security: networking protocols and encryption of data in transmission
• App security: the secure platform foundation of iOS
These capabilities work together to provide a secure mobile computing platform.

Device security

Establishing strong policies for access to iPhone and iPad is critical to protecting corporate information. Device passcodes, which can be configured and enforced remotely, are the front line of defense against unauthorized access. iOS devices use the unique passcode set by each user to generate a strong encryption key that further protects mail and sensitive application data on the device.

In addition, iOS provides secure methods for configuring the device in an enterprise environment where specific settings, policies and restrictions must be enforced. These methods offer a wide range of options for establishing a standard level of protection for authorized users.

Passcode policies
A device passcode prevents unauthorized users from accessing data stored on the device or otherwise using the device. iOS offers a large number of passcode policies designed to meet your security needs (timeouts, passcode strength and passcode change frequency, for example).
The following policies are supported:
• Require passcode on device
• Allow simple values
• Require alphanumeric value
• Minimum number of characters
• Minimum number of complex characters
• Maximum passcode age
• Auto-lock timeout
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts

Device security
• Strong device passcodes
• Passcode expiration
• Passcode reuse history
• Maximum failed attempts
• Over-the-air passcode enforcement
• Progressive passcode timeout

Policy enforcement

The policies described above can be configured on iPhone and iPad in several ways. Policies can be distributed as part of a configuration profile for users to install. A profile can be defined so that an administrator password is required to remove it, or you can set the profile to be locked to the device so that it cannot be removed without completely erasing the device's contents. In addition, passcode settings can be configured remotely using mobile device management (MDM) solutions, which can push policies directly to the device. This allows policies to be enforced and updated without user intervention.

Alternatively, if the device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device over the air. Keep in mind that the available policies vary depending on the Exchange version (2003, 2007 or 2010). See the Exchange ActiveSync and iOS Devices document for the list of policies supported for your configuration.
Secure device configuration

Configuration profiles are XML files that contain the device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that allow iPhone and iPad to work with your enterprise systems. The ability to set passcode policies and settings in a configuration profile ensures that devices used within your enterprise are configured correctly and to the security standards set by your organization. And because configuration profiles can be both encrypted and locked, their settings cannot be removed, altered or shared.

Configuration profiles can be both signed and encrypted. Signing a configuration profile ensures that the settings it enforces cannot be altered. Encrypting a configuration profile protects the profile's contents and permits installation only on the device for which it was created. Configuration profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), with support for 3DES and AES 128.

The first time you distribute an encrypted configuration profile, you can install it via USB using the iPhone Configuration Utility or wirelessly via over-the-air (OTA) enrollment. Subsequent distribution of encrypted configuration profiles can be done by email as an attachment, by hosting them on a website accessible to your users, or by pushing them to the device using MDM solutions.

Device restrictions

Device restrictions determine which features your users can access on the device.
Typically, these are network-enabled apps such as Safari, YouTube or the iTunes Store, but restrictions can also control device capabilities such as app installation or use of the camera. Restrictions let you configure the device to meet your needs while allowing users to use the device in ways consistent with your business practices. Restrictions can be configured manually on each device, enforced via a configuration profile, or established remotely with MDM solutions. In addition, as with passcode policies, restrictions on the camera or web browsing can be enforced remotely via Microsoft Exchange Server 2007 and 2010.

In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes, for example, disabling access to explicit content, defining which network services users can access in iTunes, and determining whether new software updates are available for installation. For more information, see the Deploying iTunes for iOS Devices document.
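The passcode policies, the locked profile and the device restrictions described above, assembled into one configuration profile with Python's plistlib. This is an added example, not code from Apple's guide. The payload types and keys (com.apple.mobiledevice.passwordpolicy with forcePIN, allowSimple, requireAlphanumeric, minLength, minComplexChars, maxPINAgeInDays, maxInactivity, pinHistory, maxGracePeriod and maxFailedAttempts; com.apple.applicationaccess with allowUntrustedTLSPrompt, forceEncryptedBackup and friends; the top-level PayloadRemovalDisallowed that locks the profile to the device) are the documented configuration profile keys. The identifiers, display names and the lint_profile() check, which flags the settings the guide argues against (simple or four-character passcodes, no wipe after failed attempts, users able to accept untrusted certificates, unencrypted backups, a profile the user can remove), are constructed for illustration.

```python
import plistlib
import uuid


def payload(payload_type, identifier, **settings):
    """Wrap payload-specific keys in the header every profile payload carries."""
    base = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    return {**base, **settings}


def passcode_policy(min_length=6, max_failed=10, max_inactivity=5, max_age_days=90, history=4):
    """Passcode policy matching the guide's list; defaults are one reasonable baseline, not Apple's."""
    return payload(
        "com.apple.mobiledevice.passwordpolicy", "com.example.mdm.passcode",  # hypothetical identifier
        forcePIN=True,                 # require passcode on device
        allowSimple=False,             # no repeating/ascending values such as 1111 or 1234
        requireAlphanumeric=True,      # require alphanumeric value
        minLength=min_length,          # more than four characters, as the guide recommends
        minComplexChars=1,             # minimum number of complex characters
        maxPINAgeInDays=max_age_days,  # maximum passcode age
        maxInactivity=max_inactivity,  # auto-lock timeout, minutes
        pinHistory=history,            # passcode history
        maxGracePeriod=0,              # require the passcode immediately after lock
        maxFailedAttempts=max_failed,  # local wipe after this many failures
    )


def restrictions():
    """The restriction keys the guide lists under security and privacy, set to their safe values."""
    return payload(
        "com.apple.applicationaccess", "com.example.mdm.restrictions",  # hypothetical identifier
        allowUntrustedTLSPrompt=False,  # user may not accept untrusted certificates
        forceEncryptedBackup=True,      # force encrypted iTunes backups
        allowScreenShot=False,
        allowCloudBackup=False,
        allowDiagnosticSubmission=False,
    )


def build_profile(payloads, locked=True, name="Example security baseline"):
    """Top-level profile; returns XML plist bytes ready for CMS signing/encryption and distribution."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadRemovalDisallowed": locked,  # locked profile: only a full erase removes it
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def lint_profile(profile_xml):
    """Flag settings the guide warns about; returns a list of findings (empty means clean)."""
    profile = plistlib.loads(profile_xml)
    findings = []
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile can be removed by the user")
    for p in profile.get("PayloadContent", []):
        kind = p.get("PayloadType")
        if kind == "com.apple.mobiledevice.passwordpolicy":
            if not p.get("forcePIN"):
                findings.append("passcode not required")
            if p.get("allowSimple", True):  # iOS default when the key is absent
                findings.append("simple passcodes allowed")
            if p.get("minLength", 0) <= 4:
                findings.append("passcode of four characters or fewer weakens Data Protection")
            if "maxFailedAttempts" not in p:
                findings.append("no local wipe after failed attempts")
        elif kind == "com.apple.applicationaccess":
            if p.get("allowUntrustedTLSPrompt", True):  # iOS default when absent
                findings.append("users may accept untrusted certificates")
            if not p.get("forceEncryptedBackup", False):
                findings.append("iTunes backups not forced to be encrypted")
    return findings


if __name__ == "__main__":
    baseline = build_profile([passcode_policy(), restrictions()])
    print(baseline.decode())
    print("findings:", lint_profile(baseline))
```

The bytes returned by build_profile() are the .mobileconfig content; before distribution they would be signed (and, for per-device delivery, encrypted) with CMS as the text describes, which lint_profile() does not attempt. Running the linter against profiles exported from an MDM console is a quick way to catch a baseline that was relaxed by hand.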
Supported configurable policies and restrictions:

Device functionality
• Allow installing apps
• Allow Siri
• Allow Siri while the device is locked
• Allow use of camera
• Allow FaceTime
• Allow screen capture
• Allow automatic sync while roaming
• Allow voice dialing
• Allow in-app purchases
• Require iTunes Store password for purchases
• Allow multiplayer gaming
• Allow adding Game Center friends

Applications
• Allow use of YouTube
• Allow use of iTunes Store
• Allow use of Safari
• Set Safari security preferences

iCloud
• Allow backup
• Allow document and key-value sync
• Allow Photo Stream

Security and privacy
• Allow diagnostic data to be sent to Apple
• Allow user to accept untrusted certificates
• Force encrypted backups

Content ratings
• Allow explicit music and podcasts
• Set ratings region
• Set allowed content ratings

Data security

Protecting data stored on iPhone and iPad is critical for any environment with sensitive corporate information or customer data. In addition to encrypting data in transmission, iPhone and iPad provide hardware encryption for all data stored on the device, and encryption of email and application data through enhanced data protection.

If a device is lost or stolen, it is important to disable the device and erase its contents.
It is also advisable to implement a policy that erases the device after a defined number of failed passcode attempts: this is a strong deterrent against attempts to gain unauthorized access to the device.

Encryption
iPhone and iPad offer hardware-based encryption. Hardware encryption uses 256-bit AES to protect all data stored on the device. This feature is always on and cannot be disabled by users.

In addition, data backed up to iTunes on a user's computer can also be encrypted. This encryption can be enabled by the user or enforced using the device restriction settings in configuration profiles.

iOS supports S/MIME in Mail, which allows iPhone and iPad to view and send encrypted email. Restrictions can also be used to prevent moving email between accounts or forwarding messages received in one account from another.

Data protection
Building on the hardware encryption capabilities of iPhone and iPad, the security of email messages and attachments stored on the device can be further enhanced by using the data protection features built into iOS. Data protection combines each device's unique passcode with the hardware encryption on iPhone and iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that sensitive data is secured even if the device falls into the wrong hands. To enable data protection, simply establish a passcode on the device.
The effectiveness of data protection depends on the passcode, so it is important to require and enforce a passcode longer than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen. MDM solutions can also query the device for this information.

These data protection APIs are also available to developers and can be used to secure data in in-house or commercial enterprise apps.

Remote wipe
iOS supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or the Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by MDM solutions, even if Exchange corporate services are not in use.

Progressive passcode timeout
iPhone and iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iOS will be disabled for increasingly longer intervals. After too many failed attempts, all data and settings stored on the device will be erased.
Data security
• Hardware encryption
• Data protection
• Remote wipe
• Local wipe
• Encrypted configuration profiles
• Encrypted iTunes backups

VPN protocols
• Cisco IPSec
• L2TP/IPSec
• PPTP
• SSL VPN

Authentication methods
• Password (MSCHAPv2)
• RSA SecurID
• CRYPTOCard
• X.509 digital certificates
• Shared secret

802.1x authentication protocols
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAP v0, v1
• LEAP

Supported certificate formats
iOS supports X.509 certificates with RSA keys. The .cer, .crt and .der file extensions are recognized.

Local wipe
Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This protects against brute-force attempts to gain access to the device. When a passcode is set, users can enable local wipe directly from the settings. By default, iOS automatically wipes the device after ten failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be set via a configuration profile, defined by an MDM server, or enforced remotely through Microsoft Exchange ActiveSync policies.

iCloud
iCloud stores music, photos, apps, calendars, documents and more, and automatically pushes them to all of a user's devices. It also backs up information, including device settings, app data, and text and MMS messages, daily over Wi-Fi. iCloud secures your content by encrypting it when it is sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication.
In addition, iCloud features such as Photo Stream, Document Sync and Backup can be disabled using a configuration profile. To learn more about iCloud security and privacy, see http://support.apple.com/kb/HT4865?viewlocale=fr_FR.

Network security
Mobile users must be able to access corporate information networks from anywhere in the world, yet it is also important to ensure that users are authorized and that their data is protected during transmission. iOS provides proven technologies to achieve these security objectives for both Wi-Fi and cellular network connections. In addition to your existing infrastructure, every FaceTime session and iMessage exchange is encrypted end to end. iOS creates a unique identifier for each user, ensuring that communications are properly encrypted, routed and connected.

VPN
Many enterprise environments include some form of virtual private network (VPN). These secure network services are already deployed and typically require minimal setup and configuration to work with iPhone and iPad. iOS integrates out of the box with a broad range of common VPN technologies through its support for Cisco IPSec, L2TP and PPTP. It supports SSL VPN technologies through applications from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks and F5 Networks. Support for these protocols ensures the highest level of IP-based encryption for transmitting sensitive information. In addition to providing secure access to existing VPN environments, iOS offers proven methods for user authentication.
Authentication via standard X.509 digital certificates gives users simplified access to company resources and a viable alternative to hardware tokens. In addition, certificate-based authentication lets iOS take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, secure access to network services. For enterprise environments where a two-factor token is required, iOS integrates with RSA SecurID and CRYPTOCard. iOS supports network proxy configuration as well as split IP tunneling, so that traffic to public or private network domains is relayed according to your company's specific policies.

Network security
• Built-in Cisco IPSec, L2TP and PPTP VPN protocols
• SSL VPN via App Store apps
• SSL/TLS with X.509 certificates
• WPA/WPA2 Enterprise with 802.1x authentication
• Certificate-based authentication
• RSA SecurID, CRYPTOCard

SSL/TLS
iOS supports SSL v3 as well as Transport Layer Security (TLS v1.0, 1.1 and 1.2), the next-generation security standard for the Internet. Safari, Calendar, Mail and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iOS and corporate services.

WPA/WPA2
iOS supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi connection. And with support for 802.1x authentication, iPhone and iPad can be integrated into a broad range of RADIUS authentication environments.

App security
iOS is designed with security at its core.
It uses a sandboxing approach for runtime protection of applications and requires app signing to ensure that applications have not been tampered with. iOS also includes a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a common cryptographic architecture that can be used to encrypt application data stores.

Runtime protection
Applications on the device are sandboxed so that they cannot access data stored by other applications. In addition, system files, resources and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.

Mandatory code signing
All iOS applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by their developer using a certificate issued by Apple. This ensures that applications have not been tampered with or altered. In addition, runtime checks are made to ensure that an application has not become untrusted since it was last used. Use of custom or in-house applications can be controlled with a provisioning profile. Users must have the corresponding provisioning profile installed to run the application. Provisioning profiles can be installed or revoked remotely using MDM solutions. Administrators can also restrict use of an application to specific devices.
Secure authentication framework
iOS provides a secure, encrypted keychain for storing digital identities, user names and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPhone and iPad across a broad range of applications and services within the enterprise.

App security
• Runtime protection
• Mandatory code signing
• Keychain services
• Common crypto APIs
• Application data protection

© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, FaceTime, iPad, iPhone, iTunes, Safari and Siri are trademarks of Apple Inc., registered in the U.S. and other countries. iMessage is a trademark of Apple Inc. iCloud and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Other product and company names mentioned in this document belong to their respective owners. Product specifications are subject to change without notice. March 2012

Common cryptographic architecture
Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using proven methods such as AES, RC4 or 3DES. In addition, iPhone and iPad provide hardware acceleration for AES encryption and SHA1 hashing, maximizing application performance.

Application data protection
Applications can also take advantage of the built-in hardware encryption on iPhone and iPad to further protect their sensitive data.
Developers can designate specific files for data protection, instructing the system to encrypt the contents of the file so that it is inaccessible to both the application and any potential intruder while the device is locked.

Managed apps
An MDM server can manage third-party apps from the App Store as well as enterprise in-house applications. Designating an app as managed lets the server specify whether the app and its data can be removed from the device by the MDM server. In addition, the server can prevent managed app data from being backed up to iTunes and iCloud. This lets IT manage apps that may contain sensitive business information with more control than apps downloaded directly by the user. To install a managed app, the MDM server sends an installation command to the device. Managed apps require user acceptance before they are installed. To learn more about managed apps, see the mobile device management overview, available at www.apple.com/fr/iphone/business/integration/mdm.

Revolutionary devices, fully secured
iPhone and iPad provide encrypted protection of data in transit, at rest, and when backed up to iTunes or iCloud. Whether a user is accessing corporate e-mail, visiting a private website or authenticating to the corporate network, iOS ensures that only authorized users can access sensitive corporate information. And with support for enterprise-class networking and comprehensive methods to prevent data loss, you can deploy iOS devices with confidence that you are implementing proven mobile device security and data protection.
Deploying iPhone and iPad
Mobile Device Management (MDM)
iOS supports mobile device management (MDM), giving businesses the ability to manage scaled deployments of iPhone and iPad across their organizations. These MDM capabilities are built on existing iOS technologies such as configuration profiles, over-the-air (OTA) enrollment and the Apple Push Notification service (APN). They can be integrated with in-house or third-party server solutions. IT managers can securely deploy iPhone and iPad in an enterprise environment, wirelessly configure and update settings, check compliance with corporate policies, and even remotely wipe or lock managed devices.

Managing iPhone and iPad
Management of iOS devices takes place over a connection to an MDM server. This server can be built by the company's internal IT department or obtained from a third-party vendor. The device communicates with the server, collects pending tasks, and responds by carrying out the corresponding actions. These can include updating policies, sending device or network information, or removing settings and data. Most management functions are performed in the background and require no user interaction. For example, if IT updates its VPN infrastructure, the MDM server can remotely configure iPhone and iPad with new account information. The next time the employee uses the VPN, the required configuration is already on the device, avoiding a call to the help desk or manual changes to settings.
[Figure: firewall, Apple Push Notification service, third-party MDM server]

MDM and the Apple Push Notification service (APN)
When a mobile device management (MDM) server wants to communicate with an iPhone or iPad, a silent notification is sent to the device via the Apple Push Notification service, prompting it to check in with the server. The device notification process does not exchange any proprietary information with the Apple Push Notification service. The only task the push notification performs is to wake the device so that it checks in with the MDM server. All configuration information, settings and queries are sent directly from the server to the iOS device over an encrypted SSL/TLS connection between the device and the MDM server. iOS handles all MDM requests and actions in the background to limit the impact on the user, including on battery life, performance and reliability. For the push notification service to recognize commands from the MDM server, a certificate must first be installed on the server. This certificate must be requested and downloaded from the Apple Push Certificates Portal. Once the Apple push notification certificate has been uploaded to the MDM server, device enrollment can begin. To learn more about requesting an Apple push notification certificate for an MDM server, see www.apple.com/fr/iphone/business/integration/mdm.

Network configuration for the APN service
When MDM servers and iOS devices are behind a firewall, some network configuration is needed for the MDM service to work correctly. To send notifications from an MDM server to the APN service, TCP port 2195 must be open. To use the feedback service, TCP port 2196 must also be open.
For devices connecting to the push service over Wi-Fi, TCP port 5223 must be open. The IP address range used for the push service is subject to change; an MDM server is normally expected to connect by host name rather than by IP address. The push service uses a load-balancing scheme that returns a different IP address for the same host name. That host name is gateway.push.apple.com (and gateway.sandbox.push.apple.com for the development push notification environment). In addition, the entire 17.0.0.0/8 address block is assigned to Apple, so firewall rules can be written to specify that range. To learn more, contact your MDM solution vendor or see Developer Technical Note TN2265 in the iOS Developer Library at http://developer.apple.com/library/ios/#technotes/tn2265/_index.html.

Enrollment
Once the MDM server and the network are configured, the first step in managing an iPhone or iPad is to enroll it with an MDM server. This establishes a relationship between the device and the server that allows the device to be managed on demand without further user interaction. To do this, the iPhone or iPad can be connected to a computer over USB, but most solutions deliver the enrollment profile wirelessly. Some MDM vendors use an app to start the process, while others initiate enrollment by directing users to a web portal. Each method has its advantages, and both can be used to trigger the over-the-air enrollment process via Safari.

iOS and SCEP
iOS supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an enrollment protocol at Internet Draft status in the IETF.
It was designed to simplify certificate distribution in large-scale deployments. This lets iPhone and iPad enroll over the air for identity certificates, which then serve as identification to enterprise services.

Enrollment process overview
The over-the-air (OTA) enrollment process involves phases that combine into an automated workflow, providing the most scalable way to enroll devices securely in an enterprise environment. The phases are as follows:

1. User authentication
User authentication ensures that incoming enrollment requests come from legitimate users and that the user's device information is captured before certificate enrollment. The administrator can invite the user to begin the enrollment process through a web portal, by e-mail, by SMS, or even through an app.

2. Certificate enrollment
Once the user is authenticated, iOS generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly with the company's certificate authority (CA) and lets iPhone and iPad receive in return the identity certificate issued by the CA.

3. Device configuration
Once the identity certificate is installed, the device can receive an encrypted configuration profile over the air. This information can only be installed on the device it is intended for, and contains the settings needed to connect to the MDM server. At the end of the enrollment process, the user is shown an installation screen that describes the access rights the MDM server will have over the device.
When the user accepts installation of the profile, the device is automatically enrolled with no further intervention. Once iPhone and iPad are enrolled as managed devices, they can be dynamically configured with settings, queried for information, or wiped remotely by the MDM server.

Configuration
To configure a device with accounts, policies and restrictions, the MDM server sends files called configuration profiles to the device, which are installed automatically. Configuration profiles are XML files containing settings that allow the device to work with your enterprise systems: account information, passcode policies, restrictions and other device settings. When combined with the enrollment process described earlier, device configuration assures IT that only trusted users can access corporate services and that their devices are properly configured according to established policies.
And because configuration profiles can be both signed and encrypted, the settings cannot be altered or shared with others.

Supported configurable settings
Accounts
• Exchange ActiveSync
• IMAP/POP e-mail
• Wi-Fi
• VPN
• LDAP
• CardDAV
• CalDAV
• Subscribed calendars

Device passcode policies
• Require passcode on device
• Allow simple value
• Require alphanumeric value
• Minimum number of characters
• Minimum number of complex characters
• Maximum passcode age
• Time before auto-lock
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts

Security and privacy
• Allow diagnostic data to be sent to Apple
• Allow user to accept untrusted certificates
• Force encrypted backups

Other settings
• Credentials
• Web Clips
• SCEP settings
• APN settings

Device functionality
• Allow installing apps
• Allow Siri
• Allow Siri while device is locked
• Allow use of camera
• Allow FaceTime
• Allow screen capture
• Allow automatic sync while roaming
• Allow voice dialing
• Allow in-app purchases
• Require store password for all purchases
• Allow multiplayer gaming
• Allow adding Game Center friends

Applications
• Allow use of YouTube
• Allow use of iTunes Store
• Allow use of Safari
• Set Safari security preferences

iCloud
• Allow backup
• Allow document and key-value sync
• Allow Photo Stream

Content ratings
• Allow explicit music and podcasts
• Set ratings region
• Set allowed content ratings

Querying devices
In addition to configuration, an MDM server can query devices for a variety of information. This information can be used to ensure that devices continue to comply with the policies in force.

Supported queries
Device information
• Unique Device Identifier (UDID)
• Device name
• iOS and version
• Model name and number
• Serial number
• Capacity and space available
• IMEI number
• Modem firmware
• Battery level

Network information
• ICCID
• Bluetooth® and Wi-Fi MAC addresses
• Current carrier network
• Subscriber carrier network
• Carrier settings version
• Phone number
• Data roaming setting (on/off)

Compliance and security information
• Configuration profiles installed
• Certificates installed, with expiration dates
• List of all restrictions enforced
• Hardware encryption capability
• Passcode present

Applications
• Applications installed (app ID, name, version, app size and app data size)
• Provisioning profiles installed, with expiration dates

Management
With mobile device management, a number of functions can be performed by an MDM server on iOS devices. These tasks include installing and removing configuration and provisioning profiles, managing apps, ending the MDM relationship, and remotely wiping a device.

Managed settings
During the initial setup of a device, an MDM server pushes configuration profiles to the iPhone or iPad, which are installed in the background. Over time, the settings and policies put in place at enrollment may need to be updated or changed. To make these changes, an MDM server can install new configuration profiles and modify or remove existing profiles at any time.
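As an added example (not Apple's or any MDM vendor's code), here is how an MDM server could evaluate the compliance and security information returned by the queries listed above and pick between the management responses this section describes. The policy, the device record and its field names are constructed for the example; they are not the MDM protocol's wire keys.

```python
"""Evaluate an MDM device-query result against a compliance policy.

Added example, not Apple's or any MDM vendor's code. The device record is a
constructed, simplified view of the query results the guide lists; its field
names are this example's own, not the MDM protocol's wire keys.
"""
from datetime import date

# Constructed policy: what IT requires of an enrolled device.
POLICY = {
    "min_os_version": (5, 0),
    "required_profiles": {"com.example.mdm", "com.example.passcode"},
    "required_restrictions": {"allowCamera": False},
    "prohibited_apps": {"com.example.retired-app"},
    "cert_warning_days": 30,
}

# Constructed device record, as an MDM server might hold it after querying.
SAMPLE_DEVICE = {
    "udid": "EXAMPLE-UDID-0001",
    "os_version": "5.1",
    "hardware_encryption": True,
    "passcode_present": True,
    "installed_profiles": ["com.example.mdm", "com.example.passcode"],
    "certificates": [
        {"common_name": "device-identity", "expires": "2012-06-01"},
        {"common_name": "corp-wifi-ca", "expires": "2014-01-01"},
    ],
    "restrictions": {"allowCamera": False, "allowAppInstallation": True},
    "installed_apps": [
        {"id": "com.example.fieldapp", "version": "2.0"},
        {"id": "com.example.retired-app", "version": "1.0"},
    ],
}

HIGH = "high"      # corporate data should not stay on the device as it is
MEDIUM = "medium"  # fixable by pushing updated profiles or app commands


def parse_version(text):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, policy, today_iso):
    """Return a list of (severity, message) findings for one device record."""
    today = date.fromisoformat(today_iso)
    findings = []
    if not device["hardware_encryption"]:
        findings.append((HIGH, "device lacks hardware encryption"))
    if not device["passcode_present"]:
        findings.append((HIGH, "no passcode set: data protection is inactive"))
    if parse_version(device["os_version"]) < policy["min_os_version"]:
        findings.append((MEDIUM, "iOS version below minimum"))
    for profile in sorted(policy["required_profiles"] - set(device["installed_profiles"])):
        findings.append((HIGH, "required profile missing: " + profile))
    for key, wanted in policy["required_restrictions"].items():
        if device["restrictions"].get(key) != wanted:
            findings.append((MEDIUM, "restriction %s is not %r" % (key, wanted)))
    for cert in device["certificates"]:
        days_left = (date.fromisoformat(cert["expires"]) - today).days
        if days_left < 0:
            findings.append((HIGH, "certificate expired: " + cert["common_name"]))
        elif days_left <= policy["cert_warning_days"]:
            findings.append((MEDIUM, "certificate expiring in %d days: %s"
                             % (days_left, cert["common_name"])))
    for app in device["installed_apps"]:
        if app["id"] in policy["prohibited_apps"]:
            findings.append((MEDIUM, "prohibited app installed: " + app["id"]))
    return findings


def recommended_action(findings):
    """Map findings to the responses the guide describes while keeping the
    device enrolled: push updated profiles or app commands for drift, or
    remove the managed profiles and apps when corporate data is at risk."""
    if not findings:
        return "compliant"
    if any(severity == HIGH for severity, _ in findings):
        return "remove-managed-profiles-and-apps"
    return "push-updated-profiles-and-apps"


if __name__ == "__main__":
    findings = evaluate(SAMPLE_DEVICE, POLICY, "2012-05-15")
    for finding in findings:
        print(finding)
    print(recommended_action(findings))
```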
Similarly, it may be necessary to install context-specific configurations on iOS devices, depending on a user's location or role within the organization. For example, if a user is traveling abroad, an MDM server can require that e-mail accounts sync manually rather than automatically. An MDM server can even remotely disable voice or data services to keep a user from incurring carrier roaming charges.

Managed apps
An MDM server can manage third-party apps from the App Store as well as enterprise in-house applications. The server can remove managed apps and their associated data on demand, or specify whether the apps should be removed when the MDM profile is removed. In addition, the MDM server can prevent managed app data from being backed up to iTunes and iCloud. To install a managed app, the MDM server sends an installation command to the user's device. Managed apps require user acceptance before they are installed. When an MDM server requests installation of a managed app from the App Store, the app is acquired using the iTunes account in use at the time the app is installed. For paid apps, the MDM server must send a Volume Purchase Program (VPP) redemption code. To learn more about the VPP program, see www.apple.com/business/vpp/. App Store apps cannot be installed on a user's device if the App Store has been disabled.

Removing or wiping devices
If a device is out of compliance, is lost or stolen, or if an employee leaves the company, an MDM server has several ways to protect the corporate information on that device.
An IT administrator can end the MDM relationship with a device by removing the configuration profile that contains the MDM server information. This removes all accounts, settings and apps it was responsible for installing. IT can also leave the MDM configuration profile in place and use the MDM server only to remove the specific configuration profiles, provisioning profiles and managed apps it wants removed. This approach keeps the device under MDM management and avoids having to re-enroll it once it is back in compliance. Both methods give IT the ability to ensure that information is available only to compliant users and devices, and to make sure corporate data is removed without interfering with a user's personal data, such as music, photos or personal apps. To permanently remove all media and data from the device and restore it to factory settings, the MDM server can remotely wipe an iPhone or iPad. If the user is still searching for the device, IT can also choose to send the device a remote lock command. This locks the screen and requires the user's passcode to unlock it. If a user has simply forgotten the passcode, an MDM server can remove it from the device and prompt the user to set a new one within 60 minutes.
Supported management commands
Managed settings
• Install configuration profile
• Remove configuration profile
• Data roaming
• Voice roaming (not available with some carriers)

Managed apps
• Install managed app
• Remove managed app
• List all managed apps
• Install provisioning profile
• Remove provisioning profile

Security commands
• Remote wipe
• Remote lock
• Clear passcode

[Figure: enrollment and push flow between the firewall, the Apple Push Notification service and a third-party MDM server, steps 1 to 5]

Process overview
This example illustrates a basic deployment of a mobile device management (MDM) server. A configuration profile containing information about the mobile device management server is sent to the device. The user is shown information about what will be managed and/or queried by the server. The user installs the profile to opt in to device management. Device enrollment takes place during profile installation. The server validates the device and allows access. The server sends a push notification prompting the device to check in for the requested tasks or queries.
The device connects directly to the server over HTTPS. The server sends the commands or queries. To learn more about mobile device management, see www.apple.com/fr/iphone/business/integration/mdm.

Deploying iPhone and iPad
Apple Configurator
iOS devices can be configured for enterprise deployment using a broad range of tools and methods. The end user can configure devices manually by following a few simple instructions from IT; device configuration can also be automated with configuration profiles or a third-party mobile device management (MDM) server. In some deployments, IT may want to configure a large number of devices with the same settings and apps before distributing them to users. This is often the case when the same device is used by different users during the day. Other deployments require tight control of devices and regular resetting to a particular configuration. Apple Configurator for OS X Lion makes it easy to mass-configure and deploy iPhone and iPad in such situations, with three simple options:

Prepare devices. You can Prepare a set of new iOS devices from a single central configuration before deploying them to users. Install the latest version of iOS, install configuration profiles and apps, enroll the devices with your organization's MDM server, then distribute the devices. Preparing devices is an excellent deployment option if your organization wants to provide iOS devices to employees for everyday use.

Supervise devices.
Another option is to Supervise a set of iOS devices that remain under your direct control and can be configured on an ongoing basis. You apply a configuration to each device, then reapply it automatically after each use simply by reconnecting the device to Apple Configurator. Supervision is ideal for deploying devices for dedicated tasks (retail, field service, medical tasks and so on), for sharing devices among students in a classroom or lab, or for lending iOS devices to customers (for example in a hotel, restaurant or hospital).

Assign devices. Finally, you can Assign supervised devices to specific users in your organization. Assign a device to a particular user, then restore that user's backup (including all of their data) to the device. When the device is returned, back up the user's data for later use, including on a different device. This option is useful when users need to work with the same data and documents over a long period, regardless of which device is assigned to them.

Requirements
• Mac computer
• OS X Lion 10.7.2
• iTunes 10.6
Apple Configurator works with devices running iOS 4.3 or later, and can supervise devices running iOS 5.0 or later.

Configuring settings and apps
Whether you choose to Prepare, Supervise or Assign your iOS devices before deployment, Apple Configurator simplifies the configuration of a full range of settings as well as the installation of apps from the App Store or developed in house.

Settings
Like iTunes, Apple Configurator lets you name devices and install iOS updates.
In addition, Apple Configurator can configure preferences, including the lock screen wallpaper, the Home screen layout, and other settings that can be set manually on a device and saved in Apple Configurator. This simplifies configuring many devices that must share the same settings: configure one device with the settings and preferences you want on all of them, then back it up with Apple Configurator. Apple Configurator then restores that backup to the other devices, up to 30 devices connected by USB at a time.

Like iPhone Configuration Utility, Profile Manager in OS X Lion Server, and some third-party mobile device management solutions, Apple Configurator can create and install configuration profiles for the following settings:
• Exchange ActiveSync accounts
• VPN and Wi-Fi settings
• Passcode length and complexity, and local wipe settings
• MDM enrollment settings
• Device restrictions
• Certificates
• Web Clips

Configuration profiles created with other tools can be imported into Apple Configurator. For a complete list of the configuration profile settings available in Apple Configurator, see http://help.apple.com/configurator/mac/1.0. If you want to connect devices to a mobile device management server, use Apple Configurator to install the MDM settings before handing the device to an end user. Once the device is enrolled with your organization's MDM server, you can configure settings remotely, monitor compliance with corporate policy, and wipe or lock the device. For more on the mobile device management features of iOS, see www.apple.com/fr/iphone/business/integration/mdm.
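The profile settings listed above travel in a .mobileconfig property list. The following script is an added example, not code from Apple's guide or from Apple Configurator: it builds a profile carrying a passcode policy, a restrictions payload, an MDM identity and an MDM enrollment payload with Python's plistlib, then lints it for the weak settings a reviewer would reject (simple passcodes, short minimum length, no local wipe, an MDM ServerURL that is not HTTPS, an IdentityCertificateUUID that points at no payload in the profile). The payload types and key names are those of Apple's Configuration Profile Reference; every identifier, URL, APNs topic and the PKCS#12 bytes are made-up sample values (a real identity payload needs a real PKCS#12 file).

```python
"""Build and lint an iOS configuration profile (.mobileconfig).

Added example, not part of Apple's guide or of Apple Configurator. The
payload types and keys are those of Apple's Configuration Profile Reference;
every identifier, URL, topic and the PKCS#12 blob below are made-up sample
values (a real MDM identity payload needs a real PKCS#12 file).
"""
import plistlib
import uuid

REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def _payload(payload_type, identifier, display_name, **keys):
    """Wrap payload-specific keys with the common keys every payload needs."""
    base = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    base.update(keys)
    return base


def build_profile(*, server_url, min_length, allow_simple, max_failed,
                  max_inactivity, identity_uuid=None):
    """Passcode policy, restrictions, MDM identity and MDM enrollment in one profile.

    identity_uuid lets a caller deliberately reference an identity that is
    not in the profile, to show what the lint catches.
    """
    identity = _payload(
        "com.apple.security.pkcs12", "com.example.mdm.identity", "MDM identity",
        PayloadContent=b"<constructed placeholder, not a real PKCS#12 blob>")
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "com.example.passcode", "Passcode",
        forcePIN=True, allowSimple=allow_simple, requireAlphanumeric=not allow_simple,
        minLength=min_length, maxFailedAttempts=max_failed,  # 0 = no local wipe
        maxInactivity=max_inactivity, maxPINAgeInDays=90)
    restrictions = _payload(
        "com.apple.applicationaccess", "com.example.restrictions", "Restrictions",
        forceEncryptedBackup=True, allowUntrustedTLSPrompt=False)
    mdm = _payload(
        "com.apple.mdm", "com.example.mdm", "MDM enrollment",
        ServerURL=server_url, CheckInURL=server_url.rstrip("/") + "/checkin",
        Topic="com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",  # sample topic
        AccessRights=8191,  # bit mask; 8191 grants every documented right
        IdentityCertificateUUID=identity_uuid or identity["PayloadUUID"])
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.fleet",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Fleet profile (sample)",
        "PayloadOrganization": "Example Corp",
        "PayloadContent": [identity, passcode, restrictions, mdm],
    }


def lint(profile):
    """Return the findings a reviewer would raise; an empty list means the profile passed."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    for p in [profile, *payloads]:
        for key in REQUIRED_KEYS:
            if key not in p:
                findings.append(f"{p.get('PayloadType', '?')}: missing {key}")
    by_type = {p.get("PayloadType"): p for p in payloads}
    known_uuids = {p.get("PayloadUUID") for p in payloads}

    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if pw.get("allowSimple", True):
            findings.append("passcode: allowSimple permits repeating or sequential PINs")
        if pw.get("minLength", 0) < 6:
            findings.append("passcode: minLength below 6")
        if not pw.get("maxFailedAttempts"):
            findings.append("passcode: maxFailedAttempts not set, so no local wipe after failed attempts")
        if not pw.get("maxInactivity"):
            findings.append("passcode: maxInactivity not set, auto-lock left to the user")

    mdm = by_type.get("com.apple.mdm")
    if mdm is not None:
        if not str(mdm.get("ServerURL", "")).startswith("https://"):
            findings.append("mdm: ServerURL is not https")
        if mdm.get("IdentityCertificateUUID") not in known_uuids:
            findings.append("mdm: IdentityCertificateUUID does not match any payload in this profile")
    return findings


def roundtrip(profile):
    """Serialize to the XML plist a device receives and parse it back, so the lint sees what ships."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    weak = build_profile(server_url="http://mdm.example.com", min_length=4,
                         allow_simple=True, max_failed=0, max_inactivity=0,
                         identity_uuid="00000000-0000-0000-0000-000000000000")
    hardened = build_profile(server_url="https://mdm.example.com/mdm", min_length=8,
                             allow_simple=False, max_failed=10, max_inactivity=5)
    for name, prof in (("weak", weak), ("hardened", hardened)):
        print(name, lint(roundtrip(prof)) or "OK")
```

Run the lint on the parsed plist rather than on the in-memory dictionary, as the main block does, so that anything lost in serialization is caught before the profile is imported into Apple Configurator.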
Activating devices
To prepare devices so that neither you nor the end user has to go through the iOS Setup Assistant, restore the backup of a device that has already completed the assistant. Apple Configurator cannot perform the very first activation of an iPhone or iPad on a cellular network, but it can reactivate previously activated devices as part of the configuration process.

Apps
To install an App Store app on your devices, buy and download the app in iTunes, add it to Apple Configurator, then install it while configuring the devices. To install paid App Store apps with Apple Configurator, you must take part in the Volume Purchase Program for Business (VPP). Apple Configurator automatically uses the codes provided by the VPP Program Facilitator or authorized purchaser to install the apps. The app list in Apple Configurator shows free apps and the number of download codes remaining for paid apps. Each time you install an app on a device, one download code from the VPP spreadsheet imported into Apple Configurator is consumed. Download codes cannot be reused; when you run out, you must import more to install the app on further devices. When a paid app is removed from a supervised or assigned device, it can be installed on another device. The VPP code is not reactivated, which means later installs must be done with Apple Configurator on the Mac used for the initial install of the app. Paid App Store apps can only be installed with download codes obtained through the Volume Purchase Program for Business or Education.
The Volume Purchase Program is not available in all countries. For more information, see www.apple.com/business/vpp or www.apple.com/education/volume-purchase-program. You can also install apps developed and distributed in house within your company: add your app (including its distribution provisioning profile) to Apple Configurator, then install it while configuring the devices.

Important: apps installed with Apple Configurator are tied to the device they were installed on, not to a particular Apple ID. To update apps deployed with Apple Configurator, you must reconnect the device to the Mac used to install them, and these apps cannot be re-downloaded through iTunes in the Cloud. For this reason, it is recommended that you install App Store apps with Apple Configurator only on supervised or assigned devices.

Deployment examples

The following scenarios illustrate how you can use Apple Configurator to quickly deploy customized devices.

Preparing new devices for personal use
With the Prepare option, configure settings on devices before deploying them to users for business use. This can include upgrading to the latest version of iOS, updating a network configuration, or enrolling with your organization's MDM server. A device prepared with Apple Configurator can then be reconfigured as the end user sees fit, and it will not be recognized by Apple Configurator if it is reconnected later. For example, users can connect their unsupervised devices to their own copy of iTunes and sync whatever content they choose.
IT administrators who want to let users personalize their devices can use Apple Configurator to Prepare and deploy unsupervised devices, then use an MDM solution to manage each device's settings, accounts, and apps remotely. An unsupervised device is usually configured only once, with the user responsible for managing it afterward. Apple Configurator forgets unsupervised devices as soon as they are disconnected and treats them as new devices when they are reconnected.

Viewing or exporting device information
Apple Configurator includes an inspector that shows information about supervised devices, such as the iOS version, serial number, hardware identifiers and addresses, and available capacity. You can also export most of this information as CSV for use in a spreadsheet, or in a format designed for the iOS Provisioning Portal so that your company's software developers can use it to create provisioning profiles for in-house iOS apps.

Supervising devices to be deployed to unspecified users
During preparation you can choose to Supervise devices that are to be controlled and configured on an ongoing basis with Apple Configurator. This might be a set of devices that must all share one configuration and are not tied to particular users. A supervised device is wiped each time it is reconnected to Apple Configurator: the previous user's data is removed and the device is reconfigured. Supervised devices also cannot be synced with iTunes or with Apple Configurator on another Mac.
Deploying supervised devices typically means handing out the devices, collecting them, reapplying their initial configuration, and handing them out again. Supervised devices can be sorted into groups to simplify applying the same configuration automatically.

Important: when a device is first supervised during the preparation process, all content and settings are deliberately erased. This prevents a user's personal device from being supervised without their knowledge.

Assigning supervised devices to specific users
Once you have configured a supervised device, you can also Assign it to a particular user. When you check out the device for a particular user, Apple Configurator returns it to the state it was in the last time that person used it: all of the user's settings and app data are restored. When the device is checked back in, Apple Configurator backs up the user's settings and app data for next time, including any new data the user created, then erases everything the previous user left on the device. This check-out and check-in mechanism gives users the experience of a personal device while letting you assign one pool of devices to several groups of users. Users can be added manually or imported from Open Directory or Active Directory, then sorted into custom groups. If you install apps such as Keynote or Pages that support iTunes File Sharing, you can also install documents that will be ready to use when your users pick up a checked-out device.
And when the device is returned, the user's data and settings are backed up, and their synced documents are accessible directly from Apple Configurator.

© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, iPad, iPhone, iTunes, Keynote, Mac, the Mac logo, OS X, and Pages are trademarks of Apple Inc., registered in the U.S. and other countries. iCloud and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Other product and company names mentioned in this document belong to their respective owners. Product specifications are subject to change without notice. March 2012

Installing and Configuring the Apple PCI Dual-Attached FDDI Card

Contents
Preface
1 Installing the Card and Connecting to the Network
   Opening the logic module of the Network Server
   Unpacking the card
   Installing the card
   Attaching the cables and connecting to the network
2 Installing and Configuring the Device Driver Software
   Installing the Common FDDI Software
   Installing the FDDI AIX device driver
   Configuring the FDDI network interface
3 Troubleshooting and Diagnostics
   Troubleshooting
   Using FDDI diagnostic routines
   Obtaining service and support
Appendix: Specifications

The Apple Peripheral Component Interconnect (PCI) Dual-Attached FDDI Card is a 100 megabit per second (Mbps) single-slot Fiber Distributed Data Interface (FDDI) card for use with the Apple Network Server. The card and its associated driver provide physical and data-link services under the TCP/IP protocol as defined by the ANSI X3T9.5 specifications for FDDI.

IMPORTANT: You must first install AIX 4.1.4.1 before you can use the FDDI Card. See Instructions to Update AIX for the Network Server to Version 4.1.4.1.
The Apple PCI Dual-Attached FDDI Card has the following features:
• compliance with PCI Local Bus, version 2.1
• onboard integrated FDDI Station Management (SMT)
• 32-bit, zero wait state PCI Direct Memory Access (DMA) master
• up to 132 MB/s burst DMA rate (the peak of a 32-bit, 33 MHz PCI bus)
• PCI commands for efficient use of cache lines
• support for optical fiber media
• support for dual attachment for direct attachment to the network ring
• 128K of local buffering
• Motorola MC68840 FDDI chipset

These capabilities are all available as soon as the card is installed in the Network Server. No special configuring is required.

Preface

About this manual
This manual is aimed at Network Server administrators. It assumes you have a good understanding of the Network Server hardware, as described in Setting Up the Network Server (available in the Network Server accessory kit). You should also have a working knowledge of the AIX operating system. Using AIX, AppleTalk Services, and Mac OS Utilities on the Network Server, also available in your accessory kit, provides a basic introduction. Complete AIX documentation is available online through the InfoExplorer application. Chapter 5 of Using AIX, AppleTalk Services, and Mac OS Utilities on the Network Server tells you how to access and use InfoExplorer.

For more information
Numerous books about FDDI and FDDI token-passing networks are available at most technical bookstores. In addition, the FDDI Consortium at the University of New Hampshire is an excellent resource for FDDI information and training. The Consortium can be reached on the Internet at http://www.iol.unh.edu/consortiums/fddi/fddi_consortium.html

1 Installing the Card and Connecting to the Network

This chapter provides complete instructions for installing the Apple PCI Dual-Attached FDDI Card in the Network Server. Before proceeding, familiarize yourself with the section on installing PCI cards in Setting Up the Network Server. Be sure to follow all recommendations for handling and installing the card carefully and correctly, so as not to damage either the card or the computer.

Opening the logic module of the Network Server
You do not need to remove the cover from the Network Server to install a card. Instead you open the logic module, following the directions in this section.
1. Shut down the Network Server. See Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server if you need more information about safely shutting down the Network Server.
2. Attach a grounding strap to your body. A grounding strap is strongly recommended to avoid damage to the card or the computer from electrostatic discharge.
3. Turn the key at the rear of the server to the Unlock position.
4. Loosen the thumb screws completely.
5. Grasping the logic module by its handles, pull the module out as far as it will go.
6. Remove the cover plate from the expansion slot you want to use. Put the screw aside; you will reattach it later to hold the card in place. Put the cover plate away for safekeeping in case you remove the card later.

Unpacking the card
The package for the Apple PCI Dual-Attached FDDI Card contains an installation CD-ROM disc, the card itself, and this manual.
1. Remove the protective packing materials from around the card. Save the packing materials and the package; you can use them should you need to return the card for service.
2. Carefully remove the card from its antistatic bag. Inspect it for any visible damage that might have occurred during shipment. If you find any damage, contact your Apple-authorized Network Server dealer or service representative.
Installing the card
The cable ports on the Apple PCI Dual-Attached FDDI card are somewhat oversized for the Network Server and require you to slightly modify the procedure you have used to install other cards. Use the illustrations that follow to install the FDDI card. (The installation illustrations are not reproduced in this text.) Once the card has been installed, push the logic module back in, tighten the thumb screws, turn the key to Lock, and reattach all cables. Do not turn on the computer until you have connected the card to the network.

Attaching the cables and connecting to the network
The Apple PCI Dual-Attached FDDI card requires one SC Duplex fiber cable for single attachment or two cables for dual attachment. Note that each cable has two connectors. These cables are not supplied with the card but may be ordered in a variety of lengths from most large computer suppliers. Attach each cable to Port A or Port B on the FDDI card, following the cable manufacturer's instructions (if any). Looking at the computer from the back (toward the logic module), Port A is on the left.

IMPORTANT: Do not connect the Network Server to the next node on the network without consulting your network administrator. Where and how you should connect, and how the rest of the network will be affected by adding a node, depends on your particular network.

2 Installing and Configuring the Device Driver Software

Once you install the FDDI card, you must install a common FDDI software package and the FDDI device driver software. You must also configure the FDDI device driver so your Network Server can communicate on the FDDI network. This chapter describes all of these steps.

IMPORTANT: You must be using Apple's AIX version 4.1.4.1 or later to use the FDDI Card. If your Network Server is not running AIX 4.1.4.1, upgrade your software before installing the FDDI software. See the Instructions to Update AIX to Version 4.1.4.1 that came with your FDDI card.

Installing the Common FDDI Software
After you have AIX Version 4.1.4.1 (or later) running on your Network Server, you need to install a Common FDDI Software package before you install the FDDI device driver. The steps you follow depend on whether you have the Installation CD or the Software Update CD. Refer to the section below for the CD you are using.

If you have the AIX Installation CD Version 4.1.4.1 (or later)
Follow these steps:
1. Type:
   lslpp -l devices.mca.8ef4.com
   In most cases a message appears telling you that the software is not installed. Continue with step 2. If a message appears telling you the software is present, go to the next section, "Installing the FDDI AIX device driver."
2. Insert the AIX Installation CD in the CD drive.
3. At the AIX prompt, type the following command and press Return:
   smitty devinst
   The menu for installing additional device software appears.
4. Press F4 (or Esc-4). A pop-up list of the devices from which software can be installed appears.
5. Select the appropriate CD device from the list and press Return. An expanded menu appears.
6. Select "Software to install" from the menu and type:
   devices.mca.8ef4.com
7. Press Return. A dialog box appears asking you to confirm the installation. Press Return to begin the installation or press F3 (or Esc-3) to cancel it.
When the installation is finished, continue with the next section, "Installing the FDDI AIX device driver."

If you have the Software Update CD
Follow these steps:
1. Type:
   lslpp -l devices.mca.8ef4.com
   In most cases a message appears telling you that the software is not installed. Continue with step 2. If a message appears telling you the software is present, go to the next section, "Installing the FDDI AIX device driver."
2. Insert the Network Server Software Update Kit CD in the CD drive.
3. To mount the CD, type the following command and press Return:
   mount -r -v cdrfs /dev/cd0 /mnt
4. At the AIX prompt, type the following command and press Return:
   smitty devinst
   The menu for installing additional device software appears.
5. In the "INPUT device/directory for software" field, type:
   /mnt/new
6. In the "SOFTWARE to install" field, type:
   devices.mca.8ef4.com
7. Press Return. A dialog box appears asking you to confirm the installation. Press Return to begin the installation or press F3 (or Esc-3) to cancel it.
8. To unmount the CD, type:
   umount /mnt
When the installation is finished, continue with the next section, "Installing the FDDI AIX device driver."

Installing the FDDI AIX device driver
The device driver software is included on the installation floppy disk. The following instructions can be used to install the driver software using either the X Window version of the System Management Interface Tool (SMIT) or the command-line version (SMITTY). The example uses SMITTY, but all the steps are the same.
Note: To perform the installation you must be logged in as root.
1. Insert the installation floppy disk.
2. At the AIX prompt, type the following command and press Return:
   smitty devinst
   The menu for installing additional device software appears.
3. In the INPUT entry field, type:
   /dev/fd0
4. Press Return to display the configuration options.
5. Type devices.pci.7e100300 in the "SOFTWARE to install" field. If an FDDI driver has already been installed and you want to continue with this installation, type Yes in the overwrite field. A dialog box appears asking you to confirm your selection.
6. Press Return again to begin the installation. Messages on the screen describe the installation process. When you see the following message, installation is complete:

   Installation Summary
   --------------------
   Name                        Level     Part   Event   Result
   devices.pci.7e100300.rte    2.1.0.0   USR    APPLY   SUCCESS
   devices.pci.7e100300.diag   2.1.0.0   USR    APPLY   SUCCESS

7. Press F10 to exit SMITTY, and then reboot the Network Server.

Configuring the FDDI network interface
You will need the following information to configure the network interface for the FDDI card:
• a name and IP address for each FDDI card installed in the Network Server
• the network mask
• the name and IP address of the appropriate domain name server
• the IP address of the router or gateway the Network Server uses for network access
If you don't have this information, obtain it from your network administrator. As when you install the device driver, you can configure the card with either SMIT or SMITTY. The instructions that follow assume you are using SMITTY.
1. At the AIX prompt, type the following command and press Return:
   smitty tcpip
   The TCP/IP configuration screen appears.
2. Select Minimum Configuration & Startup and then press Return. The Available Network Interfaces screen appears.
3. Select fi0 (the FDDI interface) and then press Return. The Minimum Configuration & Startup screen appears.
4. Fill in or edit the entry fields in the Minimum Configuration & Startup screen. Enter the name and IP address assigned to the FDDI card, the network mask, the name and IP address of the appropriate domain name server, and the IP address of the router or gateway the Network Server uses for network access. If you are connecting more than one FDDI card to the server, each FDDI card must have a unique IP address.
5. Press Return.
6. Press F10 to exit SMITTY, and then reboot the Network Server.

3 Troubleshooting and Diagnostics

This chapter suggests possible solutions to common problems that may come up while you are using the Network Server with an Apple PCI Dual-Attached FDDI Card. Try the suggestions in the order they are listed until you resolve the problem. The chapter also gives information about using FDDI diagnostic routines and about obtaining service and support if you encounter problems you can't solve.

Troubleshooting

AIX won't boot.
1. Check that the system is plugged in and turned on.
2. Check that the card you just installed is properly seated in the slot.
3. Try installing the card in a different PCI slot.
4. Remove the card and see if the system boots up and works normally.
5. Try installing another card that you know is good.
If the problem continues, see "Obtaining service and support," later in this chapter.

A network application no longer works.
If an application worked prior to the installation of the card, there is probably a hardware conflict. See "Obtaining service and support," later in this chapter.

The Network Server card cannot connect to the ring or communicate with other hosts on the network.
1. Make sure the card is seated correctly in the bus expansion slot.
2. Verify that both cables are properly connected, and that Ports A and B are connected to the correct ports on their adjacent nodes.
3. Use a utility such as ping to test the Network Server's ability to communicate on the network.
4. Install the card in another PCI slot and try again.
5. Try installing another card that you know is good.
If the problem continues, see "Obtaining service and support," later in this chapter.

Using FDDI diagnostic routines
A number of diagnostic routines were installed when you installed the FDDI device driver software. To run these routines, use either SMIT or SMITTY to open the AIX diagnostics utility. Complete information on AIX diagnostics and on the AIX diagnostics utility is available through InfoExplorer. Chapter 5 of Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server tells you how to access and use InfoExplorer.

Obtaining service and support
See the service and support information packaged with your Network Server for phone numbers and other information that can help you solve problems that may come up with your Apple PCI Dual-Attached FDDI Card.
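Every decision in Chapter 2 (is the AIX level high enough, is the common FDDI fileset present, did both driver filesets apply) and in the interface configuration step is made by reading what an AIX command or SMIT screen prints. The script below is an added example, not part of Apple's manual or of AIX: it encodes those checks as functions that take the command output as text, plus a consistency check on the values entered in Minimum Configuration & Startup (duplicate addresses across several cards, an address that is the network or broadcast address, a gateway that is not on any card's subnet, a domain name server that is not an IP address). It runs offline against constructed sample output whose column layout and 0504-132 "not installed" message are modelled on AIX; on a Network Server you would pass it the real output of `oslevel` and `lslpp -l` and the summary that SMITTY prints. Python is used here only for the illustration; the manual's own procedure is typed into SMITTY.

```python
"""Offline checks for the FDDI driver installation and interface setup.

Added example, not from the Apple manual. Each function takes the text that
the named AIX command or SMIT screen prints, so the checks can be exercised
here against constructed sample output. On a Network Server you would feed
them the real output of `oslevel`, `lslpp -l` and the SMIT installation
summary. The 0504-132 message and the column layouts are modelled on AIX
output; the sample text itself is constructed.
"""
import ipaddress

REQUIRED_AIX = (4, 1, 4, 1)  # level the manual requires
COMMON_FILESET = "devices.mca.8ef4.com"
DRIVER_FILESETS = ("devices.pci.7e100300.rte", "devices.pci.7e100300.diag")

# Constructed sample output.
LSLPP_MISSING = "lslpp: 0504-132  Fileset devices.mca.8ef4.com not installed.\n"
LSLPP_PRESENT = """\
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  devices.mca.8ef4.com       4.1.4.0  COMMITTED  Common FDDI Software
"""
INSTALL_SUMMARY = """\
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
devices.pci.7e100300.rte    2.1.0.0         USR         APPLY       SUCCESS
devices.pci.7e100300.diag   2.1.0.0         USR         APPLY       SUCCESS
"""


def version_tuple(text):
    """'4.1.4.1\\n' -> (4, 1, 4, 1), so 4.10 sorts after 4.9 unlike a string compare."""
    return tuple(int(part) for part in text.strip().split("."))


def aix_level_ok(oslevel_output):
    """True if the level reported by `oslevel` is 4.1.4.1 or later (assumes a dotted level)."""
    return version_tuple(oslevel_output) >= REQUIRED_AIX


def fileset_installed(lslpp_output, fileset):
    """True if `lslpp -l <fileset>` lists the fileset, False on the 'not installed' message."""
    return any(line.split()[:1] == [fileset] for line in lslpp_output.splitlines())


def driver_install_succeeded(summary_output):
    """Every driver fileset must appear in the summary with Event APPLY and Result SUCCESS."""
    results = {}
    for line in summary_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] in DRIVER_FILESETS:
            results[fields[0]] = (fields[3], fields[4])
    return all(results.get(f) == ("APPLY", "SUCCESS") for f in DRIVER_FILESETS)


def interface_problems(cards, netmask, gateway, dns):
    """Check the values entered in Minimum Configuration & Startup.

    cards: list of (interface name, IP address) pairs, one per FDDI card.
    Returns a list of problems; an empty list means the values are consistent.
    """
    problems, seen, networks = [], set(), []
    for iface, ip in cards:
        try:
            addr = ipaddress.ip_address(ip)
            net = ipaddress.ip_interface(f"{ip}/{netmask}").network
        except ValueError as err:
            problems.append(f"{iface}: {err}")
            continue
        if addr in seen:
            problems.append(f"{iface}: {ip} is already used by another card")
        seen.add(addr)
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{iface}: {ip} is the network or broadcast address of {net}")
        networks.append(net)
    for label, value in (("gateway", gateway), ("domain name server", dns)):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{label}: {value!r} is not an IP address")
    try:
        if not any(ipaddress.ip_address(gateway) in net for net in networks):
            problems.append(f"gateway {gateway} is not on any FDDI card's subnet")
    except ValueError:
        pass  # an unparsable gateway was already reported above
    return problems


if __name__ == "__main__":
    print("AIX level ok:", aix_level_ok("4.1.4.1"))
    print("common software installed:", fileset_installed(LSLPP_PRESENT, COMMON_FILESET))
    print("driver applied:", driver_install_succeeded(INSTALL_SUMMARY))
    print(interface_problems([("fi0", "192.0.2.10"), ("fi1", "192.0.2.10")],
                             "255.255.255.0", "192.0.2.1", "192.0.2.53") or "interface values OK")
```

The version comparison is done on integer tuples deliberately: the manual's "4.1.4.1 or later" is a numeric comparison, and a string comparison would misorder a later two-digit component. The interface check only validates that the values are consistent with each other; whether the gateway actually answers is what the ping step in the troubleshooting section is for.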
Appendix: Specifications

Apple PCI Dual-Attached FDDI Card
Host Bus Interface: PCI Revision 2.0
Network Interface: ANSI X3T9.5 for FDDI at 100 Mbps
Host Data Transfer: 32-bit bus master DMA transfers up to 132 MB/s
IEEE Compliance: IEEE P1386 adapter card specification
Mechanical: 5511; occupies a full-size, short card PCI slot
Operating Power: +5 V DC ±5% at 2.10 A (maximum)
Software Drivers: AIX version 4.1.4.1
Operating Environment:
   Temperature: 0° to 55° C (32° to 131° F)
   Relative Humidity: 10–90%, non-condensing
   Altitude: sea level to 15,000 feet
   Storage: -20° to 70° C (-4° to 158° F)
Network Connections: Dual Mode Fiber (62.5/125): ST or SC Duplex
La carte PCI FDDI Apple possède les caractéristiques suivantes : m compatibilité avec Bus Local PCI, version 2.1 m FDDI Station Management (SMT) intégré à la carte m DMA (Accès direct à la mémoire) PCI à état d’attente nul 32 bits m taux de transmission de données en rafales jusqu’à 132 Mbps sur le bus PCI m commandes PCI pour une utilisation efficace de la mémoire cache m support pour dispositifs à fibre optique m support pour un double branchement direct au réseau m 128 Ko de cache locale m jeu de composants Motorola MC68840 FDDI Ces fonctionnalités sont toutes disponibles dès que la carte est installée dans le Network Server. Aucune configuration particulière n’est nécessaire. PréfaceÀ propos de ce manuel Ce manuel est destiné aux administrateurs du Network Server. Il suppose une bonne maîtrise matérielle de ce produit, que vous pouvez obtenir grâce au manuel Mise en œuvre du Network Server (fourni dans son kit d’accessoires). Vous devez également avoir une bonne connaissance du système d’exploitation AIX. Le manuel intitulé Utilisation d’AIX®, des services AppleTalk, et des utilitaires Mac OS du Network Server, également fourni dans votre kit d’accessoires, propose une introduction aux principes de base. Une documentation détaillée sur AIX est disponible en ligne via l’application InfoExplorer. Vous trouverez comment accéder à InfoExplorer et l’utiliser au chapitre 5 du manuel Utilisation d’AIX, des services AppleTalk, et des utilitaires Mac OS du Network Server. Informations complémentaires De nombreux ouvrages concernant FDDI et les réseaux FDDI à jeton sont disponibles dans la plupart des librairies spécialisées. Le Consortium FDDI de l’université du New Hampshire est également une excellente source d’information et d’apprentissage concernant FDDI. 
Vous pouvez accéder au Consortium par Internet à l’adresse suivante : http://www.iol.unh.edu/consortiums/fddi/fddi_consortium.html B6 PréfaceCe chapitre donne toutes les instructions nécessaires à l’installation de la carte PCI FDDI Apple dans le Network Server. Avant de procéder à cette installation, prenez connaissance de la section traitant de l’installation des cartes PCI du manuel Mise en œuvre du Network Server. Suivez attentivement toutes les recommandations concernant la manipulation et l’installation de la carte pour ne pas endommager celle-ci, ni l’ordinateur. 1 Installation de la carte et connexion au réseauOuverture du module logique du Network Server Il n’est pas nécessaire d’ôter le capot du Network Server pour installer une carte. Il suffit d’ouvrir le module logique en suivant les instructions ci-après. 1 Éteignez le Network Server. Si vous avez besoin d’un complément d’informations pour éteindre le Network Server sans risque, référez-vous à la section Utilisation d’AIX, des services AppleTalk et des utilitaires Mac OS du Network Server. 2 Mettez un bracelet de mise à la terre. Un bracelet de mise à la terre est fortement recommandé pour éviter tout endommagement de la carte ou de l’ordinateur dû à une décharge d’électricité statique. 3 Déverrouillez le tiroir arrière en plaçant la clé en position verticale. B8 Chapitre 1 / Installation de la carte et connexion au réseau4 Dévissez entièrement les vis à molette. Ouverture du module logique du Network Server B95 Tirez le module logique par ses poignées pour le faire coulisser vers l’extérieur. 6 Retirez le couvercle correspondant au connecteur d’extension que vous souhaitez utiliser. Conservez la vis. Elle servira plus tard pour maintenir la carte en place. Placez le couvercle en lieu sûr au cas où vous retireriez cette carte ultérieurement. 
B10 Chapitre 1 / Installation de la carte et connexion au réseauDéballage de la carte La boîte contenant la carte PCI FDDI Apple comprend un CD-ROM d’installation, la carte elle-même et ce manuel. 1 Dégagez la carte de tous ses éléments de protection. Conservez-les soigneusement car ils seront utiles si vous devez retourner la carte pour une réparation. 2 Retirez précautionneusement la carte de son étui antistatique. Vérifiez que la carte n’a pas été endommagée durant son transport. Si vous constatez un défaut, contactez votre distributeur Apple Network Server. Déballage de la carte B11Installation de la carte Les ports câble de la carte PCI FDDI Apple sont un peu trop grands pour le Network Server. Vous devez donc modifier légèrement la procédure utilisée pour installer d’autres cartes. Servez-vous des illustrations suivantes pour installer la carte FDDI : B12 Chapitre 1 / Installation de la carte et connexion au réseauInstallation de la carte B13B14 Chapitre 1 / Installation de la carte et connexion au réseauUne fois la carte installée, replacez le module logique dans son compartiment, serrez les vis à molette, placez la clé en position horizontale pour verrouiller le tiroir arrière et reconnectez tous les câbles. N’allumez pas l’ordinateur avant d’avoir connecté la carte au réseau. Installation de la carte B15Branchement des câbles et connexion au réseau La carte PCI FDDI Apple s’utilise avec un câble en fibres SC Duplex pour un branchement simple ou deux câbles pour un branchement double. Chaque câble possède deux connecteurs, comme illustré ci-dessous. Ces câbles, disponibles en différentes longueurs, ne sont pas fournis avec la carte, mais vous pouvez facilement vous les procurer chez la plupart des revendeurs informatiques. Connectez chaque câble au Port A ou au Port B sur la carte FDDI, en suivant les instructions données par le fabricant du câble (si elles vous ont été fournies). 
Looking at the computer from the rear (toward the logic module), Port A is on the left, as shown in the illustration.

IMPORTANT Do not connect the Network Server to the next node on the network without informing your network administrator. Where you connect, how you connect, and what effect adding a node has all depend on your network.

2 Installing and configuring the device driver

When you install an FDDI card you must install the FDDI support software and the FDDI device driver, and then configure the driver so that the Network Server can communicate on the FDDI network. This chapter explains how.

IMPORTANT To use the FDDI card you need Apple's AIX version 4.1.4.1 or later. If AIX 4.1.4.1 is not installed on your Network Server, update it before installing the FDDI software. See the AIX 4.1.4.1 update instructions shipped with your FDDI card.

Installing the FDDI support software

Once AIX 4.1.4.1 (or later) is installed on your Network Server, install the FDDI support software before the FDDI device driver. The procedure differs depending on whether you have the full installation CD or the update CD; follow the section for the CD you have.

If you have the AIX 4.1.4.1 (or later) installation CD

Follow these steps:
1 Enter lslpp -l devices.mca.8ef4.com
In most cases a message reports that the software is not installed; go to step 2.
If a message reports that the software is installed, skip to the section "Installing the AIX FDDI device driver".
2 Insert the AIX installation CD in the drive.
3 At the AIX prompt, enter the following command and press Return: smitty devinst
The window for installing additional software appears.
4 Press F4 (or ESC-4). A pop-up menu lists the devices from which new software can be installed.
5 Select the appropriate device (here the CD-ROM drive) and press Return. A menu appears.
6 Select "Software to install" from the menu, then enter: devices.mca.8ef4.com
7 Press Return. A dialog asks you to confirm the installation. Press Return to start it or F3 (or ESC-3) to cancel.
When the installation finishes, go to the next section, "Installing the AIX FDDI device driver".

If you have the update CD

Follow these steps:
1 Enter lslpp -l devices.mca.8ef4.com
In most cases a message reports that the software is not installed; go to step 2. If a message reports that the software is installed, skip to the section "Installing the AIX FDDI device driver".
2 Insert the Network Server update CD in the drive.
3 To mount the CD, enter the following command and press Return: mount -r -v cdrfs /dev/cd0 /mnt
4 At the AIX prompt, enter the following command and press Return: smitty devinst
The menu for installing additional software appears.
5 In the "INPUT device/directory for software" field, enter: /mnt/new
6 In the "SOFTWARE to install" field, enter: devices.mca.8ef4.com
7 Press Return. A dialog asks you to confirm the installation. Press Return to start it or F3 (or ESC-3) to cancel.
8 To unmount the CD before ejecting it, enter: umount /mnt
When the installation finishes, go to the next section, "Installing the AIX FDDI device driver".

Installing the AIX FDDI device driver

The device driver is on the installation floppy disk. To install it you can use either the X Window version of the System Management Interface Tool (SMIT) or the command-line version (SMITTY). The following example uses SMITTY, but the steps are the same.
Note: you must be logged in as root to perform the installation.
1 Insert the installation floppy disk.
2 At the AIX prompt, enter the following command and press Return: smitty devinst
The install menu appears.
3 In the INPUT field, enter: /dev/fd0
4 Press Return to display the configuration options.
5 Enter devices.pci.7e100300 in the "SOFTWARE to install" field. If an FDDI driver is already installed and you want to proceed with this installation anyway, enter Yes in the overwrite field ("OVERWRITE same or newer versions"). A dialog asks you to confirm your selection.
6 Press Return again to start the installation. A series of on-screen messages describes the installation process.
The installation is complete when the following message appears:

    Installation Summary
    --------
    Name                        Level    Part  Event  Result
    devices.pci.7e100300.rte    2.1.0.0  USR   APPLY  SUCCESS
    devices.pci.7e100300.diag   2.1.0.0  USR   APPLY  SUCCESS

7 Press F10 to quit SMITTY and restart the Network Server.

Configuring the FDDI network interface

You need the following information to configure the network interface for the FDDI card:
- a name and an IP address for each FDDI card installed in the Network Server
- the network mask
- the name and IP address of the appropriate domain name server
- the IP address of the router or gateway the Network Server uses to reach the network
If you do not know this information, contact your system administrator.

As when installing the device driver, you can configure the card with either SMIT or SMITTY. The following instructions assume SMITTY.
1 At the AIX prompt, enter the following command and press Return: smitty tcpip
The TCP/IP configuration screen appears.
2 Select Minimum Configuration & Startup and press Return. The Available Network Interfaces screen appears.
3 Select fi0 (the first FDDI interface) and press Return. The Minimum Configuration & Startup screen appears.
4 Fill in or change the fields of the Minimum Configuration & Startup screen: enter the name and IP address assigned to the FDDI card, the network mask, the name and IP address of the appropriate domain name server, and the IP address of the router or gateway the Network Server uses to reach the network. If you connect more than one FDDI card to the server, each must have its own IP address, and you repeat these steps for each interface.
5 Press Return.
6 Press F10 to quit SMITTY, then restart the Network Server.
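The chapter 2 procedure above is driven through SMITTY screens. The following script is an added example and is not Apple's software or part of this manual: it performs the same steps non-interactively with the standard AIX commands lslpp, installp and mktcpip (the command-line equivalents of "smitty devinst" and "Minimum Configuration & Startup"), checks the Installation Summary for SUCCESS on both driver parts before going on, and adds the check a practitioner wants before configuring the interface, namely that the gateway really lies in the interface's subnet. The fileset names are the manual's; the interface name fi0 is the manual's first FDDI interface; the host name, addresses and sample command output used for testing are constructed; the installp flags (-acgX) and mktcpip options are standard AIX but were not verified on a Network Server.

```sh
#!/bin/sh
# Added example: scripted equivalent of chapter 2 (support fileset, driver
# fileset, interface configuration) for the Apple PCI FDDI card on AIX.
# Not Apple's software. Fileset names come from the manual; sample outputs
# used in comments/tests are constructed.

FDDI_COMMON="devices.mca.8ef4.com"
FDDI_DRIVER="devices.pci.7e100300"

# fileset_state TEXT FILESET
# Parses `lslpp -l FILESET` output and prints the State column (COMMITTED,
# APPLIED, ...) or NOT_INSTALLED when lslpp reports the fileset absent.
fileset_state() {
    printf '%s\n' "$1" | awk -v fs="$2" '
        $1 == fs { print $3; found = 1; exit }
        END { if (!found) print "NOT_INSTALLED" }'
}

# summary_ok TEXT
# Returns 0 only if the "Installation Summary" printed by installp lists
# both driver parts (.rte and .diag) with Result SUCCESS and no failures.
summary_ok() {
    printf '%s\n' "$1" | awk -v drv="$FDDI_DRIVER" '
        /^Installation Summary/ { insum = 1; next }
        insum && NF == 5 && $1 != "Name" {
            if ($5 != "SUCCESS") bad++
            if ($1 == (drv ".rte")) rte++
            if ($1 == (drv ".diag")) diag++
        }
        END { exit !(bad == 0 && rte && diag) }'
}

# install_fileset DEVICE FILESET
# Non-interactive "smitty devinst": apply and commit (-ac) from DEVICE
# (/dev/cd0, /dev/fd0 or a directory such as /mnt/new), pulling in
# prerequisites (-g) and expanding filesystems if needed (-X).
install_fileset() {
    installp -acgX -d "$1" "$2"
}

# ip_to_int A.B.C.D: prints the address as a 32-bit integer, returns 1 on
# anything that is not four decimal octets in 0..255.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK: 0 if both addresses share the network
same_subnet() {
    a=$(ip_to_int "$1") || return 2
    b=$(ip_to_int "$2") || return 2
    m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# fddi_config_cmd HOSTNAME IP NETMASK NAMESERVER DOMAIN GATEWAY [IFACE]
# Prints the mktcpip(1) command for the "Minimum Configuration & Startup"
# step. Refuses a gateway outside the interface's subnet, a common cause of
# "cannot reach other hosts" right after a card install.
fddi_config_cmd() {
    iface=${7:-fi0}
    same_subnet "$2" "$6" "$3" || {
        echo "invalid address, or gateway $6 is not on the $2/$3 subnet" >&2
        return 1
    }
    printf 'mktcpip -h %s -a %s -m %s -i %s -n %s -d %s -g %s -s\n' \
        "$1" "$2" "$3" "$iface" "$4" "$5" "$6"
}

# main HOSTNAME IP NETMASK NAMESERVER DOMAIN GATEWAY
# Run as root on the Network Server with the update CD and driver floppy
# inserted. The driver needs a reboot before the interface exists, so the
# mktcpip command is printed for the administrator to run afterwards.
main() {
    state=$(fileset_state "$(lslpp -l "$FDDI_COMMON" 2>&1)" "$FDDI_COMMON")
    case $state in
        COMMITTED|APPLIED) echo "$FDDI_COMMON already installed ($state)" ;;
        *) mount -r -v cdrfs /dev/cd0 /mnt &&
               install_fileset /mnt/new "$FDDI_COMMON"
           umount /mnt ;;
    esac
    install_fileset /dev/fd0 "$FDDI_DRIVER" | tee /tmp/fddi_install.log
    summary_ok "$(cat /tmp/fddi_install.log)" ||
        { echo "driver install did not report SUCCESS" >&2; exit 1; }
    cmd=$(fddi_config_cmd "$@") || exit 1
    echo "reboot, then run: $cmd"
}
```

The parsing functions take the command output as text rather than calling lslpp and installp themselves, so the success criteria can be exercised on a workstation without AIX; main shows how they chain on the server.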
3 Troubleshooting and diagnostics

This chapter offers solutions to common problems that can arise when you use the Network Server with an Apple PCI FDDI card. Try the suggestions in the order given until your problem is resolved. The chapter also explains how to use the FDDI diagnostic programs and how to get help or support if you cannot resolve the problem.

Troubleshooting

AIX does not start.
1. Check that the computer is plugged in and switched on.
2. Check that the card you just installed is seated correctly in its slot.
3. Try installing the card in a different PCI slot.
4. Remove the card and check whether the system starts and runs normally.
5. Try installing another card that you know is in working order.
If the problem is not resolved, see "Troubleshooting and support" later in this chapter.

A network application no longer works.
If the application worked before the card was installed, there is probably a hardware incompatibility. See "Troubleshooting and support" later in this chapter.

The Network Server's card cannot connect to the ring or communicate with other hosts on the network.
1. Check that the card is seated correctly in the bus expansion slot.
2. Check that both cables are properly connected and that Ports A and B are connected to the correct ports on the neighbouring nodes.
3. Use a utility such as ping to test whether the Network Server can communicate on the network.
4. Install the card in another PCI slot and try again.
5. Try installing another card that you know is in working order.
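Checks 2 and 3 above in scripted form, as an added example that is not part of this manual: before swapping slots or cards, read what the running system already reports about the interface. The functions parse the output of ifconfig fi0 for the UP flag and of netstat -in for the address and the Ierrs/Oerrs counters, and ring_check strings them together with a ping of the gateway. Non-zero error counters on the FDDI interface point at the physical layer (cabling, connectors, port pairing, seating) rather than at IP configuration, which is why they are worth reading first. The sample outputs are constructed; the interface name fi0, the 4352-byte MTU and the flag values are assumptions about an AIX FDDI interface, and ping -c is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the manual): scripted version of troubleshooting
# checks 2 and 3 for the Apple PCI FDDI card. Sample outputs in the tests
# are constructed; fi0 and the MTU/flag values are assumptions.

# iface_up TEXT: 0 if the ifconfig output carries the UP flag
iface_up() {
    printf '%s\n' "$1" | awk -F'[<>]' '
        /flags=/ {
            n = split($2, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "UP") ok = 1
        }
        END { exit !ok }'
}

# iface_counters TEXT IFACE
# From `netstat -in` output, prints "ADDRESS IPKTS IERRS OPKTS OERRS" for
# the interface's IP row (the row whose Network column is not link#N).
iface_counters() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == ifc && $3 !~ /^link#/ { print $4, $5, $6, $7, $8; exit }'
}

# iface_clean TEXT IFACE: 0 if the interface has an IP row and no input or
# output errors were counted; 2 if the interface has no IP address at all.
iface_clean() {
    set -- $(iface_counters "$1" "$2")
    [ -n "$1" ] || return 2
    [ "$3" -eq 0 ] && [ "$5" -eq 0 ]
}

# ring_check [IFACE] GATEWAY: the sequence to run on the server as root.
# Each line names the check and, on failure, where to look next.
ring_check() {
    ifc=${1:-fi0}; gw=$2
    if iface_up "$(ifconfig "$ifc" 2>&1)"; then
        echo "$ifc: UP"
    else
        echo "$ifc: not UP (check seating, cabling, A/B port pairing)"
    fi
    case $(iface_clean "$(netstat -in)" "$ifc"; echo $?) in
        0) echo "$ifc: no input/output errors" ;;
        2) echo "$ifc: no IP address configured (rerun smitty tcpip)" ;;
        *) echo "$ifc: errors counted, see netstat -in and the FDDI diagnostics" ;;
    esac
    if ping -c 3 "$gw" >/dev/null 2>&1; then
        echo "gateway $gw reachable"
    else
        echo "gateway $gw unreachable"
    fi
}
```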
If the problem is not resolved, see "Troubleshooting and support" later in this chapter.

Using the FDDI diagnostic programs

A number of diagnostic programs were installed along with the FDDI device driver. To run them, use SMIT or SMITTY to start the AIX diagnostics utility. Detailed information on AIX diagnostics and the AIX diagnostics utility is available through InfoExplorer. Chapter 5 of Using AIX, AppleTalk Services, and Mac OS Utilities on the Network Server explains how to access and use InfoExplorer.

Troubleshooting and support

Telephone numbers and other information useful for resolving problems with your Apple PCI FDDI card are in the documentation shipped with your Network Server.

Appendix: Technical specifications of the Apple PCI FDDI card

Host bus interface: PCI Revision 2.0
Network interface: ANSI X3T9.5 for FDDI at 100 Mbps
Host data transfer: 32-bit bus-master DMA, up to 132 Mbps
IEEE compliance: IEEE P1386 adapter card specification
Physical: 5511; occupies one full short PCI card slot
Power: +5 V DC ±5 % at 2.10 A (maximum)
Driver: AIX version 4.1.4.1
Environment: operating temperature 0 °C to 55 °C; relative humidity 10 to 90 %, non-condensing; altitude from sea level to 4500 m; storage temperature -20 °C to 70 °C
Network connections: dual-mode fiber (62.5/125): ST or SC Duplex

German section: Installing and Configuring the Apple PCI Dual-Attached FDDI Card

Contents
Preface C5
1 Installing the card and connecting to the network C7
  Opening the Apple Network Server component drawer C8
  Unpacking the card C11
  Installing the card C12
  Making the network connection C16
2 Installing and configuring the driver software C19
  Installing the FDDI standard software C19
  Installing the FDDI AIX device driver C22
  Configuring the FDDI network interface C24
3 Troubleshooting and diagnostics C27
  Troubleshooting C28
  Using the FDDI diagnostic routines C29
  Technical support C29
Appendix Technical data C31

Preface

The Apple PCI (Peripheral Component Interconnect) Dual-Attached FDDI card is a single-slot adapter for the FDDI (Fiber Distributed Data Interface) protocol. It occupies one slot, runs at 100 megabits per second (Mbps), and is designed for installation in the Apple Network Server. The card and its driver provide services at layers 0 and 1 of the ISO/OSI reference model and operate under the TCP/IP protocol in accordance with the ANSI X3T9.5 specifications for FDDI.

IMPORTANT You must install AIX 4.1.4.1 to use the FDDI card. Follow the instructions supplied with the AIX 4.1.4.1 update for the Apple Network Server.

The Apple PCI Dual-Attached FDDI card has the following features:
- compatibility with the PCI Local Bus, version 2.1
- FDDI Station Management (SMT) integrated on the card
- 32-bit PCI DMA (Direct Memory Access) master with no wait states
- burst DMA rate of up to 132 Mbps
- PCI commands for efficient use of cache memory
- support for optical fiber media
- dual-attachment support for direct connection to ring networks
- 128 KB of local buffer memory
- Motorola MC68840 FDDI chip set
All of these features are available as soon as the card is installed in the Apple Network Server; no further configuration steps are required.

About this manual

This manual is intended for Apple Network Server administrators. It assumes that you are familiar with the Apple Network Server hardware.
(See the manual Setting Up the Apple Network Server, which is in the accessory box of your Apple Network Server.) You should also know and be able to use the main functions of the AIX operating system. The manual Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server, also shipped with your server, contains an introduction and basic information. The complete AIX documentation is available through the InfoExplorer program; chapter 5 of Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server explains how to use InfoExplorer.

Further information

Many books on FDDI and the FDDI token-passing method are available from bookshops. In addition, the FDDI Consortium at the University of New Hampshire offers excellent information and training. You can find this on the Internet at the following address: http://www.iol.unh.edu/consortiums/fddi/fddi_consortium.html

1 Installing the card and connecting to the network

This chapter contains detailed instructions for installing the Apple PCI Dual-Attached FDDI card in the Apple Network Server. Read the notes on installing PCI cards in Setting Up the Apple Network Server before you continue with these instructions. Follow all recommendations and instructions on handling and installing the card conscientiously so that neither the card nor the computer is damaged during installation.

Opening the Apple Network Server component drawer

To install the card, simply open the component drawer by carrying out the following steps:
1 Switch off the Apple Network Server and disconnect the power cord and all other cables.
See Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server if you need detailed instructions on shutting the Apple Network Server down correctly.
2 Put on a grounding wrist strap. A grounding strap is recommended to avoid damage to the card or the computer from electrostatic discharge.
3 Turn the key on the rear of the server to the vertical (unlocked) position.
4 Loosen the captive screws on the rear panel of the component drawer.
5 Using the handles, pull the component drawer completely out of the computer housing.
6 Remove the cover of the expansion slot you want to use. Set the screw aside; you will need it later to secure the card. Keep the cover in a safe place so that it is at hand if you remove the card again later.

Unpacking the card

Your Apple PCI Dual-Attached FDDI card is shipped with a floppy disk and this manual.
1 Remove the packaging material from the card. Keep the packaging material and the box in case you ever remove the card for storage or return it for service.
2 Carefully take the card out of its antistatic bag. Check the card for visible damage from shipping. If you find any, contact your Apple-authorized dealer immediately.

Installing the card

The cable connectors on the Apple PCI Dual-Attached FDDI card are somewhat larger than those of other PCI cards.
To install the card in the Apple Network Server you therefore proceed slightly differently from the procedure described in Setting Up the Apple Network Server. Install the FDDI card as follows (the printed manual illustrates each step):
1. Support the component drawer with one hand. Take care not to push the card guide through the slot opening accidentally while inserting the card.
2. Insert the smaller part of the edge connector first, then rotate the card slightly to pass the connectors through the opening and seat the card guide correctly.
3. Seat the card by pressing on the card guide and the top edge of the card as shown in the illustration.
4. Press firmly on the card edge once more so that the card sits tightly in the slot connector and the connection is made correctly.
5. Secure the card in the slot by reinserting and tightening the screw you removed earlier.
After installing the card, slide the component drawer back into the computer and retighten the captive screws. Turn the key to the horizontal (locked) position and reconnect all the cables you disconnected. Do not switch the computer on yet; wait until you have connected the card to the network.

Making the network connection

For a single attachment of the Apple PCI Dual-Attached FDDI card you need one SC Duplex fiber-optic cable; for a dual attachment you need two cables. Note that each cable has two connectors (see the illustration).
These cables are not supplied with the card but are available in many lengths from computer dealers. Connect each cable to Port A or Port B of the FDDI card, following the cable manufacturer's instructions (if any).
Looking at the rear of the computer, Port A is on the left. See the illustration in the printed manual to connect the cables correctly (its caption: align these keys with the keys on the cable connector).

IMPORTANT Do not connect the Apple Network Server to the next network node without first consulting your network administrator. Where and how your server must be integrated into the network, and what effect installing a new node has on the rest of the network, depend on your network.

2 Installing and configuring the driver software

To communicate with the FDDI network you must install and configure the FDDI driver software. This chapter explains how to proceed.

IMPORTANT You need AIX version 4.1.4.1 or a later version to use the FDDI card. If your Apple Network Server is not running AIX 4.1.4.1, update your software before installing the FDDI software. Follow the instructions supplied with your FDDI card to update AIX to version 4.1.4.1 correctly.

Installing the FDDI standard software

After installing AIX version 4.1.4.1 (or later) on your Apple Network Server, you must install an FDDI standard software package before installing the FDDI device driver. How you proceed depends on whether you have the AIX Installation CD-ROM or the Software Update CD-ROM.
AIX Installation CD-ROM, version 4.1.4.1 (or later)

Proceed as follows to install the software from the AIX Installation CD-ROM:
1 Enter the following command: lslpp -l devices.mca.8ef4.com
In most cases a message reports that the software is not yet installed; continue with step 2. If a message reports that the software is already present, skip to the section "Installing the FDDI AIX device driver".
2 Insert the AIX Installation CD-ROM in the CD-ROM drive.
3 At the AIX prompt, enter the following command and press Return: smitty devinst
The menu for installing additional driver software appears.
4 Press F4. A pop-up menu lists the devices from which you can install.
5 Select the appropriate CD device from the list and press Return. An expanded menu appears.
6 Select "Software to install" and enter: devices.mca.8ef4.com
7 Press Return. A dialog asks you to confirm your selection. Press Return to start the installation or F3 to cancel.
When the installation is complete, continue with the section "Installing the FDDI AIX device driver".

Software Update CD-ROM

Proceed as follows to install the software from the Software Update CD-ROM:
1 Enter the following command: lslpp -l devices.mca.8ef4.com
In most cases a message reports that the software is not yet installed; continue with step 2.
If a message reports that the software is already present, skip to the section "Installing the FDDI AIX device driver".
2 Insert the Network Server Software Update Kit CD-ROM in the CD-ROM drive.
3 Enter the following command and press Return to mount the CD: mount -r -v cdrfs /dev/cd0 /mnt
4 At the AIX prompt, enter the following command and press Return: smitty devinst
The menu for installing additional driver software appears.
5 Select "INPUT device/directory for software" and enter: /mnt/new
6 Select "SOFTWARE to install" and enter: devices.mca.8ef4.com
7 Press Return. A dialog asks you to confirm the installation. Press Return to begin the installation or F3 (or ESC-3) to cancel it.
8 Enter the following command to unmount the CD: umount /mnt
When the installation is complete, continue with the section "Installing the FDDI AIX device driver".

Installing the FDDI AIX device driver

The device driver software is on the installation floppy disk. Following the instructions below, you can install it with either the X Window version of the System Management Interface Tool (SMIT) or the command-line version of the program (SMITTY). The examples shown here use SMITTY; the steps are the same for both versions.
Note: you must be logged in as root to perform the installation.
1 Insert the installation floppy disk.
2 At the AIX prompt, enter the following command and press Return: smitty devinst
The install menu appears.
3 In the "INPUT device" field, enter: /dev/fd0
4 Press Return to display the configuration options.
5 Enter devices.pci.7e100300 in the "SOFTWARE to install" field. If an FDDI driver is already installed and you want to proceed with this installation, enter Yes in the "OVERWRITE same or newer versions" field. A dialog asks you to confirm your selection.
6 Press Return again to start the installation. Messages on the screen describe the installation process. The installation is complete when you see the following message:

    Installation Summary
    --------
    Name                        Level    Part  Event  Result
    devices.pci.7e100300.rte    2.1.0.0  USR   APPLY  SUCCESS
    devices.pci.7e100300.diag   2.1.0.0  USR   APPLY  SUCCESS

7 Press F10 to quit SMITTY, then restart the Apple Network Server.

Configuring the FDDI network interface

You need the following information to configure the network interface for the FDDI card:
- a name and an IP address for each FDDI card installed in the Apple Network Server
- the network mask
- the name of the appropriate domain name server and its IP address
- the IP address of the router or gateway the Apple Network Server uses for network access
Contact your network administrator if you do not yet have this information. As when installing the device driver, you can configure the card with either SMIT or SMITTY.
The following instructions use SMITTY.
1 At the AIX prompt, enter the following command and press Return: smitty tcpip
The TCP/IP configuration screen appears.
2 Select "Minimum Configuration & Startup" and press Return. The "Available Network Interfaces" screen appears.
3 Select "fi0" and press Return. The "Minimum Configuration & Startup" screen appears.
4 Fill in or change the fields of the "Minimum Configuration & Startup" screen as required: enter the name and IP address assigned to the FDDI card, the network mask, the IP address and name of the appropriate domain name server, and the IP address of the router or gateway the Apple Network Server uses for network access. If you install more than one FDDI card in your server, each card needs its own unique IP address and you must repeat these steps for each one.
5 Press Return.
6 Press F10 to quit SMITTY, then restart the Apple Network Server.

3 Troubleshooting and diagnostics

This chapter suggests solutions for some problems that can occur when you use the Apple Network Server with an Apple PCI Dual-Attached FDDI card. Work through the suggestions in the order given to resolve the fault. The chapter also gives notes on the FDDI diagnostics and tells you where to get help if you cannot solve a problem with your Apple Network Server or the FDDI card yourself.

Troubleshooting

AIX does not start.
1. Check that the system is correctly connected to the mains and switched on.
2. Check that the card you just installed is seated correctly in the slot.
3. Try to resolve the problem by installing the card in a different PCI slot.
4. Remove the card from the server and check whether the system then starts and works normally.
5. Try installing another card that you know works properly.
If the fault persists, see "Technical support" at the end of this chapter.

A network program no longer works.
If the program worked correctly before the card was installed, a hardware fault is likely. See "Technical support" at the end of this chapter.

The Apple Network Server card cannot connect to the ring or communicate with other hosts on the network.
1. Check that the card you just installed is seated correctly in the slot.
2. Make sure that both cables are properly connected and that Ports A and B are connected to the correct ports on the neighbouring nodes.
3. Use a utility such as ping to check whether the Apple Network Server can communicate on the network.
4. Install the card in a different PCI slot and try again.
5. Try installing another card that you know works properly.
If the fault persists, see "Technical support" at the end of this chapter.

Using the FDDI diagnostic routines

Numerous diagnostic routines were installed with the FDDI device driver software.
To run these routines, use either SMIT or SMITTY to open the AIX diagnostics program. Detailed information on AIX diagnostics and the AIX diagnostics program is available through InfoExplorer. Chapter 5 of Using AIX, AppleTalk Services, and Mac OS Utilities on the Apple Network Server explains how to access and work with InfoExplorer.

Technical support

If you cannot resolve problems with your Apple PCI Dual-Attached FDDI card yourself, see the service and support documents shipped with your Apple Network Server. They contain telephone numbers for immediate help and other important support information.

Appendix: Specifications of the Apple PCI Dual-Attached FDDI card

Host bus interface: PCI Revision 2.0
Network interface: ANSI X3T9.5 for FDDI at 100 Mbps
Host data transfer: 32-bit bus-master DMA, transfers up to 132 Mbps
IEEE compliance: IEEE P1386 adapter card specification
Slot: 5511, occupies one full PCI slot for short cards
Power: +5 V DC ±5 % at 2.10 A (maximum)
Software driver: AIX version 4.1.4.1
Operating environment: temperature 0 °C to 55 °C; relative humidity 10 to 90 %, non-condensing; altitude 0 to about
4600 m (ohne Druckausgleich) Lagerung: -20 °C bis 70 °C Netzwerkverbindungen Dual Mode Fiber (62.5/125): ST oder SC Duplex Anhang Technische Daten Installing and Configuring the Apple PCI Dual-Attached FDDI Card Installation et configuration de la carte PCI FDDI Apple Installieren und Konfigurieren der Apple PCI Dual-Attached FDDI KarteK Installing and Configuring the Apple PCI Dual-Attached FDDI Card Installation et configuration de la carte PCI FDDI Apple Installieren und Konfigurieren der Apple PCI Dual-Attached FDDI Karte© 1997 Apple Computer, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Apple. Your rights to the software are governed by the accompanying software license agreement. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors. Apple Computer, Inc. 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 http://www.apple.com Apple, the Apple logo, and Mac are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Adobe, Acrobat, Adobe Illustrator, Adobe Photoshop, and PostScript are trademarks of Adobe Systems Incorporated or its subsidiaries and may be registered in certain jurisdictions. AIX is a registered trademark of IBM Corp., registered in the U.S. and other countries, and is being used under license. Helvetica and Times are registered trademarks of Linotype-Hell AG and/or its subsidiaries. Simultaneously published in the United States and Canada. 
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

General Contents
Installing and Configuring the Apple PCI Dual-Attached FDDI Card / A1
Installation et configuration de la carte PCI FDDI Apple / B1
Installieren und Konfigurieren der Apple PCI Dual-Attached FDDI Karte / C1

Communications regulation information

FCC statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Radio frequency interference statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15, Subpart B of the FCC Rules. This equipment generates, uses, and can radiate radio frequency energy. If not installed and used in accordance with the instructions, it may cause interference to radio communications. The limits are designed to provide reasonable protection against such interference in a residential situation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment on and off, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna of the affected radio or television.
- Increase the separation between the equipment and the affected receiver.
- Connect the equipment and the affected receiver to power outlets on separate circuits.
- Consult the radio/TV dealer or an experienced radio/TV technician for help.
Modifications
Changes or modifications not expressly approved by Interphase Corporation could void the user's authority to operate the equipment.

Shielded cables
Shielded cable must be used with this equipment to maintain compliance with FCC Regulations.

Installing Your Software

The following information is intended to get you up and running with Aperture as quickly as possible, and covers these topics:
- About the Aperture installation disc
- Upgrading Mac OS X
- Installing Aperture
- Registering Aperture
- About the Aperture sample projects
- About onscreen help
- Contacting AppleCare Support
Also review the Before You Install Aperture document on the Aperture installation disc. For the latest information about Aperture, go to the Aperture website at http://www.apple.com/fr/aperture.

About the Aperture installation disc
The Aperture 1.5 installation disc contains the following:
- Before You Install Aperture: this document details the system requirements and what you need to do before installing Aperture and the content that accompanies it.
- Aperture Installer: double-click the Aperture Installer icon to start the installation process.
- Documentation folder: this folder contains the Installing Your Software document (as a PDF) and the Aperture User Manual. Open the Aperture User Manual to find additional PDF documentation about Aperture, including the Image Adjustments, Getting Started with Aperture and Aperture Quick Reference documents.
- Sample Projects folder: this folder contains sample images to view in Aperture, together with a short document describing the sample projects.
Note: the installation disc contains the files required to install Aperture 1.5 on both PowerPC-based and Intel-based Macintosh computers. The installation process is the same for both types of computer.

Upgrading Mac OS X
Before installing Aperture, update your system software to make sure you have the latest version of Mac OS X on your computer.
Important: you must purchase Mac OS X 10.4 Tiger or later if you are upgrading from Mac OS X 10.3 Panther or earlier.
To update Mac OS X v10.4 to the latest available version:
1. Choose Apple menu > Software Update. A dialog appears listing the new or updated software that applies to your computer.
2. Follow the onscreen instructions to update Mac OS X to the latest version.

Installing Aperture
When you install Aperture, the application is placed in the Applications folder of the disk you specify, usually your startup disk. By default, the Aperture Installer installs the Aperture application itself on your hard disk, along with its documentation and a sample project to help you start using the tools Aperture provides for managing, processing and publishing your photos.
Note: before you can install Aperture, you must log in to your computer with the credentials of an administrator account. For more information, see Mac Help.
To install Aperture and enter the serial number:
1. Insert the Aperture installation disc into your computer's DVD drive.
2. Double-click the Aperture Installer icon, then follow the onscreen instructions.
3. Read the welcome text in the Introduction, then click Continue.
4. Read the Software License Agreement. You can print or save it by clicking Print or Save. After reading it, click Continue, then, if you agree to the terms of the agreement, click Agree.
5. Select the startup disk, then click Continue. Your startup disk must have the latest version of Mac OS X v10.4.
Warning: if the system does not meet the requirements, Aperture cannot be installed. See the Before You Install Aperture document on the installation disc for details of these requirements.
6. In the User Information pane, enter your first and last name. Entering your organization name is optional.
7. In the Serial Number field, enter the Aperture serial number exactly as it appears on the label affixed to the front cover of this document, then click Continue.
Tips for entering your serial number correctly:
- Make sure the serial number you are copying is the original one on the front cover of this document.
- Make sure you enter the software serial number and not the support ID number.
- Check that you type zeros rather than the letter O, and the digit one rather than the lowercase letter L, wherever your number contains those digits.
- Do not omit the hyphens in the serial number.
- Do not add any spaces before or after the number.
8. Check that the serial number is typed correctly.
9. Click Install to perform a standard installation of Aperture. To customize your installation, click Customize, select the installation options you want, then click Install.
10. A dialog appears asking you to authenticate with an administrator name and password. Click OK when you have finished.
Note: after three failed attempts to enter the serial number, the Aperture Installer quits. To restart the installation, return to step 2.
The installer displays a progress bar showing how the installation is proceeding.
(Figure callouts for the User Information pane: enter your name (required); enter your organization name (optional); enter your serial number, including the hyphens (required).)
11. When the installation has finished, click Close.
Once the software is installed, you can start using Aperture.

Registering Aperture
The first time you open Aperture, you are asked to provide product registration information. By default, the details from your personal card in Address Book are entered in the appropriate fields.
To register Aperture as a user other than the one on your Address Book personal card:
1. Fill in the Name, Address, Organization and Email fields.
2. If you want to receive news and software update information from Apple at your email account, select the checkbox.
3. To read the Apple Privacy Policy, click Privacy.
4. When you have finished, click Register. Aperture is now registered.
Note: if you click Register Later, you are reminded to register Aperture every fifth time you open the application.

About the Aperture sample projects
Aperture includes several sample projects containing high-resolution images. When you open Aperture for the first time, a dialog asks whether you want to install a sample project. Further sample projects are available in the Sample Projects folder on the Aperture installation disc; you can import these projects into Aperture from the installation disc at any time after installing the application.

About onscreen help
Onscreen help, available from the Help menu, lets you view information while you work in Aperture. The Help menu also provides links to PDF copies of the Aperture documents and to the Aperture product and support websites.
For the latest information about Aperture, including support documentation not available from the Aperture Help menu, go to the Aperture support website in either of the following ways:
- In Aperture, choose Help > Aperture Support.
- Go to http://www.apple.com/fr/support/aperture.

Aperture User Manual
This document contains conceptual, reference and task-based information about Aperture.
To access the Aperture User Manual: in Aperture, choose Help > Aperture User Manual.

Image Adjustments
This document gives detailed instructions for using the adjustment features and tools in Aperture.
To access the Image Adjustments document: in Aperture, choose Help > Image Adjustments.

Late-Breaking News
This document contains information about issues with third-party hardware and software, and about other known issues.
Note: you must be connected to the Internet to access this document.
To access the Late-Breaking News document: in Aperture, choose Help > Late-Breaking News.

New Features
This document lists the features introduced in Aperture since Aperture 1.1.
Note: you must be connected to the Internet to access this document.
To access the New Features document: in Aperture, choose Help > New Features.

Getting Started
This document explains how to import images, rate them, apply keywords, search for them, and export and print them, all from within Aperture. It is the PDF version of the printed manual Getting Started with Aperture.
To access the Getting Started document: in Aperture, choose Help > Getting Started.

Quick Reference
This document lists the keyboard shortcuts for the various tasks in Aperture. It is the PDF version of the printed Aperture Quick Reference card.
To access the Quick Reference document: in Aperture, choose Help > Quick Reference.

Digital Photography Fundamentals
This document provides basic information about how digital cameras work, how digital photos look on screen and in print, and how digital cameras measure image resolution.
To access the Digital Photography Fundamentals document: in Aperture, choose Help > Digital Photography Fundamentals.

Ordering Books and Prints
This document provides the information and the steps required to order professional-quality books of your images through the Apple print service.
Note: you must be connected to the Internet to access this document.
To access the Ordering Books and Prints document: in Aperture, choose Help > Ordering Books and Prints.

Create Support Profile
In some support cases, AppleCare may need information about your computer and your Aperture configuration. The Create Support Profile command generates a file containing the required information, which you send to AppleCare by email. Because the file describes your computer's configuration, do not use this feature unless an AppleCare representative asks you to.
To create a support profile: in Aperture, choose Help > Create Support Profile.

Contacting AppleCare Support
Information about the support options available to you is included in your Aperture package. Several levels of support are available. Whatever your problem, it is a good idea to have the following information at hand if you need to contact Apple for help. The more information you can give the support agents, the faster they can resolve your problem or direct you to the right place.
Keep the following in mind:
- Your Aperture support ID number (on the front cover of this document; note that this eleven-digit support number is different from the product serial number used to install Aperture).
- The version of Mac OS X installed (to find the Mac OS X version, choose Apple menu > About This Mac).
- The version of Aperture you have a question about (to find the version of Aperture installed on your computer, choose Aperture > About Aperture).
- The model of computer you are using.
- The amount of RAM installed in your computer (to find the amount of RAM, choose Apple menu > About This Mac).
- Any third-party hardware connected to or installed in your computer, and the names of the manufacturers (this includes hard disks, graphics cards, and so on).
AppleCare Support is available online at http://www.apple.com/fr/support. You will find specific information about Aperture support by clicking the Aperture link.
To go to the Aperture support website from within Aperture: choose Help > Aperture Support.

© 2006 Apple Computer, Inc. All rights reserved. Apple, the Apple logo, Mac, Macintosh, Mac OS and Panther are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Aperture and Tiger are trademarks of Apple Computer Inc. AppleCare is a service mark of Apple Computer Inc., registered in the U.S. and other countries. Intel and Intel Core are trademarks of Intel Corp. in the U.S. and other countries. PowerPC and the PowerPC logo are trademarks of International Business Machines Corporation, used under license.
Mac OS X Server
User Management
For Version 10.4 or Later

Apple Computer, Inc.
© 2005 Apple Computer, Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use the software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid-for support services.
Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc. is not responsible for printing or clerical errors.
Apple, 1 Infinite Loop, Cupertino, CA 95014-2084, 408-996-1010, www.apple.com
Use of the "keyboard" Apple logo (Option-1) for commercial purposes may constitute trademark infringement and/or unfair competition.
Apple, the Apple logo, AirPort, AppleShare, AppleTalk, FireWire, iBook, Keychain, LaserWriter, Mac, Mac OS, Macintosh, PowerBook and QuickTime are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Extensions Manager, Finder and SuperDrive are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other product names are trademarks of their respective owners. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
F019-0170/03-24-05

Contents

Preface  13  About This Guide
13  What's New in Version 10.4
14  What's in This Guide
15  Using Onscreen Help
16  The Mac OS X Server Suite
17  Getting Additional Information
17  If You're New to Server and Network Management
18  If You're an Experienced Server Administrator

Chapter 1  19  User Management Overview
19  Tools for User Management
19  Workgroup Manager
22  Server Admin
23  NetBoot
24  Network Install
24  Accounts
25  Administrator Accounts
26  Users and Managed Users
26  Guest Users
27  Groups, Primary Groups, and Workgroups
28  Computer Lists
28  User Experience
29  Authentication
31  Identity Validation
31  Controlling Access to Information

Chapter 2  33  Getting Started With User Management
33  Setup Overview
40  Planning Strategies for User Management
40  Analyzing Your Environment
40  Identifying Directory Services Needs
41  Determining Server and Storage Requirements
42  Using Client Management
42  Using Mobile Accounts
42  Portable Home Directories
42  Devising a Home Directory Strategy
43  Identifying Groups
43  Determining Administrator Requirements
44  Using Workgroup Manager
44  Using Pre-10.4 Computers From 10.4 Servers
45  Opening and Authenticating in Workgroup Manager
46  Major Workgroup Manager Tasks
47  Listing and Finding Accounts
47  Working With Account Lists in Workgroup Manager
48  Listing Accounts in the Local Directory Domain
48  Listing Accounts in Search Path Directory Domains
49  Listing Accounts in Available Directory Domains
49  Refreshing Account Lists
50  Finding Specific Accounts in a List
50  Sorting User and Group Lists
51  Using the Search Button in the Toolbar
52  Shortcuts for Working With Accounts
52  Batch Editing
52  Using Presets
53  Importing and Exporting Account Information
53  Backing Up and Restoring User Management Data
53  Backing Up and Restoring Directory Services Files
53  Backing Up Root and Administrator User Accounts

Chapter 3  55  User Management for Mobile Clients
55  Configuring Mobile Clients
55  Configuring Portable Computers
56  Using Mobile Accounts
57  Creating a Mobile Account
57  Deleting a Mobile Account
58  Using Mobile Accounts as a User
58  Portable Home Directories
59  Considerations for Assigning Content to Synchronize
60  Managing Mobile Clients
60  Unknown Mac OS X Portable Computers
60  Mac OS X Portable Computers for Multiple Local Users
61  Mac OS X Portable Computers for One Primary Local User
62  Using Wireless Services
62  Security Considerations for Mobile Clients
62  Directory Services
63  FileVault for Mobile Clients
63  Security Considerations for Using Portable Home Directories
63  Data Loss and Recovery Considerations

Chapter 4  65  Setting Up User Accounts
65  About User Accounts
65  Where User Accounts Are Stored
66  Predefined User Accounts
67  Administering User Accounts
67  Creating Mac OS X Server User Accounts
68  Creating Read/Write LDAPv3 User Accounts
68  Editing User Account Information
69  Editing Multiple Users Simultaneously
69  Editing Accounts in an Open Directory Master
70  Working With Read-Only User Accounts
71  Defining a Guest User
71  Deleting a User Account
72  Disabling a User Account
72  Using Presets for User Accounts
72  Creating a Preset for User Accounts
73  Using Presets to Create Accounts
73  Renaming Presets
74  Editing Presets
74  Deleting Presets
74  Working With Basic Settings for Users
74  Defining User Long Names
75  Defining User Short Names
77  Choosing Stable Short Names
77  Avoiding Duplicate Names
79  Avoiding Duplicate Short Names
81  Defining User IDs
82  Defining Passwords
82  Setting Password Options for Imported Users
82  Assigning Administrator Rights for a Server
83  Assigning Administrator Rights for a Directory Domain
84  GUIDs
84  Working With Advanced Settings for Users
84  Defining Login Settings
86  Defining a Password Type
86  Creating a Master List of Keywords
87  Applying Keywords to User Accounts
87  Editing Comments
88  Working With Group Settings for Users
88  Defining a User's Primary Group
89  Adding a User to Groups
90  Removing a User From a Group
90  Reviewing a User's Group Memberships
91  Working With Home Directory Settings for Users
91  Working With Mail Settings for Users
91  Disabling a User's Mail Service
92  Enabling Mail Service Account Options
93  Forwarding a User's Mail
93  Working With Print Settings for Users
94  Disabling a User's Access to Print Queues That Enforce Quotas
94  Enabling a User's Access to Print Queues That Enforce Quotas
95  Deleting a User's Print Quota for a Specific Queue
95  Resetting a User's Print Quota
96  Working With Info Settings for Users
97  Choosing Settings for Windows Users

Chapter 5  99  Setting Up Group Accounts
99  About Group Accounts
99  Administering Group Accounts
99  Where Group Accounts Are Stored
100  Predefined Group Accounts
101  Creating Mac OS X Server Group Accounts
101  Creating Read/Write LDAPv3 Group Accounts
102  Creating a Preset for Group Accounts
102  Editing Group Account Information
103  Creating Nested Groups
104  Upgrading Legacy Groups
104  Working With Read-Only Group Accounts
105  Working With Member Settings for Groups
105  Adding Users to a Group
106  Removing Users From a Group
106  Naming a Group
107  Defining a Group ID
108  Working With Group Folder Settings
108  The No Group Folder Option
109  Creating a Group Folder in an Existing Share Point
110  Creating a Group Folder in a New Share Point
112  Creating a Group Folder in a Subfolder of an Existing Share Point
114  Designating a Group Folder for Use by Multiple Groups
114  Deleting Group Accounts

Chapter 6  115  Setting Up Computer Lists
115  About Computer Lists
116  Special-Purpose Computer Lists
116  Creating a Computer List
118  Creating a Preset for Computer Lists
119  Using a Computer List Preset
119  Adding Computers to an Existing Computer List
120  Editing Information About a Computer
120  Moving a Computer to a Different Computer List
121  Deleting Computers From a Computer List
121  Deleting a Computer List
122  Searching for Computer Lists
122  Managing Guest Computers
124  Working With Access Settings
124  Restricting Access to Computers
125  Making Computers Available to All Users
125  Using Local User Accounts

Chapter 7  127  Setting Up Home Directories
127  About Home Directories
128  Avoid Spaces and Very Long Names in Network Home Directory Paths
129  Distributing Home Directories Across Multiple Servers
130  Specifying No Home Directory
131  Creating a Home Directory for a Local User on a Server
133  Creating a Network Home Directory
134  Creating a Custom Home Directory
137  Setting Up an Automountable AFP Share Point for Home Directories
138  Setting Up an Automountable NFS or SMB Share Point for Home Directories
140  Setting Disk Quotas
141  Setting Default Home Directories Using Presets
141  Moving Home Directories
141  Deleting Home Directories

Chapter 8  143  Client Management Overview
144  Using Network-Visible Resources
145  Defining Preferences
146  The Power of Preferences
147  Levels of Control
150  Degrees of Permanence
151  Setting Up the Login Environment
152  Who Can Log In?
153  Caching Preferences
153  Helping Users Find Applications
154  Helping Users Find Group Folders
154  Network Install and Startup
155  Day-to-Day Client Administration

Chapter 9  157  Managing Preferences
157  How Workgroup Manager Works With Mac OS X Preferences
158  Managing Preferences
159  About the Preferences Cache
159  Regular Updates to the Managed Preferences Cache
160  Updating the Preferences Cache Manually
161  Managing User Preferences
161  Managing Group Preferences
162  Managing Computer Preferences
163  Editing Preferences for Multiple Records
163  Disabling Management for Specific Preferences
164  Managing Access to Applications
164  Creating a List of Accessible Applications for Users
165  Preventing Users From Accessing Applications on Local Volumes
166  Managing Access to Utilities
167  Controlling the Operation of UNIX Tools
167  Managing Classic Preferences
168  Selecting Classic Startup Options
169  Choosing a Classic System Folder
170  Allowing Special Actions During Startup
170  Controlling Access to Apple Menu Items in Classic
171  Adjusting Classic Sleep Settings
172  Maintaining Consistent User Preferences for Classic
173  Managing Dock Preferences
173  Controlling the User's Dock
174  Providing Easy Access to Group Folders
175  Adding Items to a User's Dock
175  Preventing Users From Adding or Removing Dock Items
176  Managing Energy Saver Preferences
176  Using Sleep and Wake Settings for Desktop Computers
178  Using Energy Saver Settings for Portable Computers
179  Displaying Battery Status for Users
180  Scheduling Automatic Startup, Shutdown, or Sleep
181  Managing Finder Preferences
181  Setting Up Simple Finder
182  Hiding Disks and Servers on the User's Desktop
183  Controlling the Behavior of Finder Windows
183  Hiding the Alert Message When a User Empties the Trash
184  Showing Filename Extensions
184  Controlling User Access to Remote Servers
185  Controlling User Access to an iDisk
185  Preventing Users From Ejecting Disks
186  Hiding the Burn Disc Command in the Finder
186  Controlling User Access to Folders
187  Removing the Restart and Shut Down Commands From the Apple Menu
187  Adjusting the Appearance and Arrangement of Desktop Items
188  Adjusting the Appearance of Finder Window Contents
189  Managing Internet Preferences
189  Setting Email Preferences
190  Setting Web Browser Preferences
191  Managing Login Preferences
191  Specifying How a User Logs In
192  Opening Items Automatically After a User Logs In
194  Providing Access to a User's Network Home Directory
194  Providing Easy Access to the Group Share Point
195  Preventing Restart or Shutdown at Login
196  Using Hints to Help Users Remember Passwords
197  Enabling Multiple Simultaneous Users on a Client Computer
197  Enabling Automatic Logout for Inactive Users
198  Login and Logout Scripts
199  Managing Media Access Preferences
199  Controlling Access to CDs, DVDs, and Recordable Discs
200  Controlling Access to Hard Disks and Disks
201  Ejecting Items Automatically When a User Logs Out
201  Managing Mobility Preferences
201  Managing Network Preferences
201  Configuring Proxy Servers by Port
202  Managing Printing Preferences
202  Making Printers Available to Users
203  Preventing Users From Modifying the Printer List
204  Restricting Access to Printers Connected to a Computer
204  Setting a Default Printer
205  Restricting Access to Printers
205  Managing Software Update Preferences
206  Managing Access to System Preferences
207  Managing Universal Access Preferences
207  Adjusting Display Settings for the User
208  Enabling a Visual Alert
209  Adjusting Keyboard Responsiveness
210  Adjusting Mouse and Pointer Responsiveness
211  Enabling Universal Access Shortcuts
211  Allowing Assistive Devices for Users With Special Needs
212  Using the Preference Editor With Preference Manifests
213  Adding a Managed Preference by Importing It From an Application
213  Editing an Application's Preference Values
214  Deleting Preference Values Using the Preference Editor

Chapter 10  215  Managing Network Views
216  Types of Managed Network Views
216  Creating a Managed Network View
217  Editing Managed Network Views
219  Defining Neighborhoods for Managed Network Views
219  Adding Neighborhoods to Managed Network Views
220  Removing Neighborhoods From Managed Network Views
220  Defining Computers for Managed Network Views
220  Displaying Computers in Managed Network Views
222  Removing Computers From
réseau gérées 222 Définition de listes dynamiques pour présentations de réseau gérées 223 Ajout de listes dynamiques à des présentations de réseau gérées 224 Suppression de listes dynamiques de présentations de réseau gérées 224 Définition de l’utilisation des présentations de réseau gérées par des ordinateurs clients 224 Comment un ordinateur trouve-t-il ses présentations de réseau gérées 225 Activation de la visibilité des présentations de réseau gérées 226 Désactivation de la visibilité des présentations de réseau gérées 228 Définition de la fréquence de rafraîchissement d’une présentation de réseau gérée 228 Définition du comportement du Finder avec des présentations de réseau gérées Chapitre 11 229 Résolution des problèmes 229 Aide en ligne et site Web d’assistance et de service Apple 229 Résolution des problèmes liés aux comptes 229 Vous ne parvenez pas à modifier un compte à l’aide du Gestionnaire de groupe de travail 230 Vous ne voyez pas certains utilisateurs dans la fenêtre de connexion 230 Vous ne parvenez pas à déverrouiller un répertoire LDAP 231 Vous ne pouvez pas modifier le mot de passe Open Directory d’un utilisateur F0170.book Page 10 Monday, May 2, 2005 12:37 PMTable des matières 11 231 Vous ne pouvez pas changer le type de mot de passe d’un utilisateur en Open Directory 231 Vous ne parvenez pas à attribuer des autorisations d’administrateur de serveur 232 Les utilisateurs ne parviennent pas à se connecter ni à être authentifiés 233 Les utilisateurs dépendant d’un Serveur de mots de passe ne parviennent pas à se connecter 233 Les utilisateurs ne peuvent pas se connecter à l’aide de comptes dans un domaine de répertoire partagé 234 Les utilisateurs ne peuvent pas accéder à leur répertoire de départ 234 Certains utilisateurs ne peuvent pas changer leur mot de passe 234 Un utilisateur Mac OS X d’un domaine NetInfo partagé ne parvient pas à se connecter 234 Les utilisateurs ne peuvent pas s’authentifier à l’aide de la signature unique ou de Kerberos 
235 Résolution des problèmes de gestion des préférences 236 Vous ne parvenez pas à appliquer les réglages Web par défaut 236 Vous ne parvenez pas à appliquer les réglages de courrier par défaut 236 Les utilisateurs ne voient pas de liste de groupes de travail lors de la connexion 236 Les utilisateurs ne parviennent pas à ouvrir des fichiers 237 Les utilisateurs ne parviennent pas à ajouter des imprimantes à la liste d’imprimantes 237 Les éléments d’ouverture ajoutés par un utilisateur ne s’ouvrent pas 238 Les éléments du Dock placés par un utilisateur sont manquants 238 Le Dock d’un utilisateur comporte des éléments en double 238 Un point d’interrogation apparaît dans le Dock des utilisateurs 239 Un message d’erreur inattendue est affiché à l’intention des utilisateurs Annexe A 241 Importation et exportation d’informations de compte 241 Quels sont les éléments que l’on peut exporter et importer 243 Utilisation du Gestionnaire de groupe de travail pour importer des utilisateurs et des groupes 244 Utilisation du Gestionnaire de groupe de travail pour exporter des utilisateurs et des groupes 245 Utilisation de dsimport pour importer des utilisateurs et des groupes 245 Utilisation de fichiers XML créés avec Mac OS X Server 10.1 ou antérieur 246 Utilisation de fichiers XML créés avec AppleShare IP 6.3 247 Utilisation de fichiers délimités par des caractères 247 Écriture d’une description d’enregistrement Annexe B 251 Autorisations de liste ACL et adhésions de groupe via GUID 251 Rôle des GUID 252 Les listes de contrôle d’accès ACL complètent les autorisations POSIX 252 Identifiants GUID et groupes F0170.book Page 11 Monday, May 2, 2005 12:37 PM12 Table des matières 253 Autorisations et synchronisation de fichiers 253 Interopérabilité des identifiants de sécurité SID et de Windows 253 Importation et exportation d’utilisateurs Glossaire 255 Index 267 F0170.book Page 12 Monday, May 2, 2005 12:37 PM 13 Préface À propos de ce guide Ce guide vous explique comment utiliser le 
Gestionnaire de groupe de travail pour configurer et gérer les répertoires de départ, les comptes, les préférences et les réglages de vos clients. Nouveautés de la version 10.4 • Répertoires de départ portables. Les utilisateurs équipés d’ordinateurs portables peuvent désormais bénéficier de versions synchronisées de leurs dossiers de répertoire de départ local et en réseau. Les répertoires de départ portables synchronisent le contenu sélectionné entre le répertoire de départ local et le répertoire de départ réseau, en prenant en compte la version la plus récente des fichiers. • Liaison de répertoire sécurisée. Les utilisateurs équipés d’ordinateurs portables peuvent utiliser la liaison sécurisée afin de s’assurer que les services auxquels ils accèdent lors de leurs déplacements sont sûrs. Une liaison approuvée offre à un ordinateur client un moyen de s’authentifier auprès d’un serveur LDAP et au serveur LDAP un moyen de s’authentifier auprès du client. Pour en savoir plus, consultez le chapitre 3, “Gestion des utilisateurs pour des clients mobiles” à la page 55. • Présentations de réseau gérées. Il est désormais possible de contrôler ce que les utilisateurs voient lorsqu’ils sélectionnent l’icône Réseau dans la barre latérale d’une fenêtre du Finder (ou choisissent Aller > Réseau). Une présentation de réseau gérée est constituée d’un ou plusieurs voisinages réseau, qui apparaissent dans le Finder sous forme de dossiers. Chaque dossier contient une liste de ressources que l’administrateur du serveur a associé au dossier. Les vues réseau gérées offrent un moyen efficace de présenter les ressources réseau. Vous pouvez créer plusieurs vues pour différents ordinateurs client. Étant donné que les présentations sont stockées avec Open Directory, le voisinage réseau d’un ordinateur est automatiquement disponible lorsqu’un utilisateur ouvre une session. Pour en savoir plus, consultez le chapitre 10, “Gestion des présentations de réseau” à la page 215. 
• Preference manifests and preference editor. If you want fine-grained control over preference settings, you can use the new preference editor in Workgroup Manager, which uses preference manifests where they exist. Preference manifests are files that describe the structure and values of an application's or utility's preferences. The preference editor can create or edit any PLIST (preference) file; it includes preference manifests that precisely describe the preference settings that customize the behavior of applications and utilities. For more information, see "Using the Preference Editor with Preference Manifests" on page 212.
• User information. You can enter and edit personal data for each user, including address, phone numbers, iChat names, and web page URL. The Address Book application can access this information. For more information, see "Using Info Settings for Users" on page 96.
What's in this guide

This guide is organized as follows:
• Chapter 1, "User Management Overview," presents important concepts, introduces the user management tools, and tells you where to find more information about user management and related topics.
• Chapter 2, "Getting Started with User Management," describes how to use features and shortcuts for maximum efficiency when setting up and maintaining accounts and managed preferences.
• Chapter 3, "Managing Users for Mobile Clients," presents what to consider when managing portable computers.
• Chapters 4, 5, and 6 describe how to use Workgroup Manager to set up users, groups, and computer lists.
• Chapter 7, "Setting Up Home Directories," covers creating home directories.
• Chapter 8, "Client Management Overview," introduces client management tools and concepts, such as customizing a user's work environment and access to network resources.
• Chapter 9, "Managing Preferences," explains how to use Workgroup Manager to control preference settings for users, groups, and computers running Mac OS X.
• Chapter 10, "Managing Network Views," explains how to create network views in Workgroup Manager to customize each computer's browsing environment and control the contents of the Network folder in that computer's Finder.
• Chapter 11, "Troubleshooting," helps you solve problems with account creation, home directory maintenance, preference management, or client configuration, as well as problems experienced by your managed clients.
• Appendix A, "Importing and Exporting Account Information," provides information useful for transferring account information to or from an external file.
• Appendix B, "ACL Permissions and Group Membership via GUID," describes a user identifier available since version 10.4.
• The glossary defines the terms used in this guide.

Note: Because Apple periodically releases new versions and updates of its software, the illustrations in this document may differ from what you see on screen.

Using onscreen help

If you want to work with accounts, change preference settings, set up new home directories, or perform other day-to-day administration tasks, you'll find detailed instructions in Workgroup Manager's onscreen help. Although all of these administration tasks are also described in this guide, it is sometimes more convenient to consult them on screen while you're using the server.

On a computer running Mac OS X Server, you can access onscreen help after opening Workgroup Manager or Server Admin. From the Help menu, choose one of these options:
• Workgroup Manager Help or Server Admin Help displays information about the application.
• Mac OS X Server Help displays the main server help page, from which you can search for information about the server.
• Documentation takes you to www.apple.com/fr/server/documentation, from which you can download the server documentation.

You can also access onscreen help from the Finder or other applications on a server or an administrator computer.
An administrator computer is a Mac OS X computer with the server administration software installed. Use the Help menu to open Help Viewer, then choose Library > Mac OS X Server Help.

To view the latest help topics, make sure the server or administrator computer is connected to the Internet while you're using Help Viewer. Help Viewer automatically retrieves and caches the latest help topics about the server from the Internet. When you aren't connected to the Internet, Help Viewer displays the cached help topics.

The Mac OS X Server suite

The Mac OS X Server documentation includes a set of guides that describe the services offered and give instructions for setting up, managing, and troubleshooting them. All the guides are available in PDF format at: www.apple.com/fr/server/documentation/

This guide ... explains how to:
• Mac OS X Server Getting Started for Version 10.4 or Later: install Mac OS X Server and set it up for the first time.
• Mac OS X Server Upgrading and Migrating to Version 10.4 or Later: use data and service settings currently in use on earlier versions of the server.
• Mac OS X Server User Management for Version 10.4 or Later: create and manage users, groups, and computer lists; set up managed preferences for Mac OS X clients.
• Mac OS X Server File Services Administration for Version 10.4 or Later: share selected server volumes or folders among server clients using the following protocols: AFP, NFS, FTP, and SMB/CIFS.
• Mac OS X Server Print Service Administration for Version 10.4 or Later: host shared printers and manage the associated print queues and jobs.
• Mac OS X Server System Image and Software Update Administration for Version 10.4 or Later: use NetBoot and Network Install to create disk images from which Macintosh computers can start up over the network; set up a software update server for updating client computers over the network.
• Mac OS X Server Mail Service Administration for Version 10.4 or Later: install, set up, and administer mail services on the server.
• Mac OS X Server Web Technologies Administration for Version 10.4 or Later: set up and manage a web server, including WebDAV, WebMail, and web modules.
• Mac OS X Server Network Services Administration for Version 10.4 or Later: install, set up, and administer DHCP, DNS, VPN, NTP, IP firewall, and NAT services on the server.
• Mac OS X Server Open Directory Administration for Version 10.4 or Later: manage directory and authentication services.
• Mac OS X Server QuickTime Streaming Server Administration for Version 10.4 or Later: set up and manage QuickTime streaming services.
• Mac OS X Server Windows Services Administration for Version 10.4 or Later: set up and manage services such as PDC, BDC, file, and print for Windows computer users.
• Mac OS X Server Migrating from Windows NT for Version 10.4 or Later: move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.
• Mac OS X Server Java Application Server Administration for Version 10.4 or Later: set up and administer a JBoss application server on Mac OS X Server.
• Mac OS X Server Command-Line Administration for Version 10.4 or Later: use commands and configuration files to perform server administration tasks from the UNIX command shell.
• Mac OS X Server Collaboration Services Administration for Version 10.4 or Later: set up and manage Weblog, iChat, and other services that facilitate interactions among users.
• Mac OS X Server High Availability Administration for Version 10.4 or Later: manage IP failover, link aggregation, load balancing, and other hardware and software configurations to ensure high availability of Mac OS X Server services.
• Mac OS X Server Xgrid Administration for Version 10.4 or Later: manage Xserve computational clusters using the Xgrid application.
• Mac OS X Server Glossary: Includes Terminology for Mac OS X Server, Xserve, Xserve RAID, and Xsan: interpret the terms used for server and storage products.

Getting more information

The following resource may be useful regardless of your experience as a network administrator:
Apple Customer Training — instructor-led and self-paced courses for developing your server administration skills. train.apple.com/

If you're new to server and network management

For more information, consult the following resources:
Mac OS X Server website — gateway to detailed information about products and technologies. www.apple.com/fr/macosx/server/
AppleCare Service & Support — access hundreds of articles from Apple's support organization. www.apple.com/fr/support/
Apple Discussions — a way to share questions, knowledge, and advice with other administrators. discussions.info.apple.com/
Reference documents — publications such as the titles below. These books provide background information, explanations of basic concepts, and ideas for getting the most out of your network:
• Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books Worldwide, 1998).
• Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).

If you're an experienced server administrator

For more information, consult the following resources:
Read Me documents — important updates and specific information. Look for them on the server discs.
Mac OS X Server website — gateway to detailed information about products and technologies. www.apple.com/fr/macosx/server/
AppleCare Service & Support — access hundreds of articles from Apple's support organization. www.apple.com/fr/support/
Apple Discussions — a way to share questions, knowledge, and advice with other administrators. discussions.info.apple.com/
Apple Mailing Lists directory — subscribe to mailing lists so you can communicate by email with other administrators. www.lists.apple.com/
Reference documents — many publications are available from online resources such as: www.ora.com
For more information about Apache, visit www.apache.org/.

Chapter 1: User Management Overview

This chapter introduces important user management concepts and describes the applications you'll use to manage accounts and permissions.
User management covers a range of tasks, from setting up accounts for network access and creating home directories to managing user, group, and computer list preferences and settings. Mac OS X Server provides the tools to carry out all of these tasks.

User management tools

The main user management tools and applications in Mac OS X Server are Workgroup Manager, Server Admin, NetBoot, and Network Install.

Workgroup Manager

Workgroup Manager is a powerful tool that offers a full range of features for managing Macintosh clients. You can use Workgroup Manager directly on the server, or install it independently of the Mac OS X Server software on a non-server client computer.

Workgroup Manager gives network administrators a centralized way to manage Mac OS X workstations, control access to software and removable disks, and give users a consistent, personalized experience, whether they're beginning students in a classroom or experienced users in a business.

Workgroup Manager lets you create user accounts and set up groups to provide easy access to resources. You can add and configure computer lists to allow or deny users or groups access to particular computers or printers. You can manage user settings for email, printing, and home folders.
Workgroup Manager helps you set up and manage share points. You can also use account settings and managed preferences for more or less flexibility, depending on the level of administrative control you want.

When Workgroup Manager is used together with other Mac OS X Server services, you can:
• connect users to each other using services such as mail, file sharing, iChat, and Weblog;
• share system resources, such as printers and computers, optimizing their availability as users move around and making sure disk space and printer usage are shared fairly;
• customize the work environments of network users, such as desktop resources and personal files.

Preference management

You can use Mac OS X Server's Workgroup Manager to tailor the work environments of Mac OS X clients. Preferences you define for individual users and groups provide a consistent desktop, application, and network environment regardless of which Macintosh computer they log in from. Preferences defined for computer lists give users the same experience on every computer in the list.

To learn more about client management tools and concepts, read Chapter 8, "Client Management Overview."

Home directories

A home directory is a folder used to store a user's files and preferences. Other users can see a user's home directory and read files in its Public folder, but by default they can't access anything else in that directory.
This applies only to users whose home folders are on the same server or share point. When you create a user in a network directory domain, you must specify the location of the user's home directory on the network. This location is stored in the user account and used by various services, including the login window and Mac OS X managed client services.

The portable home directory feature lets you synchronize a mobile user's local home folder and network home folder automatically (or on demand). You can also control synchronization through managed preferences. For more information about mobile accounts, read Chapter 3, "Managing Users for Mobile Clients."

Mail settings

To create a user's Mac OS X Server mail service account, configure the mail settings in the user's account. To use the email account, the user simply sets up a mail client with the mail settings you specify.

Mail account settings let you control a user's access to mail services running on a particular Mac OS X Server computer. You can also manage account characteristics, such as how automatic notification of incoming messages is handled, for mail accounts residing on servers running versions of Mac OS X earlier than 10.3. For details about Mac OS X mail service settings, see the mail service administration guide.

Resource usage

Disk, print, and mail quotas can be stored in a user account.
Mail and disk quotas limit the number of megabytes available for a user's mail and files. Print quotas limit the number of pages a user can print using Mac OS X Server print services. Print quotas can also be used to disable a user's access to the print service entirely. A user's print settings work together with the print server settings described in the print service administration guide.

Server Admin

The Server Admin application provides access to various tools and services that play a role in managing the server, which has a direct impact on user management. Once you've installed the Mac OS X Server software, configured directory services, and set up your network, you can start creating and managing accounts with Workgroup Manager. After setting up accounts and home directories, you can use Server Admin to configure additional services and provide mail service, host websites, or share printers. Once the server is configured, you can then use Workgroup Manager to create share points and allow users to share folders and files.

For more information about using the Server Admin tools, refer to the documents listed in the table below.
To ... learn about ... in the document:
• assign access permissions to folders and files on a share point: Workgroup Manager; Mac OS X Server File Services Administration for Version 10.4 or Later
• share printers among users: the print service; Mac OS X Server Print Service Administration for Version 10.4 or Later
• set up websites or WebDAV on the server: the web service; Mac OS X Server Web Technologies Administration for Version 10.4 or Later
• provide email services to users: the mail service; Mac OS X Server Mail Service Administration for Version 10.4 or Later
• stream media in real time from the server: the QuickTime streaming service; Mac OS X Server QuickTime Streaming Server Administration for Version 10.4 or Later
• provide identical operating system and application folders to client computers: Server Admin; Mac OS X Server System Image and Software Update Administration for Version 10.4 or Later
• install applications across a network: Network Install; Mac OS X Server System Image and Software Update Administration for Version 10.4 or Later
• share information among several Mac OS X Server or Mac OS X computers: directory services; Mac OS X Server Open Directory Administration for Version 10.4 or Later

NetBoot

With NetBoot, Mac OS 9 and Mac OS X computers can start up from a network-based system disk image, which makes it quick and easy to set up services, classrooms, and individual systems, as well as web and application servers, across a network.
When you update NetBoot images, every computer that uses NetBoot immediately has access to the new configuration. Macintosh clients can start up from a system disk image located on Mac OS X Server instead of from the client computer's hard disk. You can set up several NetBoot disk images and so start clients in Mac OS 9 or Mac OS X, or even customize Macintosh environments for different groups of clients. NetBoot can simplify administration and reduce the support normally associated with large-scale deployments of networked Macintosh systems. NetBoot is the ideal solution for organizations in which many client computers need to be configured identically; for example, it can be an ideal solution for a data center that needs several identically configured application and web servers. With NetBoot, administrators can configure and update client computers instantly, simply by updating a startup image stored on the server. Each image contains the operating system and application folders for all of the server's clients. Any changes made on the server are automatically reflected on the clients when they restart. Systems that have been damaged or otherwise altered can be restored instantly by simply restarting. There are several other NetBoot administration applications:
• NetBoot Desktop Admin (for modifying Mac OS 9 images)
• System Image Utility (for creating and modifying Mac OS X images)
• DHCP and NetBoot (used together to register NetBoot images)
To learn more about these tools, or about installing an operating system across a network, read the system image and software update administration guide.
Network Install

The Network Install application is a centralized network software installation service. With it you can automatically and selectively install, restore, or update networked Macintosh systems anywhere in an organization. Use PackageMaker (accessed through Xcode) to create Network Install packages. Installation images can contain the latest version of Mac OS X, a software update, custom or site-licensed applications, and configuration scripts.
• Network Install is the ideal solution for operating system migrations, installing software updates and custom software packages, restoring computer labs, and reimaging desktop or portable computers.
• Within an organization, you can define custom installation images for various departments: marketing, engineering, and sales, for example.
With Network Install there is no need to insert several CDs to set up a system. All the installation files and packages reside on the server and are installed on the client computer in one pass. Network Install also provides pre- and post-installation scripts that invoke actions before or after a software set or system image is installed. To learn more about using Network Install, read the system image and software update administration guide.

Accounts

You can set up three types of accounts with Workgroup Manager: user accounts, group accounts, and computer lists.
When you define a user account, you must provide the information needed to prove the user's identity: user name, password, and user identification number (user ID). Other user account information is required by several services to determine what the user is allowed to do and, optionally, to personalize the user's environment. In addition to the accounts you create, Mac OS X Server has predefined user accounts and group accounts, some of which are reserved for the Mac OS X system.

Administrator Accounts

Users with server or directory domain administration privileges are called administrators. An administrator can be a server administrator, a domain administrator, or both. Server administrator privileges determine whether the user is allowed to view information about a given server's settings or to change those settings. Domain administrator privileges determine to what extent the user is allowed to view or change the account settings of the users, groups, and computer lists in the directory domain.

Server Administration

Server administration privileges determine what a user can do when connected to a specific Mac OS X Server. For example:
• A server administrator can use Server Admin and change a server's search policy using Directory Access.
• A server administrator sees not only share points but all AFP directories on the server (from a computer other than the server).
When you assign server administration privileges to a user, that user is added to the predefined group called "admin" in the server's local directory domain. Many Mac OS X applications, such as Server Admin, Directory Access, and System Preferences, use the admin group to determine whether a given user may perform certain administrative operations with them. In the server's local directory, the user ID of the primary administrator (the admin user) is 501.

Administration of Local Mac OS X Computers

Anyone belonging to the "admin" group in the local directory domain of any Mac OS X computer has administration rights on that computer.

Directory Domain Administration

When you create a directory domain in Mac OS X Server, a domain administrator account is also created and added to the domain's admin group. The domain administrator's default user ID is 1000 when the account creation dialog appears; it is in this same dialog that you choose the name and password. The domain administrator account is also a server administrator account, but a server administrator is not a domain administrator by default. Each directory has its own independent domain administrator account, and a domain administrator can create additional administrators in the same domain. You can allow particular users to manage specific accounts.
For example, you can make a network administrator the administrator of all the servers in your classroom, but give each teacher the privileges to manage student accounts in specific directory domains. Any user who has a user account in a directory domain can be made a directory domain administrator (an administrator of that domain). You can control how far a directory domain administrator may change the account data stored in a domain. For example, you can configure directory domain privileges so that your network administrator can add and delete user accounts while other users can change the information of particular users. You can also designate several administrators to manage different groups. When you assign directory domain administration privileges to a user, that user is added to the admin group of the server on which the directory domain resides.

Users and Managed Users

Depending on how your server and user accounts are set up, users can log in from Mac OS 9, Mac OS X, Windows, or UNIX computers and be supported by Mac OS X Server. Most users have an individual account that is used to authenticate them and to control their access to services. If you want to personalize a user's environment, you define user, group, or computer preferences for that user. The term managed client or managed user refers to a user whose account-associated preferences are controlled by an administrator. The term managed client is also used for computer lists for which preferences have been defined.
When a managed user logs in, the preferences that take effect are a combination of the user's own preferences and the preferences configured for any workgroup or computer list the user belongs to. For information about managed users, see Chapter 9, "Managing Preferences," on page 157.

Guest Users

You may need to provide services to anonymous individuals who cannot be authenticated because they have no valid user name and password. These users are called guest users. Some services, such as AFP, let you specify whether guest users may access files. If you allow guest access, users who connect anonymously can access only files and folders whose permissions are set to Everyone. The guest user account is used when no matching user record is found during authentication.

Groups, Primary Groups, and Workgroups

A group is simply a collection of users with similar needs. For example, you can put all your English teachers in one group and give that group access permissions to certain files or folders on a volume. Groups simplify the administration of shared resources: instead of granting each user who needs them access to various resources individually, you add the users to a group and grant access to all users in that group. Group account information is used to help control users' access to directories and files.
See "Access by Other Users to Directories and Files" on page 32 for more about this. Groups can also be nested within other groups; that is, a group can be part of another group. A group that contains another group is called a "parent group"; the included group is called a "nested group." Nested groups allow access permissions and managed preferences to be inherited at login.

Group Folders

When you define a group, you can also specify a folder for storing files you want the group's members to share. The folder's location is recorded in the group account. You can give a particular user write permission for a group folder, or allow that user to change a group folder's attributes in the Finder.

Workgroups

A group for which you define preferences is called a workgroup. A workgroup lets you manage the working environment of the group's members. Any preference defined for a Mac OS X workgroup is stored in the group account. For a description of workgroup preferences, see Chapter 9, "Managing Preferences," on page 157.

Computer Lists

A computer list consists of one or more computers that have the same preference settings and are available to particular users and groups. You create and change computer lists in Workgroup Manager.
To learn more about setting up computer lists for Mac OS X client computers, see Chapter 6, "Setting Up Computer Lists." To specify preferences for Mac OS X computer lists, see Chapter 9, "Managing Preferences."

Guest Computers

Most computers on your network are listed in a named computer list. If an unknown computer (one that is not on any computer list) connects to your network and tries to access services, it must be treated as a guest computer. The settings chosen for the guest computer list apply to these unknown computers. A guest computer list is created automatically for a server's local directory domain. If the server is an Open Directory master or replica, a guest computer list is also created for its LDAP directory domain.

The User's View

Once you have created a user account, the user can access server resources according to the permissions you have granted. For most users, the usual flow of events from login to logout is as follows:
• Authentication: the user enters a name and password.
• Identity validation: the user name and password are checked by directory services.
• Login: the user is granted access to the server and to network resources.
• Access: the user connects to the authorized servers, share points, and applications in order to use them.
• Logout: the user's session is ended.
The details of the user experience vary with the type of user, the privileges granted, the type of client computer used (Windows or UNIX, for example), whether the user is a member of a group, and the level at which preference management is implemented (user, group, or computer). Information about the Mac OS X user experience is in Chapter 8, "Overview of Client Management." Basic information about authentication, password validation, and controlling access to information is given in the following sections. For detailed information on these topics, read the file services administration guide.

Authentication

Before a user can log in to or connect to a Mac OS X computer, the user must enter a name and password associated with a user account the computer can identify. A Mac OS X computer can locate user accounts stored in a directory domain in its search policy.
• A directory domain stores information about users and resources. It is similar to a database that a computer is configured to access in order to retrieve configuration information.
• A search policy is a list of directory domains the computer searches when it needs configuration information, starting with the local directory domain on the user's computer.
The Open Directory administration guide describes the various types of directory domains and explains how to configure search policies on any Mac OS X computer.
It also details the various authentication methods and gives instructions for configuring user authentication options. The following illustration shows a user logging in to a Mac OS X computer that can locate that user's account in a directory domain in its search policy.

[Figure: Logging in to Mac OS X; directory domains in the search policy]

After logging in, the user can connect to a remote Mac OS X computer if the user's account can be located in that remote computer's search policy. If Mac OS X locates a user account containing the name the user entered, it attempts to validate the password associated with the account. If the password is validated, the user is authenticated and the login process is complete. Once logged in to the Mac OS X computer, the user can access all the resources defined in the directories in the computer's search path, including home directories, printers, and share points. A share point is a hard disk (or hard disk partition), a CD-ROM, or a folder that contains the files you want to share among users. Users can access their home directory by clicking their home folder in a Finder window or by choosing Home from the Finder's Go menu. A user does not, however, have to log in to a server to access network resources. For example, when a user connects to a Mac OS X computer, the user can access the files on that computer for which he or she has access permission, even though the file system first prompts for a user name and password.
When a user accesses a server's public resources without having logged in to the server, it is the search policy of the user's computer that applies, not that of the computer the user has connected to.

[Figure: Connecting to Mac OS X Server; directory domains in the search policy]

Identity Validation

When authenticating a user, Mac OS X first locates the user's account, then uses the password strategy designated in that account to validate the password. Open Directory offers several options for validating a user's password. For detailed information about the password validation options, read the Open Directory administration guide.

Controlling Access to Information

These are the permissions you can specify for each directory (folder) or file on a Mac OS X computer:
• the file's owner;
• the file's group;
• everyone else.
Mac OS X uses one particular piece of user account data, the user ID, to track access permissions for directories and files.

[Figure: User account. The password can be validated against the value stored in the user account or in the Open Directory authentication database. It can also be validated by another authentication authority: a Kerberos key distribution center, an LDAP bind, or Open Directory authentication.]

[Figure: MyDoc. Owner 127: read and write; Group 2017: read only; Others: none]

Owner Access to Directories and Files

When a directory or file is created, the file system stores the user ID of the user who created it. If a user with that user ID accesses the directory or file, he or she has read and write permissions for the item by default. In addition, every process started by the creator has read and write permissions for all files associated with the creator's user ID. If you change a user's user ID, that user may no longer be able to change, or even access, the files and directories he or she created. Likewise, if the user logs in with a user ID different from the one used to create the files and directories, the user no longer has owner access permissions to them.

Access by Other Users to Directories and Files

The user ID, in combination with a group ID, is also used to control access by users who are members of particular groups or of parent groups. Every user belongs to a primary group. A user's primary group ID is recorded in the user's account. When a user accesses a directory or file he or she does not own, the file system checks the file's group permissions.
• If the user's primary group ID matches the ID of the group associated with the file, the user inherits the group's access permissions.
• If the user's primary group ID does not match the file's group ID, Mac OS X looks up the group account that holds the access permissions. The group account contains a list of the short names of the users who are members of the group. The file system maps each short name in the group account to a user ID and, if the user's ID matches the ID of a group member, the user gets the group's access permissions for the file or directory.
• If the user's primary group ID (or the ID of a parent group) matches the ID of the group associated with the file (or of a parent group), the user inherits the group access permissions.
• In all other cases, the user's access defaults to the generic "everyone/world" permissions.

Globally Unique Identifiers (GUIDs)

Available since Mac OS X 10.4, the universal identifier called the globally unique identifier (GUID) gives a user or group an identity for ACL permissions. The GUID also associates a user with group and nested group memberships. Information about GUIDs and their implications is in Appendix B.

2 Introduction to User Management

This chapter provides information about setting up a user management environment. It contains general planning guidelines, as well as tips for using Workgroup Manager, the main user management tool:
• A setup overview is provided next.
• Planning user management strategies is described starting on page 40.
• Instructions for using Workgroup Manager are described starting on page 44.
• Instructions for listing and finding accounts in Workgroup Manager are described starting on page 47.
• Shortcuts for working with accounts are described starting on page 52.
• Backing up and restoring user management files is described starting on page 53.

Setup Overview

This section gives an overview of the user management setup tasks, to help you understand the order in which an administrator should build a managed environment. Not every step described will be necessary in every case:
• Step 1: Plan before you begin
• Step 2: Set up the server infrastructure
• Step 3: Set up an administrator computer
• Step 4: Set up a home directory share point
• Step 5: Create user accounts and home directories
• Step 6: Set up client computers
• Step 7: Define user account preferences
• Step 8: Create group accounts and group folders
• Step 9: Define group account preferences
• Step 10: Define computer lists and preferences
• Step 11: Plan for ongoing account maintenance

Step 1: Plan before you begin

Analyze your users' needs to determine the appropriate directory service configuration and home directory configuration. See "Planning Strategies for User Management" on page 40.
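The access check described in Chapter 1 under "Access by Other Users to Directories and Files" (owner UID, then primary group ID, then group membership with short names mapped to UIDs and nested groups included, then the everyone permissions), as an added runnable model: this is example code written for this page, not Apple's implementation, and every user, group and the MyDoc file are constructed sample data. It also reproduces the guide's caveat that changing a user's UID loses owner access.

```python
"""Model of the Mac OS X directory/file access check: owner UID, then
primary group ID, then group membership (short names mapped to UIDs,
nested groups included), then the "everyone" permissions.
Added example for this page, not Apple's code; every account and file
below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class User:
    short_name: str
    uid: int
    primary_gid: int


@dataclass
class Group:
    gid: int
    members: set = field(default_factory=set)  # member short names, as in a group account
    nested: set = field(default_factory=set)   # gids of groups nested in this one


@dataclass
class Item:
    """A file or directory with owner/group/everyone permission strings."""
    name: str
    owner_uid: int
    gid: int
    owner: str      # e.g. "rw"
    group: str      # e.g. "r"
    everyone: str   # e.g. "" (no access)


class DirectoryDomain:
    def __init__(self, users, groups):
        self.users = {u.short_name: u for u in users}
        self.groups = {g.gid: g for g in groups}

    def expand(self, gid, seen=None):
        """UIDs and GIDs reachable from a parent group: its members' UIDs
        (short name -> UID) plus, recursively, those of each nested group."""
        seen = set() if seen is None else seen
        if gid in seen or gid not in self.groups:
            return set(), set()
        seen.add(gid)
        grp = self.groups[gid]
        uids = {self.users[n].uid for n in grp.members if n in self.users}
        gids = {gid}
        for child in grp.nested:
            child_uids, child_gids = self.expand(child, seen)
            uids |= child_uids
            gids |= child_gids
        return uids, gids

    def effective(self, user, item):
        """Return (permissions, rule) for user on item, applying the checks
        in the order the guide describes."""
        if user.uid == item.owner_uid:
            return item.owner, "owner uid"
        if user.primary_gid == item.gid:
            return item.group, "primary gid"
        uids, gids = self.expand(item.gid)
        if user.uid in uids:
            return item.group, "group member"
        if user.primary_gid in gids:
            return item.group, "primary group nested in file group"
        return item.everyone, "everyone"


def sample_domain():
    """Constructed sample data: an 'english' group (gid 2017) with a nested
    'english-ta' group (gid 3001), and the MyDoc file from the guide's
    figure (owner 127 read/write, group 2017 read only, others none)."""
    users = [
        User("alice", 127, 2017),   # owner of MyDoc
        User("bob", 1002, 20),      # listed by short name in group 2017
        User("carol", 1003, 3001),  # primary group is nested in 2017
        User("dave", 1004, 20),     # no relation to MyDoc
    ]
    groups = [Group(2017, members={"bob"}, nested={3001}), Group(3001)]
    mydoc = Item("MyDoc", owner_uid=127, gid=2017, owner="rw", group="r", everyone="")
    return DirectoryDomain(users, groups), mydoc


def report():
    """Effective permissions for each sample user, plus the guide's caveat:
    if alice's UID is changed (here to 501), she loses owner access and is
    left with the group's read-only permission."""
    domain, mydoc = sample_domain()
    result = {u.short_name: domain.effective(u, mydoc) for u in domain.users.values()}
    result["alice-after-uid-change"] = domain.effective(User("alice", 501, 2017), mydoc)
    return result


if __name__ == "__main__":
    for who, (perms, rule) in report().items():
        print(f"{who:24s} {perms or '-':3s} via {rule}")
```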
Step 2: Set up the server infrastructure

Make sure one or more Mac OS X Server computers are set up to host user accounts, group accounts, computer lists, home directories, group folders, and other shared folders. New servers ship with the Mac OS X Server software preinstalled. Use Server Assistant (located in /Applications/Server/) for initial server setup. If you need to install server software, first read the Getting Started guide to understand system requirements and installation options. Set up the server to host shared directory domains or to provide access to them. Shared directory domains (also called shared directories) contain the user, group, and computer information you want many computers to be able to access. Users whose accounts reside in a shared directory are called network users. There are various types of shared directories and various ways to use the information stored in them. You can use Workgroup Manager to add and change user and group accounts stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in other read/write directory domains. If you use LDAPv2, read-only LDAPv3, BSD configuration files, or other read-only directories, make sure they are set up to support access from Mac OS X Server and provide the data you need for user and group accounts. You may need to add, change, or reorganize information in a directory so that it is in the required format.
The Open Directory administration guide contains instructions for setting up a shared directory on Mac OS X Server or setting up access to a shared directory on another computer. One of the appendixes of the Open Directory administration guide describes the account data formats recognized by Mac OS X (useful if you need to use directories that do not reside on Mac OS X Server computers).

If some of your users use Windows computers, see the Windows services administration guide to learn how to set up the server for managing Windows users, groups, and computers. The Windows services administration guide describes, for example, how to set up user accounts in a Mac OS X Server directory domain so the server can provide file services, domain login, and home directories to Windows users. Open Directory offers several options for authenticating users (including Windows users) whose accounts are stored in directory domains on Mac OS X Server. Open Directory can also access accounts in existing directories on your network, such as Active Directory on a Windows server. See the Open Directory administration guide for setup instructions.

Mac OS X Server makes important resources visible on the network. These resources include network home directories, group folders, and other shared folders. Because these folders reside on the server, users can access them from different computers.
For information about setting up the file services appropriate to the file sharing you want to implement, see the file services administration guide. You can use AFP or NFS for home directories, AFP for group folders, and various protocols (AFP, Windows, NFS, and FTP) for other shared folders.

Step 3: Set up an administrator computer

Because servers are installed in a secure, locked location, administrators perform user management tasks remotely, from any Mac OS X computer running version 10.4 or later. We call this computer the administrator computer.
To set up an administrator computer:
1 Obtain a computer with Mac OS X 10.4 or later installed. Make sure it has at least 256 MB of RAM and 1 GB of available disk space.
2 Insert the Mac OS X Server Administration Tools disc and start the installer (ServerAdmin.pkg).
3 Follow the onscreen instructions.
4 If you need to manage preferences that use specific paths to locate files (such as the Classic and Dock preferences), make sure the administrator computer has the same file system structure as all managed client computers. In other words, folder names, disks, application locations, and so on should be identical.
To use the administrator computer to create and manage accounts in a shared directory, you must have a user account in the shared directory and you must be a domain administrator.
A domain administrator can use Workgroup Manager to add and change accounts that reside in the LDAP directory of an Open Directory master, in a NetInfo domain, or in another read/write directory domain.
To create a domain administrator account:
1 On the administrator computer, open Workgroup Manager and authenticate as the administrator created during initial server setup.
2 Access the shared directory by clicking the globe above the accounts list. Choose the directory you want. If you are not authenticated, click the lock.
3 Click New User.
4 Click Basic to provide basic information for the administrator.
5 To give the domain administrator additional responsibilities, such as setting up file services for managing shared folders, select "User can administer this domain." Once you select the checkbox, a dialog appears in which you can disable particular privileges for the administrator account. For more information, see "Assigning Administrator Rights for a Directory Domain" on page 83.
6 Click Save.
The remaining steps can be performed by the domain administrator from the administrator computer.

Step 4: Set up a home directory share point

Home directories for accounts stored in shared directories can reside in a network share point that the user's computer can access. The share point must be automountable; that is, there must be a network mount record in the directory domain where the user account resides.
An automountable share point ensures that the home directory is automatically visible in /Network/Servers when the user logs in to a Mac OS X computer configured to access the shared directory. It also lets other users reach the home directory using the ~home-directory-name shortcut.
You can set up network home directories to be accessible via AFP or NFS. You can also set up home directories for Windows users:
• For instructions on setting up AFP or NFS share points for network home directories for Macintosh users, see Chapter 7, "Setting Up Home Directories."
• For information about setting up SMB/CIFS share points for Windows user home directories, see the Windows services administration guide.

Step 5: Create user accounts and home directories
You can use Workgroup Manager to create user accounts in directories that reside on a Mac OS X Server computer and in non-LDAP directories that are not read-only. Detailed instructions appear in various places in this guide:
• For information about creating Mac OS X user accounts, see Chapter 4, "Setting Up User Accounts."
• For information about creating mobile Mac OS X user accounts, see Chapter 3, "User Management for Mobile Clients."
• For information about home directories, see Chapter 7, "Setting Up Home Directories."
• For information about working with read-only accounts, see "Working with read-only user accounts" on page 70.
You can also create accounts on Mac OS X Server to manage Windows users and provide Windows domain login, roaming user profiles, home directories, file service, mail service, and so on. For instructions, see the Windows services administration guide.

Step 6: Set up client computers
Mac OS X Server can manage users of Mac OS X, Mac OS 9, or Windows client computers.
For Mac OS X computers, configure the computer's search policy so that it can locate the shared directory domains. For instructions and additional information about search policies in onscreen help, see the Open Directory administration guide. Use the automatic authentication option if you have set up a DHCP server to identify the location of the shared directory when it supplies an IP address to Mac OS X client computers. Otherwise, use the Custom path option to identify the server hosting the shared directory.
For instructions on configuring mobile Mac OS X computers that use AirPort to communicate with Mac OS X Server, see the document Designing AirPort Extreme Networks (available at www.apple.com/fr/airport/).
Windows workstations used for Windows domain login must join the Mac OS X Server primary domain controller in the same way that workstations join a Windows NT server domain, as explained in the Windows services administration guide.
If you need to set up a large number of Macintosh client computers, Network Install lets you create a system image that automates client computer configuration. For options and instructions, see the system image and software update administration guide.

Step 7: Define user account preferences
The work environment of Macintosh users whose accounts reside in a shared domain is managed by defining user account preferences. For information about Mac OS X user preferences, see Chapter 8, "Client Management Overview," and Chapter 9, "Managing Preferences."

Step 8: Create group accounts and group folders
Use Workgroup Manager to create group accounts in directories that reside on a Mac OS X Server computer and in non-LDAP Open Directory domains that are not read-only. Detailed instructions appear in various places in this guide.
• For information about creating Mac OS X group accounts, see Chapter 5, "Setting Up Group Accounts." Although some group information does not apply to Windows users, you can add Windows users to the groups you create. Group account management procedures for Windows users are the same as for groups containing only Mac OS X users.
• For more information about working with read-only group accounts, see "Working with read-only group accounts" on page 104.
You can set up a group folder for use by the members of a group.
Use Workgroup Manager to define a share point for the group folder and associate the share point with the group. Create the group folder using the CreateGroupFolder command in the Terminal application. For instructions, see "Working with group folder settings" on page 108.
For Mac OS X users, use Dock or login preferences to make the group directory easy to locate. For Windows users, share the group folder share point via SMB/CIFS. Users can go to My Network Places (or Network Neighborhood) to access the contents of the group folder.

Step 9: Define group account preferences
You can manage the preferences of a group of Macintosh users. A group whose preferences are managed is called a workgroup. For information about Mac OS X workgroups, see Chapter 8, "Client Management Overview," and Chapter 9, "Managing Preferences."

Step 10: Define computer lists and preferences
Use computer lists to manage Macintosh or Windows client computers.
• For information about creating Mac OS X computer lists, see Chapter 6, "Setting Up Computer Lists." For information about computer list preferences, see Chapter 8, "Client Management Overview," and Chapter 9, "Managing Preferences."
• Any Windows computer managed by the Mac OS X Server primary domain controller must be on the Windows computer list. For details, see the Windows services administration guide.
Step 11: Perform account maintenance
You will need to update account information regularly as users come and go and as your servers' needs change:
• See the sections later in this chapter, starting with "Listing and finding accounts" on page 47, for information about locating existing accounts and shortcuts for maintaining them.
• The information in Chapter 3 through Chapter 6 will help you perform common tasks such as defining a guest account, disabling user accounts, adding and removing users in groups, and deleting accounts.
• For solutions to common problems, see Chapter 11, "Solving Problems."

Planning strategies for user management
Here are some of the planning activities to undertake before you begin implementing user management.
Analyzing your environment
Your user management settings must take into account the particulars of your environment, including:
• the size and distribution of your network;
• the number of users who will access your network;
• the type of computer users will use (Mac OS 9, Mac OS X, or Windows);
• how users will use the client computers;
• which computers are mobile computers;
• which users will need administrator privileges;
• which users will need access to specific computers;
• which services and resources users need (email, access to data storage);
• how to divide users into groups (for example, by job category or type);
• how to group sets of computers (for example, all the computers in a public lab).

Identifying directory service needs
Identify the directories in which you will store user accounts, group accounts, and computer lists.
• If you already have an Active Directory or LDAP server set up, you can take advantage of the existing account records. For details on accessing existing directories, see the Open Directory administration guide.
• If you have an earlier-version Apple server, you may be able to migrate existing records. See the migration guide for the available options.
• Set up an Open Directory master and replicas to host LDAP directories for storing other user accounts, group accounts, and computer lists on your network. For complete instructions and information about password handling options, see the Open Directory administration guide.
Note: If some domains are not finalized at the time you add user and group accounts, simply add the accounts to any directory domain that exists on your server. (You can use the local directory domain, which is always available.) You can later move users and groups to another directory domain using your server's export and import features, described in Appendix A, "Importing and Exporting Account Information."

Determining server and storage needs
These needs vary with the number of users and computers:
• For fewer than 450 users and fewer than 150 computers, a single server is sufficient for account management and authentication, home directories, and group folders. (Counting 1 GB of storage per user per disk module on an Xserve computer.) More storage can be provided by adding disk modules and/or RAID disks.
• For 450 to 1000 users and 150 to 450 computers, you need a server dedicated to account management and authentication. You need one home directory and group folder server per group of 150 computers. That server should have about 180 GB of storage. One of the servers should act as the Open Directory master and should also host core services such as DNS, DHCP, and web, depending on your needs. If you need more dedicated services, consider using servers dedicated to specific tasks such as QuickTime streaming. Group folders are often shared simultaneously among many computers.
Avoid having 150 to 300 computers simultaneously connected to the same group folder: create several workgroups and distribute the users among them.
• For more than 1000 users and more than 450 computers, you will need several servers for account management and authentication. For general replication guidelines, see the Open Directory administration guide. You also need one home directory and group folder server, with 180 GB of storage, per group of 150 simultaneously connected computers, if users have network home directories.
• Do not use more than 3 automountable share points per server. You may need to create fewer share points, with subfolders that divide users logically into sets of home directories.

Using client management
Use Macintosh client management if you want to:
• provide users with a consistent, controlled interface while letting them access their files from any computer;
• use mobile accounts;
• reserve certain resources for specific groups or individuals;
• secure the use of computers in key areas such as administrative offices, classrooms, or open labs.
Decide which users, groups, and computers you want to manage preferences for. For planning instructions, see Chapter 8, "Client Management Overview," on page 143 and Chapter 9, "Managing Preferences," on page 157.
Using mobile accounts
Mobile accounts are network accounts that have been configured to be accessible even when the user is not connected to the server on which the account resides. Mobile account users receive a local home directory on the system they log in to. This feature reduces network traffic and improves overall performance.
Decide whether mobile accounts can be useful to you before implementing them. Mobile accounts are well suited to users who carry their computer from place to place. They are also convenient for users who do not need permanent server access for their daily work. Using mobile accounts reduces network traffic by minimizing the need to mount network resources (such as network home directories). Mobile accounts are covered in Chapter 3, "User Management for Mobile Clients."

Portable home directories
A mobile account can be configured to use a Portable Home Directory (PHD). Portable home directories replicate files between local home directories and network home directories. That way, your content follows you everywhere and is always up to date. Administrators can choose the content to replicate on a per-user, per-group, or per-computer-list basis.

Developing a home directory strategy
Determine which users need home directories and identify the computers on which you want them to reside. To avoid degrading server performance, avoid using network home directories over network connections slower than 100 Mbps.
A user's network home directory need not be stored on the same server as the directory containing the user account. In fact, distributing directory domains and home directories across several servers can help you balance your network's workload. "Distributing Home Directories Across Multiple Servers" on page 129 describes several such scenarios. For example, you could store the home directories of users whose names begin with the letters A through F on one computer, those whose names begin with G through J on another computer, and so on. You can also store home directories on a Mac OS X Server computer but store user and group accounts on an Active Directory or LDAP server.
Portable home directories raise additional strategic considerations, notably designating which mobile users will have portable accounts. Additional restrictions to consider are described in "Portable home directories" on page 58.
Choose a strategy before creating users. You can move home directories later, but you may then need to change a large number of user records.
Determine the access protocol to use for home directories. Most of the time you will use AFP because it offers the greatest security. But you can also use NFS (useful for UNIX clients) and SMB/CIFS (for Windows clients).

Identifying groups
Identify users with similar needs and group them together. See Chapter 5, "Setting Up Group Accounts."
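As an added example, not taken from the Apple guide, the sizing rules under "Determining server and storage needs" and the alphabetical home-directory split described just above are turned into a small Python planner. The server names, share point names (Users1, Users2, ...) and user names are constructed, and the figure of two account servers for the largest tier is an assumption standing in for the guide's "several servers".

```python
"""Capacity planner for the chapter's sizing guidelines (added example, not Apple's code)."""
import math
from dataclasses import dataclass, field

# Thresholds stated in "Determining server and storage needs".
SINGLE_SERVER_MAX_USERS = 450         # fewer than 450 users ...
SINGLE_SERVER_MAX_COMPUTERS = 150     # ... and fewer than 150 computers: one server
MEDIUM_MAX_USERS = 1000
MEDIUM_MAX_COMPUTERS = 450
COMPUTERS_PER_HOME_SERVER = 150       # one home/group folder server per 150 computers
HOME_SERVER_STORAGE_GB = 180
STORAGE_PER_USER_GB = 1               # single-server rule of thumb
GROUP_FOLDER_CONCURRENCY_LIMIT = 150  # avoid 150-300 computers on one group folder
MAX_AUTOMOUNT_SHARE_POINTS = 3        # per server


@dataclass
class Plan:
    tier: str                 # "single", "medium" or "large"
    account_servers: int      # servers for account management and authentication
    home_servers: int         # dedicated home directory / group folder servers
    storage_gb: int           # total home directory storage implied by the rules
    warnings: list = field(default_factory=list)


def plan_servers(users: int, computers: int, largest_group_computers: int = 0) -> Plan:
    """Apply the chapter's sizing guidelines to a user/computer count."""
    if users < 0 or computers < 0:
        raise ValueError("counts must be non-negative")
    warnings = []
    if largest_group_computers >= GROUP_FOLDER_CONCURRENCY_LIMIT:
        warnings.append(f"{largest_group_computers} computers share one group folder; "
                        "split the users into several workgroups")

    if users < SINGLE_SERVER_MAX_USERS and computers < SINGLE_SERVER_MAX_COMPUTERS:
        # One server handles accounts, authentication, homes and group folders.
        return Plan("single", 1, 0, users * STORAGE_PER_USER_GB, warnings)

    home_servers = math.ceil(computers / COMPUTERS_PER_HOME_SERVER)
    storage_gb = home_servers * HOME_SERVER_STORAGE_GB
    if users <= MEDIUM_MAX_USERS and computers <= MEDIUM_MAX_COMPUTERS:
        # One dedicated account/authentication server (the Open Directory master).
        return Plan("medium", 1, home_servers, storage_gb, warnings)

    # Above 1000 users / 450 computers the guide calls for "several" account
    # servers (master plus replicas). Two is this example's assumed minimum.
    return Plan("large", 2, home_servers, storage_gb, warnings)


def split_alphabetically(usernames, buckets):
    """Sort names case-insensitively and cut the list into `buckets` contiguous
    ranges of (nearly) equal size, as in the A-F / G-J example in the text."""
    if buckets < 1:
        raise ValueError("need at least one bucket")
    names = sorted(usernames, key=str.lower)
    if not names:
        return []
    size = math.ceil(len(names) / buckets)
    return [names[i:i + size] for i in range(0, len(names), size)]


def assign_home_share_points(usernames, home_servers,
                             share_points_per_server=MAX_AUTOMOUNT_SHARE_POINTS):
    """Map alphabetical user ranges onto automountable share points, never
    exceeding the guide's limit of 3 automountable share points per server."""
    if not 1 <= share_points_per_server <= MAX_AUTOMOUNT_SHARE_POINTS:
        raise ValueError(f"at most {MAX_AUTOMOUNT_SHARE_POINTS} automountable "
                         "share points per server")
    buckets = split_alphabetically(usernames, len(home_servers) * share_points_per_server)
    assignments = []
    for i, bucket in enumerate(buckets):
        server = home_servers[i // share_points_per_server]
        share = f"Users{i % share_points_per_server + 1}"   # constructed share point name
        assignments.append({
            "range": f"{bucket[0][0].upper()}-{bucket[-1][0].upper()}",
            "server": server,
            "share_point": share,
            # Automountable share points show up under /Network/Servers on clients.
            "mount_path": f"/Network/Servers/{server}/{share}",
            "users": bucket,
        })
    return assignments


if __name__ == "__main__":
    print(plan_servers(800, 300, largest_group_computers=200))
    # Constructed user and server names.
    for entry in assign_home_share_points(["alice", "grace", "bob", "dave"], ["homes1"]):
        print(entry["range"], entry["mount_path"], entry["users"])
```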
Determining administrator needs
Choose which users will be able to administer accounts and make sure they have domain administrator privileges. The domain administrator has the highest level of control over other users and their privileges. The domain administrator can create user accounts, group accounts, and computer lists and assign them settings, privileges, and managed preferences. He or she can also create other administrator accounts or grant certain users (for example, teachers or technical staff) administration privileges for specific directory domains.
Determine which users will need domain administration privileges. Likewise, many administration privileges can be given to managed users, allowing them to manage specific groups of users or modify certain account settings. A well-planned hierarchy of administrators and users with special administration privileges can help you distribute system administration tasks and optimize workflows and system management.
When you use Server Assistant to set up your server for the first time, you specify a password for the owner/administrator. This also becomes your server's root password. Many server administrators do not need to know the root password, but it is sometimes necessary to run command-line tools (such as CreateGroupFolder).
For administrators who do not need root access, use Workgroup Manager to create an administrator user with a password different from the root password. It is recommended that you use the root password with care and store it in a secure location. The root user has unlimited access to the system, including system files. If necessary, you can use Workgroup Manager to change the root password.

Using Workgroup Manager
After installing the Mac OS X Server software, you can access Workgroup Manager. This section provides an overview of the application.

Working with pre-10.4 computers from version 10.4 servers
Mac OS X Server 10.3 and 10.2 servers can be administered using the version 10.4 administration tools. Workgroup Manager on a version 10.4 server can be used to manage Mac OS X clients running Mac OS X 10.2.4 or later. Once you have modified a user record with Workgroup Manager version 10.4, it can only be accessed by Workgroup Manager version 10.4. Mac OS 9 client preferences can be managed from a version 10.4 server via Macintosh Manager only if you perform an upgrade installation to version 10.4; you can use an upgrade installation to install version 10.4 on 10.2.8 or 10.3 servers.

Opening Workgroup Manager and authenticating
Workgroup Manager is installed in /Applications/Server/ when you install the server or set up an administrator computer.
You can open it from that folder using the Finder. You can also open Workgroup Manager by clicking its icon in the Dock or in the toolbar of the Server Admin application.
• To work with directory domains on a particular server, type the server's IP address or DNS name in the Workgroup Manager Connect window, or click Browse to select it from the list of available servers. Type the user name and password of a domain administrator, then click Connect. Only domain administrators of the directory domain server will have directory administration privileges.
• You can view a directory domain without authenticating (by choosing Server > View Directories). You will have read-only access to the information displayed in Workgroup Manager. To make changes to a directory, you must authenticate using a domain administrator account. This approach is most appropriate when you administer different servers and work with various directory domains.
After opening Workgroup Manager, you can open one of its windows for another computer by clicking Connect in the toolbar or choosing Server > Connect.

Main tasks in Workgroup Manager
Once you are logged in, a window displays the list of user accounts. Initially these are the accounts stored in the last directory domain in the server's search path.
Here is how to get started with the main tasks you can perform with this application:
• To specify the directory or directories in which the accounts you want to work with are stored, click the globe icon. To work simultaneously with accounts stored in different directories, or to use different views of the accounts in the same directory, open several Workgroup Manager windows by clicking the New Window icon in the toolbar.
• To administer accounts in the selected directory, click the Accounts icon in the toolbar. On the left, click the Users, Groups, or Computers button to display the list of accounts that currently exist in the directory or directories you are working with. To filter the list of accounts displayed, use the search pop-up list above the accounts list.
• To work with managed preferences, select the account list you want, then click the Preferences icon in the toolbar.
• To work with share points, click the Sharing icon in the toolbar.
[Figure: the Workgroup Manager window, with callouts for the Accounts list, the filter field ("Type here to search or filter the list below"), the Users, Groups, and Computer Lists buttons, the globe ("Click the globe to change directory"), the currently selected domain, and the lock ("Click to authenticate").]
• To import or export user and group accounts, choose Server > Import or Server > Export, respectively.
• To get online information, use the Help menu. The Help menu gives access to help about the administration tasks you can perform with Workgroup Manager, as well as other topics related to Mac OS X Server.
• To open Server Admin to monitor and work with services on particular servers, click the Admin icon in the toolbar. Read the Getting Started guide for more information about the Server Admin application.

Listing and finding accounts
This section describes the different ways of displaying user accounts, group accounts, and computer lists in Workgroup Manager.

Working with account lists in Workgroup Manager
In Workgroup Manager, user accounts, group accounts, and computer lists are displayed on the left side of the application window. Several settings affect the content and appearance of the list:
• Workgroup Manager preferences control whether system users and groups are listed and the order in which they are sorted. Choose Workgroup Manager > Preferences to configure Workgroup Manager preferences.
• The list reflects the directory or directories you selected using the globe above the accounts list. Initially, accounts from parent directory domains are listed only if you are connected to the network. The domains available for selection are the local directory, all directory domains in the server's search path, and all available directory domains (domains that the server's configuration lets it access, whether or not they are in the search path). For instructions on configuring a server to access directory domains, see the Open Directory administration guide. Once you have chosen directory domains, all the accounts they contain are listed.
• To sort a list, click a column header. An arrow indicates the sort order (ascending or descending), which you can reverse by clicking the column header again.
• You can filter the list using the search pop-up list above the accounts list.
• You can find specific items in the list by typing a few characters in the field above the accounts list.
To work with one or more listed accounts, select them. The settings of the selected accounts appear in the window to the right of the list. The available settings depend on the pane displayed.

Listing accounts in the local directory domain
Services and programs running on a server can access the server's local directory. Programs running on a client computer, such as the client computer's login window, cannot access the server's local directory. Consequently, a server's file service can authenticate users who have accounts in the server's local directory, but those accounts cannot be used for authentication in the login window of client computers, because that window is a process running on the client computer.
To list the accounts in a server's local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain, then click the globe above the toolbar and choose Local. The local domain may also be listed as /NetInfo/root/ or /NetInfo/DefaultLocalNode.
2 To view user accounts, click the Users button (the leftmost button above the search field). Click the Groups button (the middle button) to display group accounts, and click the Computer Lists button (the right button) to display computer lists.
3 To work with a particular account, select it. To modify the account, which requires administrator privileges, you may need to click the lock to authenticate.

Listing accounts in search path directory domains
Search path directory domains are those defined in the search policy of the Mac OS X Server computer you are connected to. The Open Directory administration guide explains how to set up search policies.
To list accounts in search path domains for your server:
1 In Workgroup Manager, connect to a server whose search policy contains the directory domains you are interested in.
2 Click the globe above the toolbar, then choose Search Path.
3 To view accounts, click the Users button (the leftmost button above the search field). Click the Groups button to view group accounts, or click the Computer Lists button to view computer lists.

Listing accounts in available directory domains
You can use Workgroup Manager to list all the user accounts, group accounts, and computer lists residing in any specific directory domain accessible from the server you are connected to.
Select the domain from a list of all the directory domains configured to be accessible from the server you are using.
Be careful not to confuse available directory domains with those in a search policy. A search policy consists of the directory domains a server searches routinely, for example when it needs to retrieve a user account. However, the same server may be configured to access directory domains that have not been added to its search policy. To learn how to configure access to directory domains, see the Open Directory administration guide.
To list accounts in directory domains accessible from a server:
1 In Workgroup Manager, connect to a server from which the directory domains you are interested in are accessible.
2 Click the globe above the accounts list, then choose Other.
3 Select the domain or domains in the dialog that appears, then click OK. To view the user accounts residing in the selected directory domains, click the Users button (the leftmost button above the search field). Click the Groups button to view group accounts, or click the Computer Lists button to view computer lists.
4 To work with a particular account, select it. To modify an account, which requires domain administrator privileges, you may need to click the lock to authenticate.
Refreshing Account Lists
If more than one administrator can make changes to directories, refresh the lists to make sure the list displayed (of user accounts, group accounts, or computer lists) is the most current. To refresh lists, you can:
• click Refresh;
• enter search terms in the field above the list to obtain a new, filtered list;
• delete the terms from the field above the list to display the original, unfiltered list;
• click the globe above the toolbar, choose another item in the list, then select again the domain or domains you were working with.

Finding Specific Accounts in a List
After displaying a list of accounts in Workgroup Manager, you can filter it to locate users or groups of particular interest.
To filter items in the accounts list:
1 After listing the accounts, click the Users, Groups, or Computer Lists button.
2 In the pop-up menu above the accounts list (identified by a magnifying glass), select an option describing what you want to find, then enter search terms in the text field. The original list is replaced by the items that match your search criteria. If you enter a user name, both the full and the short names of users or groups are searched.
3 Choose Workgroup Manager > Preferences to make finding accounts more convenient when the domains you work with contain thousands of accounts.
To avoid listing accounts until you have specified a filter, select “Limit results to requested records”. When the filter field is empty, no accounts are listed. To list all accounts in the domains selected in the At pop-up menu, type “*” in the filter field. To list the accounts in those domains that match the filter criteria, select an option in the pop-up menu next to the filter field, then type the string you want to filter accounts with.
To specify the maximum number of accounts to list, select “List a maximum of”, then type a number lower than 25,000. Workgroup Manager can display up to 25,000 accounts.

Sorting User and Group Lists
After displaying a list of accounts in Workgroup Manager, click a column header to sort the entries by the values in that column. Click the header again to reverse the order of the entries in the list.

Using the Search Button in the Toolbar
You can use the Search button, in the Accounts or Preferences panes, to locate specific users or groups by searching for particular field values.
To locate specific users or groups via the Accounts or Preferences panes:
1 After selecting the pane you want to work in, click Search in the toolbar.
2 In the Search dialog, choose the field you want to search and the conditions to apply.
3 Type the text to search for and any additional conditions.
4 You can save, rename, or delete presets using the Search Presets pop-up menu. You can also perform batch edits on the search results. If you select this option, you can choose between “Preview and edit search results before applying changes” and “Show the changes made and any errors”.
5 Click Search once your search criteria are defined. Once the search results are displayed, you can either clear the search criteria to return to the default display, or change the search criteria to refine them. Any search can be saved as a preset if you want to reuse it.

Shortcuts for Working With Accounts
There are several techniques for managing accounts more efficiently. You can:
• edit several accounts at once;
• use presets as templates for creating new accounts;
• import user and group account information from a file.

Batch Editing
You can change the settings of several user accounts, group accounts, or computer lists at once. Changing several accounts at the same time is called batch editing. Hold down the Shift key and click to select a range of accounts, and/or hold down the Command key and click to select accounts individually. You can also choose Edit > Select All, then hold down the Command key and click individual accounts to deselect them one by one.
Batch editing can save you time in particular when you need to change the preferences of a large number of accounts. See “Editing Preferences for Multiple Records” on page 163.

Using Presets
You can select user account, group account, or computer list settings, then save them as a preset. Presets work like templates and let you apply predefined settings to a new account. With presets, you can easily set up several accounts in a similar way. You can use presets only when creating an account; you cannot use a preset to change an existing account. You can use presets when you create accounts manually or when you import them from a file. If you change a preset after it has been used to create an account, the accounts already created with that preset are not updated to reflect the changes. For more information, see “Creating a Preset for User Accounts” on page 72.

Importing and Exporting Account Information
You can use XML files or character-delimited text files to import and export user or group account information. This import method makes it easy to set up a large number of accounts quickly. Exporting information to a file can be useful for archiving or backing up user data. For more information, see Appendix A, “Importing and Exporting Account Information”.
Backing Up and Restoring User Management Data
Backing Up and Restoring Directory Services Files
For information on backing up and restoring directory domains and authentication database files, see onscreen help.

Backing Up root and Administrator User Accounts
System files are owned by the IDs of the system administrators and root users that existed when the files were created. If you need to restore system files, the same IDs must exist on the server so that the original permissions are preserved. To make sure you can recreate these user IDs, regularly export the server’s user and group information to a file, as described in Appendix A, “Importing and Exporting Account Information”.

3 Managing Users for Mobile Clients
This chapter contains suggestions for managing portable computers used by one or more users.

Setting Up Mobile Clients
If you have a number of portable computers to be distributed to given users or groups of users, you can implement a range of management techniques to customize the user environment and control a user’s level of access to local and network resources.

Setting Up Portable Computers
When preparing portable computers for use on your network, follow the instructions below.
Step 1: Install the operating system, applications, and utilities.
Most computers ship with an operating system installed.
However, if you need to install a new one, make sure the computer meets the minimum requirements for installing Mac OS X or Mac OS and the other applications and utilities you want.
Step 2: Create local accounts on Mac OS X computers.
Create at least one local administrator account and as many local user accounts as needed. Be careful to avoid any confusion between a local account name and password and a user’s network name and password.
Step 3: Set up computer lists on your server.
For Mac OS X computers, use Workgroup Manager to add computers to a computer list and enable computer-level preference management. You can also define user-level preference settings for the user’s network account.
You will find more details on configuring directory services in the Open Directory administration guide. For more information on working with computer lists, see Chapter 6, “Setting Up Computer Lists”. To learn more about working with managed preference settings, see Chapter 9, “Managing Preferences”.

Using Mobile Accounts
A mobile account, in Mac OS X Server, is a user account synchronized with a local (usually portable) computer. The user can log in to the portable computer using the name and password of a network account, even when the computer is not connected to the network. This feature is useful both for portable systems and for other “one-to-one” deployments in which one user is assigned to a single computer.
It is also useful in situations where having local home directories improves performance, such as video production. When a mobile account user connects to the network, the account data (that is, the account’s name, password, and managed preferences) is automatically synchronized with the server account so that both locations contain identical data. When the computer is disconnected from the network, the managed preference settings remain in effect. The home directory of a mobile account resides on the user’s computer; that of a network account resides on the server. When the computer is connected to the network, the user authenticates directly against the network account, without the mobile account being involved, but still uses a local home directory.
When a mobile account’s local home directory is configured to synchronize with a network home directory, it becomes a portable home directory, which lets a network user work offline on a copy of network content. Content can be synchronized between the two home directories, depending on how the mobile account is configured. A portable home directory can be configured to synchronize a user’s changed content at login, in the background over the network, and at logout. Synchronization of certain content can also be started manually so that content changed in one location is immediately available everywhere.
If users have AFP home directories, their network home directory is created the first time they try to access it.
If some of your mobile account users access a server hosting non-AFP network home directories, you must create the network home directories manually (see “Creating a Custom Home Directory” on page 134).

Creating a Mobile Account
Once a mobile account has been created, it appears in the accounts list in Accounts System Preferences. The account type is labeled Mobile, and most items in the Accounts pane are dimmed when it is selected. You can use Workgroup Manager to create a mobile account automatically at login.
To create a mobile account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select a user account, then click Preferences.
3 Click Mobility, then set the management setting to Always.
4 Select “Create mobile account at login” and select the “Synchronize account for offline use” checkbox.
5 Select the “Require confirmation before creating mobile account” option if you want to leave the user the choice of whether to create a mobile account at login. If this option is selected, a confirmation dialog appears when the user logs in. The user can then click Create to create the mobile account immediately, or Continue to log in as a network user without creating one.
6 Click Apply.
You can use Workgroup Manager to change the corresponding server account as you like. All changes made to the mobile account take effect the next time the computer connects to the network.

Deleting a Mobile Account
If a user no longer needs a mobile account, you can delete the individual account on the client computer.
This action deletes the mobile account and its local home directory. Deleting a mobile account can only be done by a local administrator or by a domain administrator with the permissions needed to manage the computer list the system belongs to, because the operation must be performed locally on the computer where the account resides. The administrator cannot use the Workgroup Manager administration console to perform this operation remotely.
To delete a mobile account:
1 Open System Preferences on the client computer.
2 Click Accounts, then select the user in the list.
3 Select the account you want to delete. The mobile account is recognizable by the word Mobile in the Type column.
4 Click the Delete (–) button, then click OK.
5 In the dialog that appears, choose either Archive or Delete the home directory.

Using Mobile Accounts From the User’s Side
If the computer is set up to display a list of users at login, the mobile account is displayed along with the local users. The user selects the account, then enters the password to complete the login. As for managed clients, if the network administrator has specified that mobile accounts be created at login, the accounts list in the login window displays all users. Once the user has selected the account and entered the password correctly, a local copy of the network account is immediately created and becomes the mobile account. The mobile account becomes permanent on that system when the user logs out or disconnects from the network.
The user can disconnect from the network and continue the session with that account on that system.

Portable Home Directories
A mobile account is a user account whose account record is synchronized with a network user account on a Mac OS X Server computer. The user can log in using the name and password of a network account, even when the computer is not connected to the network. End users who are administrators can create mobile accounts from the Accounts pane of System Preferences after entering an administrator name and password. Server administrators can prevent a user from creating a mobile account either by deselecting the “Synchronize account for offline use” checkbox in the Mobility/Synchronization pane of Workgroup Manager, or by disabling Accounts System Preferences in the System Preferences pane of Workgroup Manager.
An end user (using the Accounts pane of System Preferences) or a server administrator (using Workgroup Manager) can configure a mobile account’s local home directory to be synchronized with the network home directory, thus creating a portable home directory. A server administrator controls the synchronization settings of a user’s portable home directory via the Mobility/Rules pane of Workgroup Manager. Synchronization of a portable home directory is performed at login, immediately after the mobile account is created.
After the first synchronization, subsequent synchronizations happen in the background or when the user selects Synchronize, in the Accounts pane of System Preferences, or Sync Home, in the home directory synchronization menu extra. Note that any synchronization requires a connection to the server hosting the user’s network home directory. Synchronization is not performed if the user’s computer is not connected to the network or if the user’s home directory server is unavailable.

Considerations for Assigning Content to Synchronize
Server administrators are advised to weigh the advantages and disadvantages of the different mobile account creation mechanisms and portable home directory synchronization settings. Workgroup Manager enables rule-based control of background synchronization as well as of login and logout synchronization. The Accounts pane of System Preferences only enables control of background synchronization of the top-level home folders. Background synchronization operations are performed either periodically or on demand, when the user selects Sync Home in the home directory synchronization menu extra. Background synchronization also affects files that are open or displayed on screen, but does not lengthen login or logout time. A login or logout synchronization copies all files before and after the user changes them, but lengthens login or logout time depending on the number of files to check and on the size and number of files to copy to complete the synchronization.
Managing Mobile Clients
Once portable or dedicated computers are set up, many Workgroup Manager features let you apply restrictions or allow users to access network services. If a user has a network account and the computer binds to Open Directory, the user can log in with the network account name and password to access the available resources. To learn more about binding a computer to the Open Directory service, see the Open Directory administration guide.
For users without network accounts who have personal portable computers but still need access to your network resources, you can use Workgroup Manager features to apply settings to unknown or guest computers.

Unknown Mac OS X Portable Computers
To manage users of portable computers running Mac OS X, you can use the Guest Computers account to apply computer-level management to unknown or guest computers on the network. If these users log in via a Mac OS X Server user account, the managed user and group preferences and account settings also apply. For more information on setting up the Guest Computers account for Mac OS X users, see “Managing Guest Computers” on page 122.

Mac OS X Portable Computers for Multiple Local Users
The iBooks in a wireless mobile lab are an example of shared computers. This type of lab contains 10 to 15 iBooks for students (and an additional iBook for the teacher), an AirPort Base Station, and a printer, all on a mobile cart.
The cart lets you distribute the computers to users (for example, from one classroom to another). To manage the iBooks on your cart, create local user accounts that are identical on each computer (for example, all the accounts could use Math as the user name and Étudiant as the password). You can create separate generic local accounts for other purposes, for example dedicating one to history classes, another to biology classes, and so on. Each account should have a local home directory and no administrator privileges. Use a separate local administrator account on each computer to let server administrators (or others) perform maintenance tasks and upgrades, install software, and manage local user accounts.
Once the local user accounts are created, add the computers to a computer list and manage preferences for that list. Since several users can store items in the generic account’s local home directory, it is recommended, as part of routine maintenance, to empty that folder regularly. You can also create mobile accounts for users, or use Workgroup Manager’s preference management to create a mobile account automatically when a user logs in.

Mac OS X Portable Computers for a Primary Local User
Two methods let you set up the portable computer of a user who does not use a mobile account.
• The user has no administrator privileges but has a local account.
Set up a local administrator account on the computer (do not disclose any information about this account to the user), then a local account for the user. Users with local accounts and no administrator privileges cannot install software: they can only add or remove items in their own home directories. A local user can share items with others via the Public folder in the home directory. If this user has a mobile account, it should work like a local account but cannot be managed like a network account. If the user has a network account, you can change the managed preference settings so that a mobile account is created during the first login. Furthermore, if synchronization is enabled for this user (PHD), the content of the home directory is also synchronized when the user is connected to the network.
• The user is the computer’s administrator.
Mac OS X 10.4 lets you allow or deny administrators the ability to disable management during login. Note: it is often the case that the local administrator can still override the management settings. If the user also has a Mac OS X Server user account and the network is accessible, the user can nevertheless choose to log in with the local account so as not to burden the network. The user can connect to his or her own home directory (to store or retrieve documents, for example) using the Go to Folder command in the Finder’s Go menu. The considerations differ depending on whether it is a mobile account with a portable home directory or a mobile account that is also an administrator.
Using Wireless Services
You can provide managed clients with wireless network services, using AirPort for example. When a portable computer user leaves the wireless zone or changes network directory server (moving from one wireless zone to another), the client management settings may vary. The user may notice that certain network services, such as file servers, printers, shared group volumes, and so on, are not available from the new location. The user can then purge these resources by logging out and logging back in. For more information on using AirPort, see the related documentation or visit the website at www.apple.com/fr/airport/.

Security Considerations for Mobile Clients
You can further protect mobile clients by requiring regularly renewed alphanumeric passwords. Screen savers should be set to a minimum activation delay, and a password should be required to resume activity. It is recommended to restrict creating images of the hard disk and cold booting directly from the disk via target disk mode. To learn more about setting up Open Firmware passwords, see article 106482 on the Apple Service and Support website, at docs.info.apple.com/article.html?artnum=106482.
Make sure SSH is disabled to prevent unmanaged users from logging in. A user logged in via SSH is not affected by managed preferences that change his or her permissions. Remote login and any other type of external access, such as FTP and AFP, should be enabled only if you really need them.
Apple Remote Desktop can be used to provide secure remote access and allow computer management.

Directory Services
It is recommended to disable unrestricted DHCP binding for mobile clients, because the computer will implicitly trust any directory found on other networks. Authenticated directory binding offers the best security but requires configuring each computer individually. Static directory binding may be simpler but is not as secure. The Open Directory administration guide contains detailed information on the different directory binding mechanisms.

FileVault for Mobile Clients
Mac OS X lets you enable FileVault for mobile accounts. First enable the mobile account, then log in using the mobile account (which is created at that point). Once logged in, enable FileVault in System Preferences. You must have local administrator privileges and define a master password.

Security Considerations for Using Portable Home Directories
Portable home directories let mobile clients carry local (or portable) versions of their network home directory, work on files offline, and synchronize them when they reconnect to the network. All security considerations that apply to network accounts also apply to mobile clients using portable home directories. Mobile clients can change the access permissions on their network home directory to make it more open. Consequently, the security considerations for portable home directories are part of the security considerations for network users.
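The mobile-client checklist above (renewed alphanumeric passwords, screen saver lock, Open Firmware password, SSH off, FTP/AFP only when needed, no unrestricted DHCP binding, FileVault) expressed as an offline audit, added here as an example and not code from the Apple guide; the settings snapshot, its field names, and the 90-day and 300-second thresholds are assumptions, since the guide gives no numbers.

```python
"""Offline hardening audit of a managed Mac OS X mobile client (added example)."""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Assumed thresholds: the guide only says "regularly renewed" and "minimum delay".
MAX_PASSWORD_AGE_DAYS = 90
MAX_SCREENSAVER_IDLE_SECONDS = 300

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class MobileClientSettings:
    """Constructed snapshot of one laptop's settings (hypothetical field names)."""
    password_is_alphanumeric: bool
    password_max_age_days: int        # 0 means the password never expires
    screensaver_idle_seconds: int
    screensaver_requires_password: bool
    firmware_password_set: bool       # restricts target disk mode / booting off another disk
    ssh_enabled: bool                 # Remote Login
    ftp_enabled: bool
    afp_enabled: bool
    ftp_needed: bool                  # does this deployment really need it?
    afp_needed: bool
    directory_binding: str            # "dhcp", "static" or "authenticated"
    filevault_enabled: bool


def audit_mobile_client(s: MobileClientSettings) -> List[Finding]:
    """Return one finding per checklist item the snapshot fails (empty if clean)."""
    findings: List[Finding] = []

    # Passwords: alphanumeric and renewed regularly.
    if not s.password_is_alphanumeric:
        findings.append(("medium", "password policy does not require alphanumeric passwords"))
    if s.password_max_age_days == 0 or s.password_max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(("medium", f"password is not renewed at least every {MAX_PASSWORD_AGE_DAYS} days"))

    # Screen saver: short activation delay and a password to resume.
    if s.screensaver_idle_seconds > MAX_SCREENSAVER_IDLE_SECONDS:
        findings.append(("low", f"screen saver activates after more than {MAX_SCREENSAVER_IDLE_SECONDS} s"))
    if not s.screensaver_requires_password:
        findings.append(("high", "screen saver does not require a password to resume"))

    # Open Firmware password: blocks target disk mode and booting from another disk.
    if not s.firmware_password_set:
        findings.append(("high", "no firmware password: target disk mode and alternate boot are not restricted"))

    # SSH logins bypass managed preferences, so Remote Login should be off.
    if s.ssh_enabled:
        findings.append(("high", "SSH enabled: a user logged in over SSH is not affected by managed preferences"))

    # Other external access only where there is a real need.
    if s.ftp_enabled and not s.ftp_needed:
        findings.append(("medium", "FTP enabled without a documented need"))
    if s.afp_enabled and not s.afp_needed:
        findings.append(("medium", "AFP enabled without a documented need"))

    # Directory binding: DHCP-supplied binding trusts any directory on any network.
    binding = s.directory_binding.lower()
    if binding == "dhcp":
        findings.append(("high", "DHCP directory binding: the client trusts any directory found on other networks"))
    elif binding == "static":
        findings.append(("low", "static directory binding: simpler than authenticated binding but less secure"))
    elif binding != "authenticated":
        findings.append(("high", f"unknown directory binding mode {s.directory_binding!r}"))

    # FileVault protects the mobile account's local home directory at rest.
    if not s.filevault_enabled:
        findings.append(("medium", "FileVault not enabled for the mobile account's local home directory"))

    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or "none" when the audit is clean."""
    rank = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=rank.__getitem__, default="none")


# Constructed snapshots, not real machines.
WEAK_LAPTOP = MobileClientSettings(
    password_is_alphanumeric=False, password_max_age_days=0,
    screensaver_idle_seconds=1200, screensaver_requires_password=False,
    firmware_password_set=False, ssh_enabled=True,
    ftp_enabled=True, afp_enabled=True, ftp_needed=False, afp_needed=True,
    directory_binding="dhcp", filevault_enabled=False,
)
HARDENED_LAPTOP = MobileClientSettings(
    password_is_alphanumeric=True, password_max_age_days=60,
    screensaver_idle_seconds=120, screensaver_requires_password=True,
    firmware_password_set=True, ssh_enabled=False,
    ftp_enabled=False, afp_enabled=False, ftp_needed=False, afp_needed=False,
    directory_binding="authenticated", filevault_enabled=True,
)
# Same as the hardened laptop but statically bound: one "low" finding expected.
STATIC_BOUND_LAPTOP = replace(HARDENED_LAPTOP, directory_binding="static")

if __name__ == "__main__":
    for name, snapshot in (("weak", WEAK_LAPTOP), ("hardened", HARDENED_LAPTOP)):
        result = audit_mobile_client(snapshot)
        print(f"{name}: worst severity = {worst_severity(result)}")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```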
Note: it is possible to have a mobile account without a portable home directory. This is the case if, for example, you have a network home directory that is not synchronized with the local account’s home directory, or a network account with no network home directory at all.

VPN Connections
Creating a new mobile account or configuring a mobile account for synchronization must be done while connected directly to the network, not while connected via VPN. The first time you log in to a mobile account with a portable home directory, it synchronizes automatically with the network home directory. Once the mobile account has been created, you can log in offline, establish a VPN connection, then start a manual synchronization.

Data Loss and Recovery Considerations
Do not use portable home directories in place of a systematic backup system. Portable home directories only synchronize the new files, changed files, and changed managed preferences since the last synchronization. A synchronization is never a faithful image of a user’s environment; it is only the changed part of the content designated by the administrator. Furthermore, unlike dedicated backup solutions, portable home directories do not let you specifically recover content as it was synchronized before the last synchronization.

4 Setting Up User Accounts
This chapter explains how to set up, change, and manage user accounts.

About User Accounts
A user account stores the data Mac OS X Server needs to validate a user’s identity and provide services to the user.
This section gives an overview of user accounts.

Where User Accounts Are Stored
User accounts, group accounts, and computer lists can be stored in any Open Directory domain accessible from any Mac OS X computer. A directory domain can reside either on a Mac OS X computer (for example, the LDAP directory of an Open Directory master, a NetInfo domain, or any other read/write directory domain) or on a non-Apple server (an LDAP server or an Active Directory server, for example). You can use Workgroup Manager to work with accounts in all types of directory domains, but it can update only the LDAP directory of an Open Directory master, a NetInfo domain, or any other read/write directory domain. For complete information about the different types of Open Directory domains, see the Open Directory administration guide.

Predefined User Accounts
The following table describes some of the user accounts that are created automatically when you install Mac OS X Server (unless otherwise noted). For the complete list, open Workgroup Manager and choose View > Show System Users and Groups.

Predefined user name | Short name | User ID | Use
--- | --- | --- | ---
Anonymous FTP user | ftp | 98 | The user name assigned to anyone who uses FTP as an anonymous user. This user is created the first time the FTP server is accessed, if FTP service is enabled, anonymous FTP access is enabled, and the anonymous ftp user does not yet exist.
Macintosh Manager user | mmuser | -17 | The user created by the Macintosh Manager server the first time the application is launched on a particular server. It has no home directory and its password is changed regularly.
MySQL server | mysql | 74 | The user the MySQL database server uses for the processes that handle requests.
Sendmail user | smmsp | 25 | The user under which sendmail runs.
sshd (privilege separation) | sshd | 75 | The user for the sshd child processes that handle network data.
System administrator | root | 0 | The user with the most privileges.
System services | daemon | 1 | Legacy UNIX user.
Unknown user | unknown | 99 | The user used when the system does not recognize the hard disk.
Unprivileged user | nobody | -2 | Originally, this user was created so that system services did not have to run as the system administrator. Today, however, service-specific users (the web server user, for example) are often used for this purpose.
World Wide Web server | www | 70 | The unprivileged user Apache uses for the processes that handle requests.

Administering User Accounts
This section explains how to administer user accounts stored in different types of directory domains.

Creating Mac OS X Server User Accounts
To create a user account in a particular directory domain, you must have administrator privileges for that domain.
To create a user account:
1. In Workgroup Manager, click Accounts.
2. Make sure the directory services of the Mac OS X Server you are using have been configured to access the domain of interest. For instructions, see the Open Directory administrator guide.
3. Click the small globe below the accounts list, then choose the domain in which you want the user account to reside. Local, /NetInfo/root/ and /NetInfo/DefaultLocalNode, for example, all refer to the local directory domain. /NetInfo/root refers to a shared NetInfo domain if the server is configured to access one; otherwise, /NetInfo/root is the local domain.
4. To be authenticated, click the lock.
5. Choose Server > New User or click New User in the toolbar.
6. Specify settings for the user in the tabs provided. See "Defining Full User Names" on page 74 and "Forwarding a User's Mail" on page 93 for details.
You can also use a preset or an import file to create a user.
Note: Workgroup Manager cannot be used to create users, groups, or computers in a standard Active Directory domain. The Active Directory schema must be extended to allow the creation of users, groups, or computers.
For details, see "Using Presets to Create Accounts" on page 73 and "Using Workgroup Manager to Import Users and Groups" on page 243.

Creating Read/Write LDAPv3 User Accounts
You can create a user account on a non-Apple LDAPv3 server if it has been configured for write access.
To create an LDAPv3 user account:
1. In Workgroup Manager, click Accounts.
2. Make sure the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for user accounts. The Open Directory administration guide provides information about the standard user account attributes and instructions for mapping attributes. To learn more about the user account elements that may require mapping, see Appendix A, "Importing and Exporting Account Information."
3. Click the small globe above the accounts list, then choose the LDAPv3 domain in which you want the user account to reside.
4. To be authenticated, click the lock.
5. Choose Server > New User or click New User in the toolbar.
6. Specify settings for the user in the tabs provided. For details, read from "Working With Basic Settings for Users" on page 74 through "Working With Print Settings for Users" on page 93.
You can also use a preset or an import file to create a user. For details, see "Using Presets to Create Accounts" on page 73 and "Using Workgroup Manager to Import Users and Groups" on page 243.

Modifying User Account Information
Workgroup Manager lets you modify a user account that resides in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other directory domain.
To make changes to a user account:
1. In Workgroup Manager, click Accounts.
2. Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain of interest. For instructions, see the Open Directory administration guide.
3. Click the small globe above the accounts list, then choose the domain in which the user account resides.
4. To be authenticated, click the lock.
5. Click the Users button and select the user.
6. Modify the user's settings in the tabs provided. For details, read from "Working With Basic Settings for Users" on page 74 through "Working With Print Settings for Users" on page 93.

Modifying Several Users at Once
You can use Workgroup Manager to make the same changes to several user accounts at once, for accounts that reside in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other directory domain.
To modify several users:
1. In Workgroup Manager, click Accounts.
2. Select the user accounts to modify. Click the globe icon below the toolbar, choose the directory domain, then Command-click each user.
3. To be authenticated, click the lock.
4. Click to display the pane you want to use, then make your changes in the fields that Workgroup Manager lets you update.
Modifying Accounts in an Open Directory Master
You can modify accounts in the LDAP directory of an Open Directory master if you are authorized to administer the directory domain but not the server itself. The "User can administer this directory domain" option in the Basic pane of Accounts in Workgroup Manager must be selected. If you do not have this authorization, you must authenticate to the directory domain with the directory administrator account created in Mac OS X Server when you specify, in Server Admin, that your server is a directory master. The user ID (UID), user name, and password of the directory administrator account (by default, the editable user ID is 1000 and the user name is "diradmin") are defined by the server administrator when the directory is created.
To modify accounts:
1. Use an administrator computer configured (via the Services pane of Directory Access) to access the server hosting the Open Directory master.
2. Open Workgroup Manager on the administrator computer.
3. When the login window appears, choose Server > View Directories.
4. Click the small globe icon above the accounts list and choose Other from the pop-up menu.
5. Open the directory domain you want to administer and click the lock to be authenticated as the domain administrator.
These instructions apply to a single domain administrator. If several domain administrator accounts have been created in the directory domain, you can use any of them to unlock the directory.
Working With Read-Only User Accounts
You can use Workgroup Manager to view information about user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only user account:
1. In Workgroup Manager, click Accounts.
2. Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain in which the account resides. For more information about using Directory Access to configure server connections, see the Open Directory administration guide. To learn more about the user account elements that require mapping, see Appendix A, "Importing and Exporting Account Information."
3. Click the small globe above the accounts list, then choose the directory domain in which the user account resides.
4. Use the tabs provided to review the user's account settings. For details, read from "Working With Basic Settings for Users" on page 74 through "Working With Print Settings for Users" on page 93.

Defining a Guest User
You can configure some services to handle "anonymous" users. These are users who cannot be authenticated because they do not have a valid user name or password.
The following services can be configured to handle anonymous users:
• Windows services (see the Windows services guide for information about configuring guest access)
• Apple file service (see the file services administration guide for information about configuring guest access)
• FTP service (see the file services administration guide for information about configuring guest access)
• Web service (see the web technologies administration guide for information about configuring guest access)
Users who connect to a server anonymously are limited to the files, folders, and websites whose permissions are set to Everyone.
There is another type of guest user: the managed users you can define to simplify the setup of public computers (or computer kiosks). For more information about this type of user, see Chapter 9, "Managing Preferences," on page 157.

Deleting a User Account
Workgroup Manager lets you delete a user account stored in the LDAP directory of an Open Directory master or in a NetInfo domain.
To delete a user account using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account to delete. To find the account, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user.
3. To be authenticated, click the lock.
4. Choose Server > Delete Selected User or click the Delete icon in the toolbar.
Warning: This action cannot be undone.
Disabling a User Account
To disable a user account, you can:
• Deselect the "User can log in" option in the Basic pane of Workgroup Manager.
• Delete the account.
• Change the user's password to an unknown value.
• Set a password policy that disables login (for a user account with an Open Directory password).

Using Presets for User Accounts
Presets work like templates: they let you define attributes that are automatically applied to new user and group accounts.

Creating a Preset for User Accounts
You can create one or more presets to choose from when creating new user accounts in a particular directory domain.
To create a preset for user accounts:
1. Open Workgroup Manager on the server from which you create user accounts. Make sure the server has been configured to access the Mac OS X or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts. To switch domains, click the small globe above the accounts list.
2. Click Accounts.
3. To create a preset using data stored in an existing user account, open that account. To create a preset from an empty user account, create a new user account.
4. Fill in the fields with the values you want new user accounts to inherit. If you are starting from an existing account, delete the values you do not want included in the preset.
The following attributes can be defined in a user account preset: password settings, administrator privileges, home directory settings, quotas, default shell, primary group ID, group membership list, comment, login settings, print settings, and mail settings.
5. Click Preferences, configure the settings you want to include in the preset, then click Accounts. After configuring the preferences for a preset, you must return to the Accounts settings to save the preset.
6. Choose Save Preset from the Presets pop-up menu, type a name for the preset, then click OK. The preset is saved in the current directory domain.

Using Presets to Create Accounts
Presets are a quick way to apply settings to a new account. After applying the preset, you can continue to modify the new account's settings if necessary.
To create an account using a preset:
1. Open Workgroup Manager on a server configured to access the Mac OS X or non-Apple LDAPv3 directory domain in which the preset will be used to create the new account.
2. Click Accounts.
3. Click the small globe above the accounts list, then choose the directory domain in which you want the new account to reside.
4. To be authenticated, click the lock.
5. Choose an item from the Presets pop-up menu. If you plan to import a file, choose a preset in the import options dialog.
6. Create an account interactively or using an import file.
If a setting is specified both in the preset and in the import file, the value in the file is used. If a setting is specified in the preset but not in the import file, the preset's value is used.
7. If necessary, add or update attribute values interactively or using an import file.

Renaming Presets
Name your presets so that you remember the template settings or can identify the type of user account, group account, or computer list the preset is best suited for. Presets can be renamed if necessary.
To rename a preset:
1. Open Workgroup Manager on the server where the preset was defined.
2. Click Accounts.
3. Choose Rename Preset from the Presets pop-up menu.
4. Enter the new name and click OK.

Modifying Presets
When you modify a preset, the existing accounts it helped create are not updated to reflect your changes.
To modify a preset:
1. Open Workgroup Manager on the server where the preset was defined.
2. Click Accounts.
3. Choose an item from the Presets pop-up menu.
4. When you have finished your changes, choose Save Preset from the Presets pop-up menu.
You can also modify a preset while using it to create an account: simply change any field defined by the preset, then save it.

Deleting Presets
You can delete presets you no longer need.
To delete a preset:
1. Open Workgroup Manager on the server where the preset was defined.
2. Click Accounts.
3. Choose Delete Preset from the Presets pop-up menu.
4. Select the preset to delete, then click Delete.

Working With Basic Settings for Users
Basic settings are a set of attributes that must be defined for all users. In Workgroup Manager, use the Basic pane of the user account window to work with basic settings.

Defining Full User Names
The user name is a user's full name, for example Jeanne Dubois or Dr Pierre Martin (it is sometimes called the real name). Users can log in using either the user name or the short name associated with their account. Full user names are case-sensitive in the login window, so login fails if a user types MARIE DUPONT instead of Marie Dupont. User names are not case-sensitive, however, when they are used to authenticate a user for access to a file server or to log in from Mac OS 9 Macintosh Manager clients.
A full user name cannot contain more than 255 bytes. Because full user names support multiple character sets, the maximum number of characters can range from 255 Roman characters down to 85 characters (for character sets whose characters occupy up to 3 bytes).
Workgroup Manager lets you modify the user name of an account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain.
You can also use Workgroup Manager to review the user names in any directory domain accessible from the server you are using.
To work with the user name using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the account to work with. To do so, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3. To be authenticated, click the lock.
4. In the Name field of the Basic pane, review the user name and modify it if necessary. The initial value of the user name is "Untitled". After the name is modified, Workgroup Manager does not check whether it is unique.
Avoid assigning the same name to several users. Although Workgroup Manager does not let you assign the same name to several users in a particular domain or in any domain in the search path (search policy) of the server you are using, it has no way of detecting duplicates that may exist in other domains.

Defining User Short Names
A short name is an abbreviated version of a user's name, for example ebrown or arnoldsmith. Users can log in using either the short name or the user name associated with their account. Mac OS X uses the short name for home directories and groups:
• When Mac OS X automatically creates a home directory (local or network AFP) for a user, it gives it the user's short name. For more information about home directories, see Chapter 7, "Setting Up Home Directories."
• When Mac OS X checks whether a user belongs to a group authorized to access a particular file, it uses short names to find the user IDs of the group members. For an example, see "Avoiding Duplicate Short Names" on page 79.
You can associate up to 16 short names with a user account. These short names can serve, for example, as aliases for mail accounts. Because the first short name is the one used for home directories and group membership lists, do not reassign it after the user account has been saved.
A user short name can contain up to 255 Roman characters. However, for clients running Mac OS X 10.1.5 and earlier, the first user short name cannot contain more than 8 characters. Use only the following characters for the first user short name (subsequent short names can contain any Roman character):
• a through z
• 0 through 9
• _ (underscore)
Short names generally contain at most eight characters.
Workgroup Manager lets you modify the short name of an account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to review the short names in any directory domain accessible from the server you are using.
To work with a user short name using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the account you want to work with.
To select the account, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user account.
3. To be authenticated, click the lock.
4. In the Short Names field of the Basic pane, review the short names and modify them if necessary. The initial value of the short name is "Untitled". If you specify several short names, they must be on separate lines.
Avoid assigning the same short name to several users. Although Workgroup Manager does not let you assign the same short name to several users in a particular domain or in any domain in the search path (search policy) of the server you are using, it has no way of detecting duplicates that may exist in other domains.
Once the user account has been saved, you can no longer modify the first short name, but you can modify the other names in a list of short names.

Choosing Permanent Short Names
When you create groups, Mac OS X identifies the users that belong to them by their first short name, which cannot be modified. If you absolutely must change a short name, you can create for the user a new account (in the same directory domain) that contains the new short name but keeps all the other information (user ID, primary group, home directory, and so on). You can then disable login for the old user account. From then on, the user can log in with the changed name while keeping the same access to files and other network resources as before.
(For more information about disabling login for an account, see "Disabling a User Account" on page 72.)

Avoiding Duplicate Names
If different user accounts have the same name (user name or short name) on a Mac OS X computer, the login window displays the list of users so that you can choose. This is a new feature of Mac OS X 10.4 that is not supported by earlier versions.
Consider the example of three shared directory domains after their users have been created. Tony Smith has an account in the Students domain and Tom Smith has an account in the root domain. Both accounts have the short name "tsmith" and the password "smitty".
[Figure: root domain (/) above the Students and Faculty domains; Tony's computer: Tony Smith (tsmith, smitty); Tom's computer: Tom Smith (tsmith, smitty)]
When Tony logs in to his computer with the user name "tsmith" and the password "smitty", the login window displays both users whose accounts have the same short name and password (Tony Smith and Tom Smith). If Tony selects Tom's name, he can log in as Tom and access Tom's files, which is not the intended effect.
Now suppose that Tony and Tom have the same short name but different passwords.
[Figure: same hierarchy; Tony's computer: Tony Smith (tsmith, tony); Tom's computer: Tom Smith (tsmith, smitty)]
If Tom tries to log in to Tony's computer using the short name "tsmith" and his own password (smitty), Mac OS X finds "tsmith" in both domains and offers Tom the choice of the user name under which he wants to be authenticated.
His only option is to authenticate against his user record in the root domain, with his own password.
If Tony has, in his local directory domain, a user record with the same name and password as his record in the Students domain, he can still choose the user ID under which he wants to log in. Tony's local domain should provide a name/password combination that distinguishes it from the record in the Students domain. If the Students domain is not accessible (when Tony is working at home, for example), he can log in to it only if his account is configured as a mobile account. In that case, he can use the files on his computer that were created under the mobile user. Tony can always choose in the login window the user name under which he wants to authenticate if his user ID is the same in the local domain and in the Students domain.
Duplicate short names can have undesirable effects in group records (see the next section).

Avoiding Duplicate Short Names
Because short names are used to find the user IDs of group members, duplicated short names can cause file access to be granted to groups you did not intend to authorize.
Return to the example of Tony and Tom Smith, who both have the same short name. Suppose the administrator created a group in the root domain to which all students belong. The group, Allstudents, has a group ID of 2017. Now suppose that a file, MyDoc, is located on a computer accessible to Tony and Tom. The file is owned by a user whose ID is 127.
It grants read-only access to Touslesétudiants. Tony, not Tom, was added to the Touslesétudiants group, but because a group's member list consists of short names rather than user IDs, and because the short name tsmith is listed as a member of Touslesétudiants, Tony and Tom will both be effective members of Touslesétudiants. If Tom tries to access MonDoc, Mac OS X determines that the owner permissions do not apply to Tom and goes on to check whether the group permissions apply to Tom. Mac OS X searches the login hierarchy for user records whose short names match those associated with Touslesétudiants. Tom's user record is found (short name tsmith) because it is located in the login hierarchy, and that record's user ID is compared with Tom's login ID. Because they match, Tom is allowed to read MonDoc even though he is not a member of Touslesétudiants.

[Figure: directory hierarchy with the root domain (/) above the Étudiants and Faculté domains. Tony's computer: Tony Smith (tsmith, smitty, UID 3000). Tom Smith (tsmith, smitty, UID 2000). Touslesétudiants (tsmith, GID 2017). Tom's computer: MonDoc, owner 127: read and write; group 2017: read only; others: none.]

Defining User IDs

A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to keep track of the directories and files a user owns. When a user creates a directory or file, the user ID is stored as the creator's ID.
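The owner, group and other check that Mac OS X applies to MonDoc, with the short-name group lookup described in the section above and the owner-UID comparison just introduced, as an added Python model rather than Apple's code. The placement of Tom's record in the Faculté domain, the login hierarchies, the UID-keyed resolution shown as a hardened alternative and the duplicate-short-name audit are all assumptions of this example, not statements from the guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    short_names: tuple   # primary short name followed by its aliases
    uid: int
    primary_gid: int


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    member_short_names: tuple   # what the group record stores, per the guide
    member_uids: tuple          # hardened variant (assumed): UIDs captured at add time


@dataclass(frozen=True)
class FileEntry:
    name: str
    owner_uid: int
    gid: int
    owner_perm: str   # e.g. "rw"
    group_perm: str   # e.g. "r"
    other_perm: str   # e.g. ""


# Records from the guide's figure. Which domain holds Tom's record is not stated,
# so placing it in /Faculté is a constructed assumption.
TONY = User("Tony Smith", ("tsmith", "smitty"), uid=3000, primary_gid=20)
TOM = User("Tom Smith", ("tsmith", "smitty"), uid=2000, primary_gid=20)
DOMAINS = {"/Étudiants": (TONY,), "/Faculté": (TOM,)}
TONY_LOGIN_HIERARCHY = ("/Étudiants", "/")
TOM_LOGIN_HIERARCHY = ("/Faculté", "/")

# Only Tony was added to the group, but the record stores the short name.
ALL_STUDENTS = Group("Touslesétudiants", 2017, member_short_names=("tsmith",), member_uids=(3000,))
MYDOC = FileEntry("MonDoc", owner_uid=127, gid=2017, owner_perm="rw", group_perm="r", other_perm="")


def members_by_short_name(group, login_hierarchy):
    """UIDs the short-name member list resolves to inside one login hierarchy:
    every user record whose short name or alias is listed counts as a member."""
    matched = set()
    for domain in login_hierarchy:
        for user in DOMAINS.get(domain, ()):
            if any(name in group.member_short_names for name in user.short_names):
                matched.add(user.uid)
    return matched


def members_by_uid(group, login_hierarchy):
    """Hardened resolution (assumed): membership keyed on the UID stored at add time,
    so a second record with the same short name does not inherit the membership."""
    return set(group.member_uids)


def has_read_access(user, entry, groups, login_hierarchy, resolve=members_by_short_name):
    """Owner, then group, then other: the first class that applies decides."""
    if user.uid == entry.owner_uid:
        return "r" in entry.owner_perm
    group = next((g for g in groups if g.gid == entry.gid), None)
    if group is not None and (user.primary_gid == entry.gid
                              or user.uid in resolve(group, login_hierarchy)):
        return "r" in entry.group_perm
    return "r" in entry.other_perm


def duplicate_short_names(domains):
    """Audit that catches the condition before it matters: short names (aliases
    included) that appear on more than one user record across the given domains."""
    seen = {}
    for domain, users in domains.items():
        for user in users:
            for name in user.short_names:
                seen.setdefault(name, []).append((domain, user.uid))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    for who, hierarchy in ((TONY, TONY_LOGIN_HIERARCHY), (TOM, TOM_LOGIN_HIERARCHY)):
        by_name = has_read_access(who, MYDOC, [ALL_STUDENTS], hierarchy)
        by_uid = has_read_access(who, MYDOC, [ALL_STUDENTS], hierarchy, resolve=members_by_uid)
        print(f"{who.name}: reads MonDoc via short names={by_name}, via UIDs={by_uid}")
    print("duplicate short names:", duplicate_short_names(DOMAINS))
```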
A user with that ID has read and write permissions by default for the directory or file created. The user ID must be a unique string of digits between 500 and 2,147,483,648. Assigning the same user ID to different users is risky, because two users with the same ID have the same access permissions to directories and files. User ID 0 is reserved for the root user. User IDs below 100 are reserved for the system; users with these IDs cannot be deleted or modified, except to change the root user's password. As a general rule, you should not change user IDs once they have been assigned and users have begun creating files and directories on a network. You may, however, need to break this rule if you are merging users created on different servers onto a single server or group of servers; the same user ID may then have been associated with another user on the previous server. When you create a user account in any shared directory domain, Workgroup Manager assigns a user ID automatically. The value assigned is an unused ID (1025 or higher) in the server's search path. (New users created with the Accounts pane of System Preferences on Mac OS X computers receive IDs starting at 501.) Workgroup Manager lets you change the ID of an account stored in the LDAP directory of an Open Directory master or in a NetInfo domain.
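The user ID rules above (0 for root, IDs below 100 reserved, the 500 to 2,147,483,648 range, unused IDs of 1025 and up handed out in shared domains, uniqueness across the search path) as an added Python audit that is not part of the guide or of Workgroup Manager. The directory node names, account names and UIDs are constructed placeholders, and the merge planner models the server-consolidation case the paragraph warns about.

```python
ROOT_UID = 0
SYSTEM_UID_MAX = 99            # IDs below 100 are reserved for the system
MIN_USER_UID = 500             # lower bound given by the guide
MAX_USER_UID = 2_147_483_648   # upper bound given by the guide
SHARED_FIRST_UID = 1025        # where Workgroup Manager starts in a shared domain

# Constructed search policy of the target server, in search order:
# node name -> {short name: UID}. Node names and hosts are placeholders.
SEARCH_PATH = [
    ("/NetInfo/DefaultLocalNode", {"admin": 501, "jdoe": 502, "www": 70}),
    ("/LDAPv3/od.example.com", {"tsmith": 1025, "mlee": 1026, "ptan": 1040}),
]

# Constructed accounts exported from a second server being folded into this one.
INCOMING = {"rkim": 1026, "svc": 0, "pbrown": 1041, "qalead": 1025}


def classify_uid(uid):
    """Name the class an ID falls into under the guide's rules."""
    if uid == ROOT_UID:
        return "root"
    if 0 < uid <= SYSTEM_UID_MAX:
        return "system"
    if uid < MIN_USER_UID or uid > MAX_USER_UID:
        return "out-of-range"
    return "user"


def uids_in_use(search_path):
    """Map every UID seen in the search policy to the (node, short name) pairs holding it."""
    used = {}
    for node, accounts in search_path:
        for name, uid in accounts.items():
            used.setdefault(uid, []).append((node, name))
    return used


def audit_search_path(search_path):
    """Report reserved or out-of-range IDs on user records, and IDs shared by several
    records: either one collapses distinct people into a single file-system identity."""
    used = uids_in_use(search_path)
    reserved = [(node, name, uid, classify_uid(uid))
                for uid, holders in used.items() if classify_uid(uid) != "user"
                for node, name in holders]
    duplicates = {uid: holders for uid, holders in used.items() if len(holders) > 1}
    return {"reserved": reserved, "duplicates": duplicates}


def next_free_uid(taken, start=SHARED_FIRST_UID):
    """Smallest unused ID at or above `start`, mirroring shared-domain assignment."""
    uid = start
    while uid in taken:
        uid += 1
    return uid


def plan_merge(search_path, incoming):
    """Decide, per incoming account, whether its UID can be kept or must be reassigned
    because it is reserved or already taken on the target. Returns
    {short name: (old UID, new UID)}. A reassigned user's existing files must be
    re-owned, which is why the guide advises against changing UIDs once files exist."""
    taken = set(uids_in_use(search_path))
    plan = {}
    for name, uid in incoming.items():
        if classify_uid(uid) == "user" and uid not in taken:
            plan[name] = (uid, uid)
            taken.add(uid)
        else:
            new_uid = next_free_uid(taken)
            plan[name] = (uid, new_uid)
            taken.add(new_uid)
    return plan


if __name__ == "__main__":
    print("next free shared UID:", next_free_uid(uids_in_use(SEARCH_PATH)))
    for name, (old, new) in plan_merge(SEARCH_PATH, INCOMING).items():
        print(f"{name}: {old} -> {new}" + ("" if old == new else "  (reassigned)"))
    merged = SEARCH_PATH + [("/LDAPv3/legacy.example.com", INCOMING)]
    print("if merged without reassignment:", audit_search_path(merged))
```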
You can also use Workgroup Manager to review the user ID in any directory domain accessible from the server you are using.

To change a user ID in Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To select an account, click the small globe icon above the accounts list, choose the directory domain where the user account resides, then select the user.
3 To be authenticated, click the lock.
4 In the Basic pane, specify a value in the User ID field. This value must be unique within the search policy (search path) of the computers the user will log in to.

Defining Passwords

For more information about defining passwords, see the Open Directory administration guide.

Setting Password Options for Imported Users

When you export users with Workgroup Manager, password information is not exported. To set passwords, you can either edit the export file before importing it or set passwords after importing. You can also create a text-delimited import file manually and insert passwords in it. To learn how to use import files, see Appendix A.

To set password options after importing:
1 Import the users with Workgroup Manager or the dsimport command-line tool.
2 In Workgroup Manager, click Accounts.
3 Open the directory containing the imported users.
4 Select the users whose password options you want to set.
5 Click Advanced.
6 Make sure the Password Type is set to Open Directory, click Options, set the password options, then click OK.
7 Click Save.

For more about importing users, see Appendix A. For more information about Open Directory passwords, see the Open Directory administration guide.

Assigning Administrator Rights for a Server

A user with server administration privileges can control most of the server's configuration settings and use applications, such as Server Admin, that require the user to be a member of the server's administration group.

Workgroup Manager lets you assign server administrator privileges in the LDAP directory of an Open Directory master or in a NetInfo domain. You can also use Workgroup Manager to review the server administrator privileges in any directory domain accessible from the server you are using.

To set server administrator privileges in Workgroup Manager:
1 Log in to Workgroup Manager by specifying the name or IP address of the server for which you want to assign administration privileges.
2 Click Accounts.
3 Click the small globe icon above the accounts list, then choose the directory domain where the user account resides.
4 To be authenticated, click the lock.
5 In the Basic pane, select the “User can administer the server” option to grant server administration privileges.

Assigning Administrator Rights for a Directory Domain

A user with administration privileges for an Apple directory domain can use Workgroup Manager to modify the user accounts, group accounts, and computer lists stored in that domain. The changes the user can make are limited to those you specify.

Workgroup Manager lets you assign directory domain administration privileges to an account stored in the LDAP directory of an Open Directory master or in a NetInfo domain. You can also use Workgroup Manager to review these privileges in any directory domain accessible from the server you are using.

To set directory domain administration privileges in Workgroup Manager:
1 Make sure the user has an account in the directory domain.
2 In Workgroup Manager, click Accounts.
3 Select the user account. To do so, click the small globe icon above the accounts list, choose the directory domain where the user account resides, then select the account.
4 To be authenticated, click the lock.
5 In the Basic pane, select the “User can administer this directory domain” option.
6 To specify what the user will be able to administer in the domain, click Privileges. By default, the user has no directory domain privileges.
7 Click the Users, Groups, or Computer Lists button and make your settings. If you select no checkbox (such as “Administrator can edit user preferences”), the user will be able to see account information or preferences in Workgroup Manager but not change them. To add an item to the “below” items area (on the right), drag it from the Available list (on the left). To remove an item, select it, then press the Delete key.

GUID

Available since Mac OS X 10.4, the universal identifier called the globally unique ID (GUID) gives a user or group an identity for ACL permissions. The GUID also associates a user with group and nested group memberships. You will find information about GUIDs and their implications in Appendix B.

Working with Advanced Settings for Users

Advanced settings include login settings, passwords, the password validation policy, and a comment field. In Workgroup Manager, use the Advanced pane in the user account window to work with advanced settings.

Defining Login Settings

By specifying login settings for a user, you can:
• Control whether the user can be authenticated using the account.
• Allow or prevent a managed user from logging in to several managed computers simultaneously.
• Indicate whether the user of a managed computer can or must select a workgroup at login, or whether you want to avoid displaying workgroups when the user logs in.
• Identify the default shell, such as /bin/csh or /bin/bash (the default), that the user uses for command-line interaction with Mac OS X. This shell is used by the Terminal application on the computer the user logged in to, but a Terminal preference lets you override it. The default shell is used by SSH (Secure Shell) or Telnet when the user connects to a remote Mac OS X computer.

Workgroup Manager lets you define the login settings of an account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to review the login settings in any directory domain accessible from the server you are using.

To work with login settings using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Select Allow Simultaneous Login to let a user log in to several managed computers at once. Note: simultaneous logins are generally not recommended. It is better to reserve them for technical staff, teachers, or other users with administrator privileges. (Users who have a network home directory store their application preferences and documents in that location.
Simultaneous logins risk modifying those items, and many applications do not allow such modifications while they are open.) You cannot disable simultaneous logins for users with NFS home directories.
6 To specify the user's default shell when logging in to a Mac OS X computer, choose a shell from the Login Shell pop-up menu. Note: Terminal has a preference that lets the user override the default shell. To enter a shell that is not in the list, click Custom. To make sure a user cannot access the server remotely from a command line, choose None.

Defining a Password Type

For more information about configuring and managing passwords, see the Open Directory administration guide.

Creating a Master Keyword List

You can define keywords that allow fast sorting and searching of users. Using keywords can simplify tasks such as creating groups or editing several users. Before you start adding keywords to user records, you must create a master keyword list. The keyword list displayed in the Advanced pane of a selected user applies only to that user.

To edit the master keyword list:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Click the Edit (pencil) button to display the master keyword list. The master list shows all terms that can be used as keywords. You can access and edit it from any selected user account.
6 To add a keyword to the list, click (+) and enter the keyword in the field.
7 To remove a keyword from the list and from all user records where it appears, select it, choose “Remove deleted keywords from users,” then click (–). To remove a keyword from the list only, make sure the “Remove deleted keywords from users” option is not selected, select the keyword to remove, then click (–).
8 When you have finished editing the master list, click OK.

Applying Keywords to User Accounts

You cannot add keywords to several users at once, but you can, if necessary, remove a keyword from all users tagged with that keyword.

To work with the keywords of an individual user account:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 To add a keyword to the selected account, click (+) to display the list of available keywords. Select one or more terms in the list, then click OK.
6 To remove a keyword from a specific user, select the term to remove and click (–).
7 When you have finished adding or removing keywords for the selected user, click Save.

Editing Comments

You can save a comment in a user's account to provide information that may help in administering that user. Comments can contain up to 32,676 characters. Workgroup Manager lets you define the comment of an account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to review comments in any directory domain accessible from the server you are using.

To work with comments using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Edit or review the contents of the Comment field.

Working with Group Settings for Users

Group settings identify the groups a user is a member of. In Workgroup Manager, use the Groups pane in the user account window to work with group settings. For information about administering groups, see Chapter 5, “Setting Up Group Accounts.”

Defining a User's Primary Group

By default, a user belongs to a primary group.
You can make the primary group a member of another group or nest groups within the primary group. However, preferences defined for the primary group override preferences defined for its nested or parent groups. The primary group ID is used by the file system when the user accesses a file he or she does not own. The file system checks the file's group permissions and, if the user's primary group ID matches the ID of the group associated with the file, the user inherits the group's access permissions. The primary group is the fastest way to determine whether a user has group permissions for a file. The primary group ID must be a unique string of digits. Its default value is 20 (the ID of the staff group), but you can change it. Its maximum value is 2,147,483,648.

Workgroup Manager lets you define the primary group ID of an account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to review primary group information in any directory domain accessible from the server you are using.

To work with a primary group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Edit or review the contents of the Primary Group ID field. Workgroup Manager displays the group's full and short names after you enter a primary group ID, provided the group exists and is accessible in the search path of the server you are connected to.

Adding a User to Groups

Add users to groups if you want several users to have the same file access permissions, or if you want to manage their Mac OS X preferences by means of workgroups or computer lists. This could be used, for example, to deny a group of students access to a printer or to give a quality-control team access to the internal reports of several groups. Workgroup Manager lets you add a user to a group if the user and group accounts are in the LDAP directory of an Open Directory master or in a NetInfo domain. If the directory is implemented over NFS, keep in mind that the NFS architecture limits groups to 16. Note: a user can belong to an unlimited number of groups.

To add a user to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Click the Add (+) button to open a drawer listing the groups defined in the directory domain you are working with.
(To include system groups in the list, choose Preferences from the Workgroup Manager menu, then select “Show system users and groups.”)
6 Select the group, then drag it into the Other Groups list of the Groups pane. You can also add users to a group via the Members pane of group accounts. Note: if a user is a direct member of several groups, managed preferences from a group other than the primary group can be obtained only at login.

Removing a User from a Group

Workgroup Manager lets you remove a user from a group if the user and group accounts are in the LDAP directory of an Open Directory master or in a NetInfo domain.

To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Select the group or groups from which you want to remove the user, then click the Remove (–) button. You can also add users to a group via the Members pane of group accounts.

Reviewing a User's Group Memberships

You can use Workgroup Manager to review the groups a user belongs to, if the user's account resides in a directory domain accessible from the server you are using.
To review group memberships using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button. The primary group the user belongs to is displayed, and the other groups the user belongs to are listed in the Other Groups list.

Working with Home Directory Settings for Users

Home directory settings describe the attributes of a user's home directory. For information about using and setting up home directories, see Chapter 7, “Setting Up Home Directories.”

Working with Mail Settings for Users

You can create a Mac OS X Server mail account for a user by specifying mail settings in that user's account. To use the account, the user must configure a mail client to identify the user name, password, mail service, and mail protocol you specified in the mail settings. In Workgroup Manager, use the Mail pane in the user account window to define the user's mail settings. For information about setting up and managing Mac OS X Server mail service, see the mail service administration guide.
Disabling a User's Mail Service

Workgroup Manager lets you disable mail service for users whose accounts are stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain.

To disable a user's mail service using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select None.

Enabling Mail Service Account Options

Workgroup Manager lets you enable mail service and set mail options for a user whose account is stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to review the mail settings of accounts stored in any directory domain accessible from the server you are using.

To work with a user's mail service account options using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 To let the user use mail service, select Enabled.
6 Enter a valid mail server name or address in the Mail Server fields: the DNS name or IP address of the server the user's messages will be directed to. Workgroup Manager does not verify this information.
7 Enter a value in the Mail Quota field to specify the maximum number of megabytes allowed for the user's mailbox. A value of 0 (zero) or an empty field means no quota is applied. When the space taken by the user's messages approaches or exceeds the specified mail quota, mail service displays a prompt asking the user to delete messages to free space. The message shows quota information in kilobytes (KB) or megabytes (MB).
8 Select a Mail Access setting to identify the protocol used for the user's mail account: Post Office Protocol (POP) and/or Internet Message Access Protocol (IMAP).
9 The following features are supported only for mail accounts residing on a server running Mac OS X Server software earlier than version 10.3. Select an Options setting to determine the inbox characteristics for accounts that access mail via POP and IMAP. “Use separate POP and IMAP mailboxes” creates separate inboxes for POP mail and IMAP mail. The “Show POP mailbox in IMAP folder list” option displays an IMAP folder called “POP mailbox.” Select Enable NotifyMail to automatically notify the user's mail application when new messages arrive.
The IP address the notification is sent to can be either the user's last login IP address or an address you specify.

Forwarding a User's Mail

Workgroup Manager lets you set up mail forwarding for users whose accounts are stored in the LDAP directory of an Open Directory master or in a NetInfo domain.

To forward a user's messages using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe icon above the accounts list, choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select Forward and enter the forwarding email address in the Forward To field. Be sure to enter the correct address. Workgroup Manager does not verify that the address exists.

Working with Print Settings for Users

The print settings associated with a user's account define whether that user can print to accessible Mac OS X Server queues when the print service enforces print quotas. The print service administration guide explains how to set up print queues that enforce quotas. In Workgroup Manager, use the Print Quota pane in the user account window to define a user's print quotas:
• To disable a user's access to queues that enforce print quotas, select None (the default).
• To let a user print to all accessible queues that enforce quotas, select All Queues.
• To let a user print to specific queues that enforce quotas, select Per Queue.

Disabling a User's Access to Queues That Enforce Quotas
You can use Workgroup Manager to prevent a user from printing to an accessible Mac OS X Server queue that enforces quotas. To use Workgroup Manager, the user's account must be stored in the LDAP directory of an Open Directory master or in a NetInfo domain.
To disable a user's access to queues that enforce quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user in the users list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 Select None.

Enabling a User's Access to Queues That Enforce Quotas
You can use Workgroup Manager to let a user print to some or all of the accessible Mac OS X Server queues that enforce quotas. To use Workgroup Manager, the user's account must be stored in the LDAP directory of an Open Directory master or in a NetInfo domain.
To set a user's print quota for queues that enforce quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user in the users list.
3 To be authenticated, click the lock.
4 Click Print Quota.
To set a quota that applies to all queues, follow step 5. To set quotas for particular queues, follow step 6 instead.
5 Click All Queues, then specify the maximum number of pages the user can print over a given number of days through any queue that enforces quotas.
6 Click Per Queue, then use the Queue Name pop-up menu to select the queue for which you want to define a quota for the user.
If the queue you want does not appear in the Queue Name pop-up menu, click Add to enter its name, then specify in the Print Server field the IP address or DNS name of the server on which the queue is defined.
To give the user unlimited printing rights on the queue, click "Unlimited Printing". Otherwise, specify the maximum number of pages the user can print over a given number of days. Click Save.

Deleting a User's Print Quota for a Specific Queue
If you no longer want to enforce a print quota for a particular queue, you can delete it for specific users.
To delete a user's print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To do so, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user in the list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 To disable the user's access to a queue, identify it using the Queue Name pop-up menu and the Print Server field.
6 Click Delete.

Resetting a User's Print Quota
Occasionally a user who has already exceeded a print quota needs to print additional pages. For example, an administrator may have a 200-page manual to print while the quota allows only 150 pages. Or a student who exceeded the quota while printing a report may need to print a revised copy of the report. Workgroup Manager lets you reset a user's print quota and allow the user to print again.
To restart a user's print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with. To do so, click the small globe above the accounts list, choose the directory domain where the account resides, then select the user in the users list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 If the user is set up to use all queues that enforce quotas, click Restart Print Quota.
If the user's print quotas are specific to certain queues, use the Queue Name pop-up menu and the Print Server field to identify a queue, then click Restart Print Quota.
You can also increase a user's page allowance without resetting the quota period by changing the number of pages allotted to the user. The quota period remains unchanged and is not reset, but the number of pages the user can print during that period is reevaluated, both for the current quota period and for future periods. To increase or decrease a user's page limit, type a new value in the "Limit to ___ pages" field, then click Save.

Working with Info Settings for Users
If a user's account resides in an LDAPv3 directory domain, it can contain information that Address Book can import. The attributes in this pane currently include the telephone number, the email address, and the URLs of the user's weblog and web page.
Note: There is only one telephone attribute; by default it takes the value of the work telephone number in Address Book.
To use the info settings:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain you are interested in. For instructions, see the Open Directory administration guide.
3 Click the small globe above the accounts list, then choose the domain in which the user account resides.
4 To be authenticated, click the lock.
5 Click the Users button and select the user.
6 Click Info, enter or change the values, then click Save.

Choosing Settings for Windows Users
Computers running the Windows operating system can be integrated into your Mac OS X Server network. You can use the Windows pane in Workgroup Manager to set up user accounts and choose settings for individuals who need to access Windows computers.
For detailed information about using settings for users who access Windows computers, see the Windows services administration guide.

5 Configuring Group Accounts
A group account makes it easy to manage a set of users with similar needs. This chapter explains how to set up and manage group accounts.

About Group Accounts
Group accounts store the identities of the users who belong to a group, as well as information that lets you customize the working environment of the group's members. A group for which preferences are defined is a workgroup.
A primary group is the user's default group. Primary groups can speed up the check the Mac OS X file system performs when a user accesses a file.

Administering Group Accounts
This section describes how to administer group accounts stored in various kinds of directory domains.

Where Group Accounts Are Stored
Group accounts, as well as user accounts and computer lists, can be stored in any Open Directory domain.
A directory domain can reside on a Mac OS X computer (for example, the LDAP directory of an Open Directory master or a NetInfo domain) or on a non-Apple server (for example, an LDAP or Active Directory server). Workgroup Manager lets you work with accounts in all kinds of directory domains.
For complete information about the different kinds of Open Directory domains, see the Open Directory administration guide.

Predefined Group Accounts
The following table describes the group accounts created automatically when you install Mac OS X Server. For a complete list, open Workgroup Manager and choose View > Show System Users and Groups.

Predefined group name   Group ID   Use
admin                   80         The group to which users with administrator privileges belong.
bin                     7          A group that owns all the binary files.
daemon                  1          Group used by system services.
dialer                  68         Group for controlling access to modems on a server.
guest                   31
kmem                    2          A legacy group used to control access to reading kernel memory.
mail                    6          The group historically used to access local UNIX mail.
mysql                   74         The group the MySQL database server uses for the processes that handle its requests.
network                 69         This group has no special meaning.
nobody                  -2         Group used by system services.
nogroup                 -1         Group used by system services.
operator                5          This group has no special meaning.
smmsp                   25         The group used by sendmail.
sshd                    75         The group used for the sshd child processes that handle network data.
staff                   20         The default group in which UNIX users are traditionally placed.
sys                     3          This group has no special meaning.
tty                     4          A group that owns special files, such as the device file associated with an SSH or Telnet user.
unknown                 99         The group used when the system does not recognize the hard disk.
utmp                    45         The group that controls what can update the system's list of logged-in users.
uucp                    66         The group used to control access to UUCP spool files.
wheel                   0          Another group (in addition to admin) to which users with administrator privileges belong.
www                     70         The unprivileged group that Apache uses for the processes that handle its requests.

Creating Mac OS X Server Group Accounts
To create a group account in a directory domain, you must have administrator privileges for that domain.
To create a group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the domain you are interested in. For instructions, see the Open Directory administration guide.
3 Click the globe above the toolbar and open the domain in which you want the group account to reside.
4 Click the lock to be authenticated as a directory domain administrator.
5 Click the Groups pane.
6 Click New Group, then specify the group's settings in the tabs displayed.
You can also use a preset or an import file to create a new group.
For details, see "Creating a Preset for Group Accounts" and Appendix A, "Importing and Exporting Account Information".

Creating Read/Write LDAPv3 Group Accounts
You can create a group account on a non-Apple LDAPv3 server if it has been configured for write access.
To create an LDAPv3 group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to use the LDAP server for group accounts.
For information about using Directory Access to configure an LDAP connection, see the Open Directory administration guide. For information about the group account elements you may need to map, see Appendix A, "Importing and Exporting Account Information".
3 Click the globe above the toolbar and open the LDAPv3 domain in which you want the group account to reside.
4 To be authenticated, click the lock.
5 Choose Server > New Group.
6 Specify settings for the group in the tabs displayed.
For details, see "Working with Member Settings for Groups" on page 105 and "Working with Group Folder Settings" on page 108.
You can also use a preset or an import file to create a new group. For details, see "Creating a Preset for Group Accounts" below and Appendix A, "Importing and Exporting Account Information".

Creating a Preset for Group Accounts
Group account presets can be used to apply predetermined settings to a new group account.
To create a preset for group accounts:
1 Open Workgroup Manager on the server from which you create the group accounts.
2 Click Accounts.
3 Make sure the server has been configured to access the Mac OS X or non-Apple LDAPv3 directory domain in which the preset will be used to create new accounts.
4 To create a preset using data stored in an existing group account, open the account. To create a preset using an empty group account, create a group account.
5 Fill in the fields with the values you want new groups to inherit. If you are starting from an existing account, delete the values you do not want to include in the preset.
6 Click Preferences, configure the settings you want to include in the preset, then click Accounts.
After configuring a preset's preferences, you must return to the Accounts settings to save the preset.
7 Choose Save Preset from the Presets pop-up menu, type a name for the preset, then click OK.

Editing Group Account Information
You can use Workgroup Manager to edit a group account located in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain.
To edit a group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain you are interested in. For instructions, see the Open Directory administration guide.
3 Click the globe above the accounts list, then open the domain in which the group account resides.
4 To be authenticated, click the lock.
5 Click the Groups pane, then select the group you want to work with.
6 Edit the group's settings in the tabs displayed.
For details, see "Working with Member Settings for Groups" on page 105 and "Working with Group Folder Settings" on page 108.

Creating Nested Groups
A nested group is a group that is a member of another group. Each group can have its own managed preferences, which are inherited by all users who are members of that group. If you define preferences for a group or for one of its nested groups, the preferences applied when a group member logs in are those defined for the workgroup the user chooses after logging in.
To create a nested group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain you are interested in. For instructions, see the Open Directory administration guide.
3 Click the globe above the accounts list, then open the domain in which you want the group account to reside.
4 To be authenticated, click the lock.
5 Click the Groups button, then create a new group.
6 Click the Add (+) button to nest the group in the selected group. Drag the group from the drawer to the Members list. All members of that group also become child members of the parent group.
7 Click Save.
Groups created with server versions earlier than 10.4 cannot contain nested groups unless you convert them as described in "Upgrading Legacy Groups". If you upgrade to version 10.4 from version 10.3 or earlier, the groups remain legacy groups and continue to work as they did before. Groups created in Mac OS X 10.4, by contrast, are considered upgraded groups and can contain nested groups and other objects as members, as well as user records.

Upgrading Legacy Groups
When you upgrade the server to version 10.4 or import groups created before version 10.4, the existing groups cannot contain nested groups unless you convert them first.
To upgrade a legacy group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain you are interested in. For instructions, see the Open Directory administration guide.
3 Click the globe above the accounts list, then open the domain in which the group account resides.
4 To be authenticated, click the lock.
5 Click the Groups button, then select the legacy group you want to upgrade.
6 Click the Upgrade Legacy Group button.
7 Click Save.

Working with Read-Only Group Accounts
Workgroup Manager lets you view information about group accounts stored in read-only directory domains.
Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server you are using have been configured to access the directory domain in which the account resides.
For information about using Directory Access to configure server connections, see the Open Directory administration guide. For information about the group account elements that need to be mapped, see Appendix A, "Importing and Exporting Account Information".
3 Click the globe above the accounts list, then open the directory domain in which the group account resides.
4 Use the tabs displayed to view the group account settings.
For details, see "Working with Member Settings for Groups" below and "Working with Group Folder Settings" on page 108.

Working with Member Settings for Groups
Member settings include a group's names, its ID, and a list of the users who are members of the group. In Workgroup Manager, the Members pane in the group account window lets you work with member settings. When a user's name appears in italics in the Members list, the group is that user's primary group.

Adding Users to a Group
Add users to a group if you want several users to have the same file access permissions, or to make them managed users.
When you create a user account and assign the new user a primary group, the user is automatically added to the specified group. Otherwise, add users to the group yourself.
You can use Workgroup Manager to add users to a group if the user and group accounts are located in the LDAP directory of an Open Directory master or in a NetInfo domain.
To add users to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 Click Members.
5 Click the Add (+) button to open a drawer listing the users defined in the directory domain you are working with.
6 To include system users in the list, choose Workgroup Manager > Preferences, then select "Show system users and groups".
Make sure the group account resides in a directory domain specified in the search policy (search path) of the computers the user will log in to.
7 Select the user, then drag the user into the Members list in the Members pane.
Removing Users from a Group
You can use Workgroup Manager to remove a user from a group that is not the user's primary group, if the user and group accounts reside in the LDAP directory of an Open Directory master or in a NetInfo domain.
To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 Click Members.
5 Select the user or users to remove from the group, then click the Delete (–) button.

Naming a Group
A group has two names: a full name and a short name.
• The full group name (for example, English Department Students) is used for display purposes only and must not exceed 255 bytes. Because full group names support multiple character sets, they can contain up to 255 Roman characters (only 85 for character sets whose characters take up to 3 bytes).
• A short group name can contain up to 255 Roman characters. However, for clients using Mac OS X version 10.1.5 and earlier, the short group name can contain at most 8 characters.
In a short group name, use only the following characters:
• a through z
• A through Z
• 0 through 9
• _ (underscore)
The short name, generally at most eight characters, can be used by Mac OS X to look up the IDs of the users who are members of a group, in order to determine whether a user can access a file as a member of the group. For details, see Appendix B.
You can use Workgroup Manager to change the name of a group account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain. You can also use Workgroup Manager to view the names stored in any directory domain accessible from the server you are using.
To work with group names using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 In the Name or Short Name field (in the Members pane), review or change the names.
Before saving a new name, Workgroup Manager verifies that it is unique.

Defining a Group ID
A group ID is a string of ASCII digits that uniquely identifies a group. Its maximum value is 2,147,483,648.
You can use Workgroup Manager to change the ID of a group account stored in the LDAP directory of an Open Directory master or in a NetInfo domain, or to review the group ID in any directory domain accessible from the server you are using. The group ID is associated with group permissions.
To work with a group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 In the Group ID field (in the Members pane), review or change the ID.
Before saving a new group ID, Workgroup Manager verifies that it is unique in the directory domain you are using.

Working with Group Folder Settings
Group folders are used to organize documents and applications of special interest to the members of a group, and group members can use them to exchange information with one another. Group folders are not directly tied to workgroup management, but using group folders for clients with workgroup settings can improve access management and workflows.
To set up a group folder:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 Click the Groups button, then select a group.
5 Click Group Folder.
6 To set up a group folder located in a subfolder of a share point, click the Add (+) or Duplicate (copy icon) button. For instructions, see "Creating a Group Folder in a Subfolder of an Existing Share Point" on page 112.

No Group Folder Option
You can use Workgroup Manager so that a group account that has a group folder no longer has one. By default, a new group has no group folder.
To define no group folder:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe above the accounts list, open the directory domain in which the account resides, click the Groups pane, then select the group.
3 To be authenticated, click the lock.
4 Click the Groups pane, then select a group.
5 Click Group Folder.
6 Select (None) in the list.

Creating a Group Folder in an Existing Share Point
You can create a group folder for a group either in any existing share point or in the /Groups folder (a predefined share point).
To set up a group folder in the /Groups folder or in any other existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where it resides. Click the globe above the accounts list, open the directory domain where the account resides, click the Groups pane, then select the group.
3 To authenticate, click the lock.
4 Click Group Folder.
5 To add an existing share point to the list, click Add (+), then enter the required information.
In the URL field, enter the full URL of the share point where the group folder should reside. For example, type AFP://monserveur.exemple.com/SchoolGroups to identify an AFP share point named SchoolGroups on a server whose DNS name is “monserveur.exemple.com”. If you are not using DNS, replace the DNS name of the server hosting the group folder with its IP address: “AFP://192.168.2.1/SchoolGroups”.
In the Path field, enter the path from the share point to the group folder, including the group folder but excluding the share point. Do not put a slash (/) at the beginning or end of the path. For example, if the share point is SchoolGroups and the full path to the group folder is SchoolGroups/StudentGroups/SecondGrade, type StudentGroups/SecondGrade in the Path field.
Note: Setting up a group folder share point with a network mount record does not automatically mount the group folder when a group member logs in. You can provide easy access to a group folder by managing Dock or Login preferences for the group.
6 In the Owner field, enter the name of the user who should own the group folder, so that this user can act as the administrator of the group's folder.
Click the Browse (…) button to choose an owner from the list of users in the current directory domain. The group folder's owner has read/write access to it.
7 Click Save.
8 To create the folder, use the CreateGroupFolder command in Terminal.
You must be logged in as the root user to use this command. For more information, type “man CreateGroupFolder” in Terminal to display the command's man page.
The group folder takes the short name of the group it is associated with.
You can automate access to the folder for a group member once the member has logged in:
• You can set up Dock preferences to make the group folder visible in the Dock. For instructions, see “Easy Access to Group Folders” on page 174.
• You can also set up Login preferences so that users can click Computer in the Finder and see the group folder's share point and the group folders in it. For instructions, see “Providing Easy Access to the Group Share Point” on page 194.
When you use these preferences, make sure the group is defined in a shared domain in the search policy of the group member's computer. See the Open Directory administration guide for instructions on setting up a computer's search policy.
If you do not automate access to group folders, group members can use the Connect to Server command in the Finder's Go menu to locate the server where the group folder resides and access it.
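The URL and Path field rules from the procedure above, as an added example that is not part of the Apple guide and not Workgroup Manager code: a Python model that parses the URL field (the AFP://server/sharepoint form the guide gives, with either a DNS name or an IP address), validates the Path field (no leading or trailing slash) and derives the URL of the group folder, given that CreateGroupFolder names the folder after the group's short name. The class and function names are this example's own; the rejection of empty, “.” and “..” path components is an added defensive check the guide does not mention, and the warning about a last path component that differs from the group short name is this example's reading of the two statements that the Path includes the group folder and that the folder takes the short name.

```python
"""Group folder location fields (URL and Path) as the Workgroup Manager procedure describes them.

Added example, not part of the Apple guide and not Workgroup Manager code.  The
field rules are the guide's; the class and function names, the error texts and
the rejection of '.' and '..' path components are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# DNS label check used when the server is named rather than addressed (assumed RFC 1123 form).
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class GroupFolderLocation:
    share_url: str            # URL field, e.g. AFP://monserveur.exemple.com/SchoolGroups
    host: str                 # server DNS name or IP address taken from the URL
    share_point: str          # share point name, the single path component of the URL
    path: str                 # Path field, '' when the folder sits directly in the share point
    group_short_name: str     # CreateGroupFolder names the folder after the group
    warnings: tuple[str, ...] = ()

    @property
    def folder_url(self) -> str:
        """Full URL of the group folder itself."""
        tail = self.path if self.path else self.group_short_name
        return f"{self.share_url.rstrip('/')}/{tail}"


def _host_ok(host: str) -> bool:
    """Accept either an IP address (the no-DNS case) or a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return all(_LABEL.match(label) for label in host.split("."))


def parse_share_url(url: str) -> tuple[str, str]:
    """Split the URL field into (host, share point); the form is AFP://<server>/<share point>."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "afp":
        raise ValueError(f"URL must be an AFP URL, got scheme {parts.scheme!r}")
    if not parts.hostname or not _host_ok(parts.hostname):
        raise ValueError(f"URL has no valid server name or IP address: {url!r}")
    share = parts.path.strip("/")
    if not share or "/" in share:
        raise ValueError("URL must name exactly one share point after the server")
    return parts.hostname, share


def validate_path(path: str) -> list[str]:
    """Return the Path field's components; '' means the folder is directly in the share point.

    The guide forbids a leading or trailing slash.  Empty, '.' and '..' components are
    rejected as well so the folder cannot resolve outside the share point (added check).
    """
    if path == "":
        return []
    if path.startswith("/") or path.endswith("/"):
        raise ValueError("Path must not begin or end with a slash")
    comps = path.split("/")
    for comp in comps:
        if comp in ("", ".", ".."):
            raise ValueError(f"Path contains an invalid component: {comp!r}")
    return comps


def group_folder_location(url: str, path: str, group_short_name: str) -> GroupFolderLocation:
    """Validate both fields and derive where the group folder will be created."""
    host, share = parse_share_url(url)
    comps = validate_path(path)
    warnings = []
    if comps and comps[-1] != group_short_name:
        # The guide says the Path includes the group folder and that the folder takes
        # the group's short name, so a different last component is worth a look.
        warnings.append(
            f"last Path component {comps[-1]!r} differs from group short name {group_short_name!r}")
    return GroupFolderLocation(url, host, share, path, group_short_name, tuple(warnings))


def location_error(url: str, path: str, group_short_name: str) -> str | None:
    """Error text for bad field values, or None when they are acceptable."""
    try:
        group_folder_location(url, path, group_short_name)
    except ValueError as exc:
        return str(exc)
    return None
```

With the guide's own values, group_folder_location("AFP://monserveur.exemple.com/SchoolGroups", "StudentGroups/SecondGrade", "SecondGrade").folder_url yields AFP://monserveur.exemple.com/SchoolGroups/StudentGroups/SecondGrade, and a Path typed with a leading slash is refused before anything is saved.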
Creating a Group Folder in a New Share Point
You can use Workgroup Manager to create a group folder in a new share point.

To create a group folder in a new share point:
1 On the server where you want the group folder to reside, create a folder to serve as the share point for the group folder.
2 In Workgroup Manager, connect to the server from step 1, then click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 In the General pane, select “Share this item and its contents”.
5 Set the Group privileges to Read & Write and the Everyone privileges to Read Only, then rename the group by typing admin in the Group field. Ignore the owner privileges for now.
6 Click Save.
7 Click Accounts, then select the group account you want to work with.
To select a group account, connect to the server where it resides. Click Accounts. Click the globe above the accounts list, then open the directory domain where the group account resides. Click the Groups pane, then select the group.
8 To authenticate, click the lock.
9 In the Owner field, enter the name of the user who should own the group folder, so that this user can act as the administrator of the group's folder.
Click the Browse (…) button to choose an owner from the list of users in the current directory domain. The group folder's owner has read/write access to it.
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be logged in as the root user to use this command. For more information, type “man CreateGroupFolder” in Terminal to display the man page.
The group folder takes the short name of the group it is associated with.
You can automate access to the folder for a group member once the member has logged in:
• You can set up Dock preferences to make the group folder visible in the Dock. For instructions, see “Easy Access to Group Folders” on page 174.
• You can also set up Login preferences so that users can click Computer in the Finder and see the group folder's share point and the group folders in it. For instructions, see “Providing Easy Access to the Group Share Point” on page 194.
When you use these preferences, make sure the group is defined in a shared domain in the search policy of the group member's computer. See the Open Directory administration guide for instructions on setting up a computer's search policy.
If you do not automate access to group folders, group members can use the Connect to Server command in the Finder's Go menu to locate the server where the group folder resides and access it.

Creating a Group Folder in a Subfolder of an Existing Share Point
In Workgroup Manager, you can create group folders that are not immediately under a share point.
For example, you can organize group folders into several subfolders within a share point you have defined. If Groups is the share point, you could put the student groups' folders in /Groups/StudentGroups and the teacher groups' folders in /Groups/TeacherGroups. The full path of a group folder for second-grade students could be /Groups/StudentGroups/SecondGrade.
The procedure described here assumes that the share point exists. If the share point does not exist, follow the instructions in “Creating a Group Folder in a New Share Point” on page 110 without creating the folder in the last step. Then follow the steps below.

To set up a group folder in a subfolder of an existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where it resides. Click the globe above the accounts list, open the directory domain where the account resides, click the Groups pane, then select the group.
3 To authenticate, click the lock.
4 Click Group Folder.
5 Click the Add (+) button to add a custom group folder location, or Duplicate (copy icon) to copy an existing location.
To delete a group folder location, select it, then click the Delete (–) button. You can delete only locations that were added with the Add or Duplicate button.
6 In the URL field, enter the full URL of the share point where the group folder should reside.
For example, enter AFP://monserveur.exemple.com/SchoolGroups to identify an AFP share point named SchoolGroups on a server whose DNS name is monserveur.exemple.com. If you are not using DNS, replace the DNS name of the server hosting the group folder with its IP address: AFP://192.168.2.1/SchoolGroups.
7 In the Path field, enter the path from the share point to the group folder, including the group folder but excluding the share point.
For example, if the share point is SchoolGroups and the full path to the group folder is SchoolGroups/StudentGroups/SecondGrade, type StudentGroups/SecondGrade in the Path field. Do not put a slash (/) at the beginning or end of the path.
8 Click OK.
9 In the Owner field, enter the name of the user who should own the group folder, so that this user can act as the administrator of the group's folder.
Click the Browse (…) button to choose an owner from the list of users in the current directory domain. The group folder's owner has read/write access to it.
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be logged in as the root user to use this command. For more information, type “man CreateGroupFolder” in Terminal to display the man page.
The group folder takes the short name of the group it is associated with.
11 Set up access to the group folder for users who log in as members of the group.
• You can automate access to the folder for a group member when the user logs in.
• You can set up Dock preferences to make the group folder visible in the Dock.
For instructions, see “Easy Access to Group Folders” on page 174.
• You can also set up Login preferences so that users can click Computer in the Finder to see the group folder's share point and the group folders in it. For instructions, see “Providing Easy Access to the Group Share Point” on page 194.
When you use these preferences, make sure the group is defined in a shared domain in the search policy of the group member's computer. See the Open Directory administration guide for instructions on setting up a computer's search policy.
If you do not automate access to group folders, group members can use the Connect to Server command in the Finder's Go menu to locate the server where the group folder resides and access it.

Designating a Group Folder for Multiple Groups
To make a group folder accessible to several groups, identify the folder for each group separately.

To set up multiple groups to use the same group folder:
1 In Workgroup Manager, click Accounts.
2 Select the first group account that should use the folder.
To select a group account, connect to the server where it resides. Click the globe above the accounts list, open the directory domain where the account resides, click the Groups pane, then select the group.
3 Click Group Folder, select the folder the group should use, then click Save.
4 Repeat for each group that should use the same group folder.

Deleting Group Accounts
You can use Workgroup Manager to delete a group account stored in the LDAP directory of an Open Directory master, in a NetInfo domain, or in any other read/write directory domain.

To delete a group account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to delete.
To select the account, click the globe above the accounts list, open the directory domain where the account resides, click the Groups pane, then select the group.
3 To authenticate, click the lock.
4 Choose Server > Delete Selected Group, or click the Delete icon in the toolbar.
Warning: This action cannot be undone.

6 Setting Up Computer Lists
This chapter explains how to set up and manage groups of computers.

About Computer Lists
A computer list consists of one or more computers that have the same preference settings and are available to particular users and groups. You create and modify computer lists in Workgroup Manager.
There are two preconfigured computer lists: Guest Computers and Windows Computers. These two lists, along with the computer lists you set up, appear on the left side of the Workgroup Manager window. Settings appear in the List, Access, and Cache panes on the right side of the window.
Before setting up a computer list, determine the names and addresses of the computers that will be in it.
You generally use the computer name specified in the computer's Sharing preferences. If you prefer, you can use a descriptive name you find more appropriate. The computer's address must be its built-in Ethernet address, which is unique to each computer. (A computer's Ethernet address, or Ethernet ID, is also called its MAC address.) You can browse for a computer, and Workgroup Manager will enter the Ethernet address and computer name for you. A client computer uses this data to look up preference information when a user logs in.
Note: For Windows computer lists, you need to know the NetBIOS name of each Windows client computer. Type this name in the Windows computer name field. You do not need to know the Ethernet address of Windows client computers.
When a client computer starts up, directory services check whether a computer list contains that computer's Ethernet address and use the preference information from that computer list. If no such record exists, the client computer uses the preference information from the Guest Computers list.
To modify computer lists or computer list preferences, you need domain administration privileges. You can have administration privileges for all computer lists or for only some of them. For more information on assigning administration privileges, see Chapter 4, “Setting Up User Accounts”.
Special-Purpose Computer Lists
By default, Workgroup Manager uses a set of preexisting computer lists, each dedicated to a special purpose. These lists are:
• Guest Computers: Computers that are not in any list are automatically added to the Guest Computers list. You can have guest computers inherit preferences or define the preferences individually.
• Windows Computers: The Windows Computers list is created automatically in the server's local directory and in the LDAP directory of an Open Directory master or replica. Administrators can neither create nor delete a Windows Computers list. For information and instructions on managing the Windows Computers list and on setting up Mac OS X Server as a primary or backup domain controller (PDC or BDC).
• All Computers: This list contains all computer records, whether or not they are already in a list. Computers that are already in any other list are also in this list. This list serves as a convenient reference location.

Creating a Computer List
A computer list is a group of computers that have the same preference settings and are available to the same users and groups. You can use a computer list to assign the same privileges and preferences to several computers. You can add up to 2,000 computers to a computer list. A computer cannot be in more than one list, and you cannot add computers to the Guest Computers list.

To set up a computer list:
1 In Workgroup Manager, click Accounts.
2 Click the globe above the accounts list and choose the directory domain where you want to store the new computer list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 Choose Server > New Computer List (or click New Computer List in the toolbar), then type a name for the computer list.
6 To use a preset, choose one from the Presets pop-up menu.
7 To add a computer to the list, click the Add (+) button, then type the computer's Ethernet address and name. Or click the Browse (…) button, then choose a computer. Workgroup Manager will then enter the Ethernet address and computer name for you.
The computer's address must be its unique built-in Ethernet address, even if the client connects to the network over AirPort. (A computer's Ethernet address, or Ethernet ID, is also called its MAC address.) If you add a computer manually, be sure to use the built-in Ethernet address for each client.
8 Add a comment (optional).
Comments are useful for adding information about a computer's location, its configuration (for example, a computer set up for a person with special needs), or the peripherals connected to it. You can also use comments to add identifying information, such as the computer's model or serial number.
9 Continue adding computers until the list is complete.
10 Enter the required information in the Access and Cache panes.
11 Save the computer list.
Once you have set up a computer list, you can manage its preferences if you wish.
For more information on using managed preferences, see “Defining Preferences” on page 145 and Chapter 9, “Managing Preferences”.

Creating a Preset for Computer Lists
You can select settings for a computer list and save them as a preset. Presets work like templates: they let you apply preselected settings and information to a new computer list. With presets, you can easily set up several computers in a similar way.
Presets can be used only to create computer lists. You cannot use presets to modify existing computer lists. The settings in the List pane are specific to individual computer lists and do not apply to presets.

To set up a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the globe above the accounts list and choose the directory domain where you want to create a computer list using presets.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 To create an entirely new preset, first create a computer list by clicking New Computer List. To create a preset from the data in an existing computer list, select that list (on the left).
6 Enter the required information in the Access and Cache panes.
7 In the Presets pop-up menu, choose Save Preset.
Once the preset is created, you can no longer change its settings, but you can delete or rename it.
To change a preset's name, select the preset in the Presets pop-up menu, then click Rename Preset. To delete a preset, select it in the Presets pop-up menu, then click Delete Preset.

Using a Computer List Preset
When you create a new computer list, you can select any preset from the Presets pop-up menu to apply initial settings. You can still modify the computer list's settings before saving the list. Once the computer list is saved, you can no longer use the Presets menu for that list (for example, to switch to a different preset).

To use a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the globe above the accounts list and choose the directory domain where you want to store the new computer list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 In the Presets pop-up menu, choose a preset.
6 Create a new list (click New Computer List).
7 Add or update the settings as needed, then save the list.

Adding Computers to an Existing Computer List
It is easy to add several computers to an existing list. You cannot, however, add computers to the Guest Computers list, because it is predefined to contain all computers that are not in any other computer list.

To add computers to a list:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the globe above the toolbar, choose the directory domain that contains the list, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 Click List.
5 To use a preset, choose one from the Presets pop-up menu.
6 Click the Add (+) button and enter the required information. Or click the Browse (…) button, then select the computer you want. Workgroup Manager will then enter the Ethernet address and computer name for you.
The computer's address must be its built-in Ethernet address, which is unique to each computer. (A computer's Ethernet address, or Ethernet ID, is also called its MAC address.)
7 Add a comment (optional).
Comments are useful for adding extra information about a computer's location, its configuration (for example, a computer set up for a person with special needs), or the peripherals connected to it. You can also use comments to add identifying information, such as the computer's model or serial number.
8 Click Save.
9 Add computers and information until your list is complete.

Modifying Information About a Computer
Once you have added a computer to a computer list, you can modify its information whenever necessary.

To modify computer information:
1 In Workgroup Manager, click Accounts.
2 Select the list that contains the computer.
To select the list, click the globe above the toolbar, choose the directory domain that contains the computer to modify, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 In the List pane, select the computer whose information you want to modify, then click the Edit (pencil) button. Or double-click a computer's address, description, or comment in the list to edit the information directly in the list.
5 Modify the information as needed, then click Save.

Moving a Computer to a Different Computer List
You may sometimes need to group computers differently. It is easy to move computers from one list to another.
Note: A computer can be in only one list. You cannot add computers to the Guest Computers list.

To move a computer from one list to another:
1 In Workgroup Manager, click Accounts.
2 Select the list that contains the computer.
To select the list, click the globe above the toolbar, choose the directory domain that contains the computer list to modify, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 In the List pane, select the computer to move, then click the Edit (pencil) button.
5 Select a list from the “Move to list” pop-up menu, then click OK.
6 Click Save.

Removing Computers from a Computer List
Once you remove a computer from a computer list, it is managed through the Guest Computers list.
To remove a computer from a list:
1 In Workgroup Manager, click Accounts.
2 Select the list that contains the computer.
To select the list, click the globe above the toolbar, choose the directory domain that contains the computer list to modify, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 In the List pane, select one or more computers.
5 Click the Delete (–) button, then click Save.

Deleting a Computer List
If you no longer need the computers in a computer list, you can delete the entire list. You cannot delete the Guest Computers list or the Windows Computers list.

To delete a computer list:
1 In Workgroup Manager, click Accounts.
2 Select the list.
To select the list, click the globe above the toolbar, choose the directory domain that contains the computer list to delete, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 Choose Server > Delete Selected Computer List, or click Delete in the toolbar.
Warning: This action cannot be undone.

Searching for Computer Lists
Workgroup Manager has a search feature that lets you quickly locate specific computer lists. You can search within a selected domain and filter the results.

To search for a computer list:
1 In Workgroup Manager, click Accounts, click the Computer Lists button (on the left), then click List (on the right).
2 To narrow your search, click the globe above the accounts list and choose a directory domain:
Local: Search for computer lists in the local directory domain.
Search Path: Search for computer lists in all directories in the server's search path (for example, monserveur.mondomaine.com).
Other: Browse for and select the directory domain in which to search for computer lists.
3 To authenticate, click the lock.
4 You can select an additional filter from the pop-up menu next to the search field.
5 Type search terms in the search field.

Managing Guest Computers
Any unknown computer (that is, one not in any computer list) that connects to your network and tries to access services is treated as a “guest” computer. The settings defined for the Guest Computers list apply to these unknown or “guest” computers.
A Guest Computers list is created automatically for a server's local directory domain. If the server is an Open Directory master or replica, a Guest Computers list is also created for its LDAP directory domain.
The Guest Computers list is not recommended for managing a large number of computers; most computers should be in regular computer lists.
Note: You cannot add computers to the Guest Computers list, move computers to it, or change the list's name.

To set up a guest computers list:
1 In Workgroup Manager, click Accounts.
2 Click the globe above the accounts list and choose the directory domain that contains the Guest Computers list you want to modify.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then select Guest Computers in the list.
5 Click List (on the right), then select a preferences setting.
To set managed preferences, select "Define guest computer preferences here." If you select this option, click Save and continue with the next step.
To have guest computers use the same managed preference settings as the parent server (a server whose LDAP directory or shared NetInfo directory is listed in the search policy of the server you are configuring), select "Inherit preferences for guest computers." If you select this option, click Save; the next step is not needed.
Note: You must either create unique computer account lists or have set up guest computers to define preferences in the search path. Otherwise, management settings are not cached on the local computer, and client systems may stop being managed once they are disconnected from the network.
6 If you selected Define, click Access and select the settings you want to use. Click Cache, set how often the preferences cache is cleared, then click Save.
Once the Guest Computers list is set up, you can manage whatever preferences you want for that list. For more information about working with managed preferences, see "Defining Preferences" on page 145 and Chapter 9, "Managing Preferences."
If you select no settings or preferences for the Guest Computers list, it is not managed. However, if a computer's user has a Mac OS X Server user account with managed user or group preferences, those settings apply when the person logs in with that user account. If the user has an administrator account in the client computer's local directory, the user can choose not to be managed at login. Unmanaged users can use the Go to Folder command to reach a home directory located on the network.

Working With Access Settings
The settings in the Access pane let you make the computers in a list available to users in groups. You can either allow only certain groups to use the computers in a list, or allow all groups (and therefore all users) to use them. You can also control some aspects of local user access.

Restricting Access to Computers
You can reserve certain computers for specific users. For example, if two computers have video-editing hardware and software, you can reserve them for the users who do video production. First create a computer list containing those computers, make sure the users have user accounts, add the users to a group named, for example, "Video Production," and restrict access to the Video Production computer list to that group.
Note: Any user with an administrator account in a client computer's local directory can still log in, regardless of this restriction.
To reserve a set of computers for certain groups:
1 In Workgroup Manager, click Accounts.
2 Select the computer list. To select the list, click the globe above the toolbar, choose the directory domain that contains the computer list, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 In the List pane, enter computer records with their Ethernet IDs. The Ethernet ID identifies a computer but does not authenticate it, so list membership on its own is a management boundary rather than an access control.
You can use lists to restrict login to certain computers. You can also use the network views feature to do this with more flexibility (see Chapter 10).
5 Click Access.
6 Select "Restrict to groups below."
7 Click the Add (+) button, select one or more groups in the drawer, and drag them to the list in the Access pane. To remove an allowed group, select it and click the Remove (-) button.
8 Click Save.
In the login window, only users in the allowed group or groups are listed or able to log in.

Making Computers Available to All Users
You can make the computers in a list available to any user from any of the groups you have defined.
To make computers available to all users:
1 In Workgroup Manager, click Accounts.
2 Select the computer list. To select the list, click the globe above the toolbar, choose the directory domain that contains the computer list, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 Click the Computer Lists button, then select one or more computer lists.
5 In the List pane, check the computer records you want, or enter one if none exist yet.
6 Click the Access pane.
7 Select "All groups can use the computer" and "Allow computer administrators to disable management."
8 Click the Cache pane and make sure the preferences cache refresh setting is an appropriate interval. Do not set the cache refresh to 0; if you do, the cache cannot be created and the computers stop being managed once they are disconnected from the network.
9 Click Save.

Working With Local User Accounts
A local user account is a user account defined in the local directory domain of a client computer. Local accounts are useful for both desktop and portable computers, whether used by one person or several. Anyone with a local administrator account on a client computer can create local user accounts in the Accounts pane of System Preferences. Local users are authenticated locally.
If you plan to give portable computers (iBooks, for example) to several people, you can make each user the local administrator of the computer he or she has. A local administrator has broader permissions than a local or network user. For example, a local administrator can add printers, change network settings, or choose not to be managed.
The simplest way to manage preferences for a particular computer's local users is to manage the preferences of the computer list the computer belongs to, and to make sure you allow users who have only local accounts to use the computers in that list.
To allow access for users with local accounts:
1 In Workgroup Manager, click Accounts.
2 Select a computer list that covers computers with local users. To select a list, click the globe above the toolbar, choose the directory domain that contains the computer list, click the Computer Lists button, then select the list.
3 To authenticate, click the lock.
4 Click Access.
5 Select "Restrict to groups below" to determine which workgroups are shown when a local user logs in.
Local user accounts cannot be set to restrict access to specific workgroups. If you have created workgroups that should be limited to specific accounts, create a computer account list that contains only the workgroups that share common access.
To show the list of available workgroups when a user logs in, select "All groups can use the computer." To show only certain workgroups (for non-local accounts), select "Restrict to groups below," then drag groups from the drawer to the list in the Access pane.
6 Make sure "Allow users with local-only accounts" is selected.
7 Click Save.
Chapter 7
Setting Up Home Directories
Mac OS X uses the home directory, a folder reserved for the exclusive use of one user, to store system preferences and managed settings. This chapter describes the general principles of setting up and managing home directories.

About Home Directories
You can set up home directories so they are accessed using either the Apple Filing Protocol (AFP) or the Network File System (NFS):
• AFP is preferable because it provides authentication-based access security. A user must log in with a valid name and password to access files.
• NFS file access is based on client IP addresses rather than on user authentication, so it is generally less secure than AFP: an NFS export trusts the address of the client and the numeric user ID the client presents, so anyone who controls a host at an allowed address can read any home directory on the export. Use NFS only if you need to provide home directories for many users working on UNIX workstations.
To set up a user's home directory in Workgroup Manager, use the Home pane of the Accounts window. You can also import user home directory settings from a file. For information about working with import files, see "Importing and Exporting Account Information."
A user's home directory does not have to be stored on the same server as the directory domain that contains the user's account. In fact, distributing directory domains and home directories across several servers can help balance the workload among them. "Distributing Home Directories Across Multiple Servers" on page 129 describes several such scenarios.
The home directory you designate in the Home pane can be used when logging in from a Windows workstation or from a Mac OS X computer. This is convenient for users whose accounts reside on a server that acts as a Windows primary domain controller. See the Windows services administration guide for information about setting up home directories for Windows workstation users.

The maximum path length of 89 characters for home directories and other automountable share points is reduced by a number of characters that varies with the version of Mac OS X on the clients:
• 10.2 - 10.2.8: 24 characters reserved (89 - 24) = 65 characters max.
• 10.3 - 10.3.4: 38 characters reserved (89 - 38) = 51 characters max.
• 10.3.5 and later 10.3 versions: 24 characters reserved (89 - 24) = 65 characters max.
• 10.4 Tiger: 16 characters reserved (89 - 16) = 73 characters max.
For more information, see the Apple Service & Support article "Avoid Spaces and Long Names in Network Home Directory Name, Path" at docs.info.apple.com/article.html?artnum=107695.

Avoid Spaces and Long Names in Network Home Directory Paths
If the client's absolute path to the network home directory on the server contains spaces or more than 89 characters, some kinds of clients cannot log in. For example, a client using automounting with an LDAP-based AFP home directory will probably be unable to reach its home directory. To fix or avoid the problem, make sure the full path to the network home directory contains no spaces and is no longer than 89 characters. Each slash (/) counts as a character.
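The per-version limits above are easy to get wrong by hand, so the following shell script is an added example (not part of the Apple guide) that builds the client-side path in the /Network/Servers/<host>/<share point>/<path> form this chapter uses for custom home directories, then checks it against the reserved-character table and the no-spaces rule for a given client version. The host name myServer, the share point Homes and the user path Teachers/SecondGrade/Smith in the demo are made-up sample values.

```shell
#!/bin/sh
# Added example: validate a network home directory path against the
# 89-character limit and the per-client reserved characters listed in
# the Mac OS X Server user management guide. Not Apple's own code.

# Characters reserved by the client, by Mac OS X version (89 minus the
# usable maximum from the table: 24 for 10.2.x, 38 for 10.3-10.3.4,
# 24 for 10.3.5 and later 10.3, 16 for 10.4). Unknown versions fail.
overhead_for_client() {
  case "$1" in
    10.2|10.2.*)     echo 24 ;;
    10.3|10.3.[0-4]) echo 38 ;;
    10.3.*)          echo 24 ;;
    10.4|10.4.*)     echo 16 ;;
    *)               return 1 ;;
  esac
}

# Compose the client-side path for a user in a shared directory domain:
#   home_path <server host name> <share point> <path under share point>
# e.g. home_path myServer Homes Teachers/SecondGrade/Smith
#   -> /Network/Servers/myServer/Homes/Teachers/SecondGrade/Smith
home_path() {
  echo "/Network/Servers/$1/$2/$3"
}

# Return 0 if the path is usable by the given client version, 1 if it
# contains a space or exceeds that version's limit, 2 for an unknown version.
check_home_path() {
  path=$1
  client=$2
  case "$path" in
    *" "*) echo "reject: path contains a space" >&2; return 1 ;;
  esac
  ov=$(overhead_for_client "$client") || {
    echo "unknown client version: $client" >&2
    return 2
  }
  max=$((89 - ov))
  len=${#path}
  if [ "$len" -gt "$max" ]; then
    echo "reject: $len characters, but $client allows at most $max" >&2
    return 1
  fi
  return 0
}

# Demo with made-up values: the same 58-character path is fine on 10.2,
# 10.3.5+ and 10.4 but too long for a 10.3.0-10.3.4 client.
demo=$(home_path myServer Homes Teachers/SecondGrade/Smith)
for v in 10.2.8 10.3.4 10.3.9 10.4; do
  if check_home_path "$demo" "$v" 2>/dev/null; then
    echo "$v: ok   $demo"
  else
    echo "$v: too long"
  fi
done
```

Run the check against the path you intend to type into the Home field before creating the account; the same limit applies to the share point name and every folder between it and the home directory, so renaming a single long intermediate folder is often enough to bring an old client back under its limit. On the server, `dscl /LDAPv3/127.0.0.1 -read /Users/smith HomeDirectory NFSHomeDirectory` shows what Workgroup Manager stored for an account (the node and user name here are assumptions).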
Distributing Home Directories Across Multiple Servers
The illustration below shows one Mac OS X Server used to store user accounts and two others used to store AFP home directories. When a user logs in, the user is authenticated against an account stored in the shared directory domain on the accounts server. The home directory location stored in the account is then used to mount the home directory, which physically resides on one of the two home directory servers.
[Figure: Mac OS X Servers; home directories A to M; home directories N to Z; user accounts]
The steps below set up this scenario for AFP home directories:
Step 1: Create a shared domain for user accounts on the accounts server.
A shared LDAP directory domain is created by setting up an Open Directory master, following the instructions in the Open Directory administration guide.
Step 2: Set up an automountable share point for home directories on each server.
For instructions on setting up automountable share points, see "Setting Up an Automountable AFP Share Point for Home Directories" on page 137.
Step 3: Create the user accounts in the shared domain on the accounts server.
This chapter goes on to describe how to set up the accounts so that the home directories are stored in one or the other of the automountable share points.
See "Creating Mac OS X Server User Accounts" on page 67 for how to set up user account attributes, and the later sections of this chapter for the specifics of setting up home directories.
Step 4: Set up the directory services of the client computers so that their search policy includes the shared directory domain on the accounts server.
See the Open Directory administration guide for information about setting up search policies.
When a user restarts the computer and logs in using the account in the shared domain, the home directory is created automatically (if it does not already exist) on the appropriate server and is visible on the user's computer.
Note: Home directories are created automatically at a user's first login only on share points served by an AFP server. NFS home directories must be created manually.

Specifying No Home Directory
You can use Workgroup Manager to remove the home directory from a user account that has one. By default, new users have no home directory.
To specify no home directory:
1 In Workgroup Manager, click Accounts.
2 Open the directory domain in which the user account resides and authenticate as a domain administrator. To open a directory domain, click the globe above the accounts list, then choose from the pop-up menu. To authenticate, click the lock.
3 Click the Users button, then select one or more user accounts.
4 Click Home, then select (None) in the list.
5 Click Save.
Creating a Home Directory for a Local User on a Server
You can use Workgroup Manager to define home directories for users whose accounts are stored in a server's local directory domain. You can also use local user accounts on standalone servers (ones not reachable from a network) and administrator accounts on a server. These accounts are intended for users who log in directly on the server; they are not intended for network users.
Local users' home directories must be stored in AFP share points on the server where their accounts reside. These share points do not need to be automountable (no network mount record is required).
To create a home directory for a local user account:
1 Make sure a share point for the home directory exists on the server where the local user account resides. You can use the predefined /Users share point or any other AFP share point already defined on the server, or you can set up your own. To use an existing share point, skip to step 4. To define a new share point, continue with steps 2 and 3.
Because of how home directory disk quotas work, you may want to put home directory share points on a different partition from other share points. For more information, see "Setting Disk Quotas" on page 140.
2 Using the Finder, create the folder you want to use as the share point, if it does not already exist.
3 In Workgroup Manager, connect to the server where the local user account resides, then click Sharing to set up the folder as an AFP share point. Click All (at the left, above the list), then select the folder. Click General and select "Share this item and its contents." Specify the share point's owner and group by typing their names in the fields or by dragging names from the drawer that opens when you click Users & Groups. Set the Owner permissions to Read & Write and the Group and Everyone permissions to Read Only. Click Save.
4 In Workgroup Manager, click Accounts, then select the user account you want to work with. To select a local user account, click the globe above the accounts list, open the local directory domain, click the Users button, then select the user in the list.
5 Click the lock and authenticate as an administrator of the local directory domain.
6 Click Home to set up the selected user's home directory.
7 In the share points list, select the one you want to use. The list shows all AFP share points on the server you are connected to.
8 Enter a disk quota and specify whether it is in megabytes (MB) or gigabytes (GB) (optional).
9 Click Create Home, then click Save. If you do not click Create Home before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely.
However, only certain clients can log in to servers that host share points in the local domain. For instructions on setting up a share point for Mac OS X clients, see "Creating a Network Home Directory" on page 133.
The home directory's name is the same as the user's first short name.
10 Make sure AFP service is running on the server where the local user's home directory resides. To check the status of AFP service, open Server Admin and connect to the server where the local user account resides. Select AFP in the Computers & Services list, then click Overview. If the status shows that AFP service is stopped, choose Server > Start Service or click Start Service in the toolbar.

Creating a Network Home Directory
In Workgroup Manager, you can set up a network home directory for a user account stored in a shared directory domain. A user's home directory can reside in any AFP or NFS share point that the user's computer can access. The share point must be automountable. An automountable share point ensures that the home directory is automatically visible in /Network/Servers when the user logs in to a Mac OS X computer set up to access the shared domain. It also lets other users reach the home directory using the ~home-directory-name shortcut.
You can use Workgroup Manager to define a network home directory for a user whose account is stored in the LDAP directory of an Open Directory master or in another read/write directory domain accessible from the server you are using. You can also use Workgroup Manager to view home directory information in any read-only directory domain.
To create a network home directory in an AFP or NFS share point:
1 Make sure the share point exists on the server where you want the home directory to reside and that it has a network mount record configured for home directories. For instructions, see "Setting Up an Automountable AFP Share Point for Home Directories" on page 137 or "Setting Up an Automountable NFS or SMB Share Point for Home Directories" on page 138.
2 In Workgroup Manager, click Accounts, then select the user account you want to work with. To select an account, connect to the server where it resides. Click the globe above the accounts list, then open the directory domain where the user account resides. Click the Users button, then select the user in the users list.
3 To authenticate, click the lock.
4 Click Home to set up the selected user's home directory.
5 In the share points list, select the one you want to use.
The list shows all automountable share points visible on the network within the search path of the server you are connected to. If the share point you want is not listed, click Refresh. If it still does not appear, it may not be automountable; in that case, set up a share point with a network mount record configured for home directories, as described in step 1.
6 Enter a disk quota and specify whether it is in megabytes (MB) or gigabytes (GB) (optional).
7 Click Create Home, then click Save. If you do not click Create Home before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely. The home directory's name is the same as the user's first short name.
8 Make sure the user restarts the client computer so that the share point becomes visible on it.
Note that when a user logs in with SSH to get command-line access to the server, the home directory is not mounted and the user can reach it only as a guest.
If you want to choose the share point in which the user's home directory is stored and how it is named, click the Add (+) or Duplicate (copy icon) button to create a custom home directory. For instructions, see "Creating a Custom Home Directory."

Creating a Custom Home Directory
In Workgroup Manager, you can customize a user's home directory settings.
Customizing is needed when:
• You want the user's home directory to reside in folders that are not immediately under the home directory share point. For example, you can organize home directories into several subfolders within a share point: if Homes is the home directory share point, you can put teachers' home directories under Homes/Teachers and students' under Homes/Students.
• You want a home directory name that differs from the user's first short name.
You can use Workgroup Manager to define a custom home directory for a user whose account is stored in a server's local directory domain or in a shared directory domain accessible from the server you are using. The shared directory domain can be the LDAP directory of an Open Directory master or another read/write directory domain. You can also use Workgroup Manager to view home directory information in any read-only directory domain.
To create a custom home directory using Workgroup Manager:
1 Make sure the share point exists and is set up correctly. The share point for a local user's home directory must be an AFP share point on the server where the user's account resides. It does not need to be automountable (no network mount record is required).
The share point for the home directory of a user account in a shared directory domain can be an AFP or NFS share point, as long as the user's computer can access it. The share point must be automountable, that is, there must be a network mount record for it in the directory. For instructions, see "Setting Up an Automountable AFP Share Point for Home Directories" on page 137 or "Setting Up an Automountable NFS or SMB Share Point for Home Directories" on page 138.
2 If you want the home directory to be inside a folder within the share point, use the Finder to create every folder needed in the path between the share point and the home directory's location.
3 In Workgroup Manager, click Accounts, then select the user account you want to work with. To select an account, connect to the server where it resides. Click the globe above the accounts list, then open the directory domain where the user account resides. Click the Users button, then select the user.
4 To authenticate, click the lock.
5 Click Home to set up the selected user's home directory.
6 Click the Add (+) button to add a custom home directory, or Duplicate (copy icon) to copy an existing custom home directory. You can delete a home directory location by selecting it and clicking the Remove (-) button. Only locations added with the Add or Duplicate button can be deleted.
7 In the URL field, either enter the full URL of an existing automountable AFP share point in which you want the home directory stored, or leave the field empty for an NFS share point. For example, if the AFP share point is Homes and you use DNS, you can enter AFP://serveur.exemple.com/Homes. If you do not use DNS, replace the DNS name of the server hosting the home directory with its IP address: AFP://192.168.2.1/Homes. You can include or omit the trailing slash (/).
8 In the Path field, either enter the path from the AFP share point to the home directory, including the home directory but excluding the share point, or leave the field empty for an NFS share point. For example, you might enter Teachers/SecondGrade/Smith. Do not put a slash (/) at the beginning or end of the path.
9 In the Home field, enter the full path to the home directory, ending with the home directory itself. Put a slash (/) at the beginning but not at the end.
Example for a local user account: /Users/Teachers/SecondGrade/Smith
Example for a user account in a shared directory domain: /Network/Servers/myServer/Homes/Teachers/SecondGrade/Smith
The name entered after /Network/Servers/ must be the host name entered during the server's initial setup. If you do not know it, open Terminal, type hostname, and press Return to display the name.
10 Click OK.
11 Enter a disk quota and specify whether it is in megabytes (MB) or gigabytes (GB) (optional).
12 Click Create Home, then click Save. The home directory's name is the one specified in step 8.
If you don't click Create Home Now before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely.
Note: Home directories are created automatically at a user's first login only on share points served by an AFP server. NFS home directories must be created manually.
13 For a user account in a shared directory domain, make sure the user restarts the client computer so that the share point becomes visible on it.
Setting Up an Automountable AFP Share Point for Home Directories
You can use Workgroup Manager to set up AFP share points for home directories. Home directories of user accounts stored in shared directory domains, such as the LDAP directory of an Open Directory master, can reside in any AFP share point the user's computer can access. The share point must be automountable, meaning there must be a network mount record for it in the directory domain where the user account resides.
An automountable share point ensures that the home directory is automatically visible in /Network/Servers when the user logs in to a Mac OS X computer configured to access the shared domain. It also lets other users reach the home directory with the ~home-directory-name shortcut.
To set up an automountable AFP share point for home directories:
1 On the server where you want the home directories to reside, create a folder to serve as the share point for those home directories.
Because home directory disk quotas apply to a whole partition, you may want to set up home directory share points on a different partition from the other share points. For details, see "Setting Disk Quotas" on page 140.
2 In Workgroup Manager, connect to the server from step 1, then click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 In the General pane, select "Share this item and its contents".
5 Specify the share point's owner and group by typing their names in the corresponding fields, or by dragging the names from the list that opens when you click Users & Groups.
6 Set the owner's permissions to Read & Write and the group and everyone permissions to Read Only, then click Save.
7 Click Network Mount, and authenticate as an administrator of the directory domain where the user account resides.
Use the Where pop-up menu to choose the directory domain where the user account resides. Then click the lock and authenticate as an administrator of that directory domain.
8 Select "Create a mount record for this share point" and "Use for user home directories".
9 Make sure the Protocol pop-up menu is set to AFP, then click Save.
10 Set up the share point for guest access, so that users whose home directories are on different servers can reach the home directory with the ~home-directory-name/Public shortcut.
Click Protocols, choose Apple File Settings from the pop-up menu, and make sure "Share this item using AFP" and "Allow AFP guest access" are selected. (Both are selected by default.)
In Server Admin, make sure AFP guest access is enabled. Connect to the home directory server and select AFP in the Computers & Services list. Click Settings, then Access, and make sure "Enable guest access" is selected. Also check that the AFP service is running.
Guest access exposes everything the everyone permissions allow, to anyone who can reach the server, so keep the everyone permissions on the share point set to Read Only as in step 6.
Setting Up an Automountable NFS or SMB Share Point for Home Directories
Although AFP is the preferred protocol for home directory access because of the level of security it offers, you can use Workgroup Manager to set up a network NFS share point for home directories. NFS as exported here only identifies the client computer by its address and trusts the user ID the client presents, which is why the steps below restrict the export to listed clients and map root to nobody. NFS or SMB share points can be used for home directories of users defined in shared directory domains, such as the LDAP directory of an Open Directory master. The share point must be automountable, meaning there must be a network mount record for it in the directory domain where the user account resides.
An automountable share point ensures that the home directory is automatically visible in /Network/Servers when the user logs in to a Mac OS X computer configured to access the shared domain. It also lets other users reach the home directory with the ~home-directory-name shortcut.
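The URL, Path and Home fields of the home directory procedure above are typed by hand, and a home that never mounts at login is usually a mismatch between them. The following is an added example, not code from the guide or from Workgroup Manager: it checks the three fields against the rules in steps 7 to 9 (including a traversal check the guide does not mention), rebuilds the expected Home path for a shared-domain account, and renders the NFS export restriction of step 10 of the NFS procedure. The HomeRecord layout, host names, addresses and paths are constructed; the exports(5)-style line is an assumed text-form equivalent of the export settings, not what Workgroup Manager writes.

```python
"""Validate and assemble the home-directory fields Workgroup Manager asks
for (URL, Path, Home) for AFP and NFS home share points.

Added example, not code from the Mac OS X Server guide.  HomeRecord, the
host names, addresses and paths are constructed for illustration; the
exports(5)-style line is an assumed equivalent of the NFS export settings.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath

# Automounted home share points appear to clients under this path.
NETWORK_SERVERS = "/Network/Servers"


class HomeRecordError(ValueError):
    """Raised when a field breaks one of the rules in steps 7 to 9."""


@dataclass(frozen=True)
class HomeRecord:
    url: str   # full URL of the automountable AFP share point; "" for NFS
    path: str  # path from the share point to the home directory; "" for NFS
    home: str  # full path of the home directory as the client sees it


def check_relative_path(rel: str) -> list:
    """Step 8: no leading or trailing slash.  Empty, '.' and '..' components
    are rejected too, so the home cannot escape the share point."""
    if rel == "" or rel != rel.strip("/"):
        raise HomeRecordError(f"path must not begin or end with '/': {rel!r}")
    parts = rel.split("/")
    for part in parts:
        if part in ("", ".", ".."):
            raise HomeRecordError(f"unsafe path component {part!r} in {rel!r}")
    return parts


def check_home_path(home: str) -> str:
    """Step 9: leading slash, no trailing slash, no '..' components."""
    if not home.startswith("/") or (len(home) > 1 and home.endswith("/")):
        raise HomeRecordError(f"home must start with '/' and not end with it: {home!r}")
    check_relative_path(home.lstrip("/"))
    return home


def parse_afp_url(url: str) -> tuple:
    """Step 7: 'AFP://host/Share' with an optional trailing slash.
    Returns (host, share_name)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "afp" or not parts.hostname:
        raise HomeRecordError(f"expected AFP://host/share, got {url!r}")
    share = parts.path.strip("/")
    if not share or "/" in share:
        raise HomeRecordError(f"URL must name exactly one share point: {url!r}")
    return parts.hostname, share


def afp_home_record(url: str, path: str, server_hostname: str) -> HomeRecord:
    """Record for an account in a shared directory domain.  server_hostname
    is the name given at server setup (what `hostname` prints there), which
    need not equal the DNS name or address used in the URL."""
    _host, share = parse_afp_url(url)
    check_relative_path(server_hostname)
    parts = check_relative_path(path)
    home = posixpath.join(NETWORK_SERVERS, server_hostname, share, *parts)
    return HomeRecord(url=url, path=path, home=home)


def nfs_home_record(home: str) -> HomeRecord:
    """NFS share points: URL and Path stay empty; only Home is entered."""
    return HomeRecord(url="", path="", home=check_home_path(home))


def home_fields_agree(url: str, path: str, home: str, server_hostname: str) -> bool:
    """True when a hand-typed Home field matches the URL and Path fields."""
    try:
        expected = afp_home_record(url, path, server_hostname).home
        return check_home_path(home) == expected
    except HomeRecordError:
        return False


def nfs_export_line(share_path: str, clients: list, map_root: str = "nobody") -> str:
    """exports(5)-style line for step 10 of the NFS procedure: export only to
    the listed clients and map root to nobody.  Assumed text-form equivalent
    of the Workgroup Manager settings, not the file it actually writes."""
    if not clients:
        raise HomeRecordError("an NFS home export must list its client computers")
    return " ".join([check_home_path(share_path), f"-maproot={map_root}", *clients])


def validation_error(func, *args) -> str:
    """Return the HomeRecordError message func(*args) raises, or ""."""
    try:
        func(*args)
    except HomeRecordError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    rec = afp_home_record("AFP://serveur.exemple.com/Homes", "Teachers/SecondGrade/Smith", "myServer")
    print(rec.home)
    print(nfs_export_line("/Volumes/Homes", ["192.168.2.10", "lab-01.example.com"]))
```

The traversal check matters because the Path field is concatenated under the share point: a value such as Teachers/../etc would place the Home outside the folder you exported and set permissions on.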
To set up an automountable NFS or SMB share point for home directories:
1 On the server where you want the home directories to reside, create a folder to serve as the share point for those home directories.
Because home directory disk quotas apply to a whole partition, you may want to set up home directory share points on a different partition from the other share points. For details, see "Setting Disk Quotas" on page 140.
2 In Workgroup Manager, connect to the server from step 1, then click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 Click General and select "Share this item and its contents".
5 Specify the share point's owner and group by typing their names in the corresponding fields, or by dragging the names from the list that opens when you click Users & Groups.
6 Set the owner's permissions to Read & Write and the group and everyone permissions to Read Only, then click Save.
7 Click Protocols, then choose NFS Export Settings or SMB settings from the pop-up menu.
8 Select "Export this item and its contents to" and make sure Client is chosen in the pop-up menu below it.
9 Add the client computers you want to allow to access the share point. Click Add and enter the IP address or host name of the client you want to add to the computer list. Click Remove to remove the selected address from the list.
10 Set the share point's permissions. Select "Map Root User to Nobody" and deselect the remaining checkboxes. Mapping root to nobody means that a root user on a client computer gets no special privileges over the exported home directories.
11 Click Network Mount, and authenticate as an administrator of the directory domain where the user account resides.
Use the Where pop-up menu to choose the directory domain where the user account resides. Then click the lock and authenticate as an administrator of that directory domain.
12 Select "Create a mount record for this share point" and "Use for user home directories".
13 Choose NFS or SMB from the Protocol pop-up menu, then click Save.
Setting Disk Quotas
You can limit the disk space a user can use to store files they own on the partition where their home directory resides. The quota does not apply to the home directory share point or to the home directory itself, but to the whole partition on which the share point and the home directory reside. Because of this, when a user places files in another user's folder, it can affect that user's disk quota:
• When you copy a file into a user's AFP drop box, the owner of the drop box becomes the owner of the file, so the copy counts against the drop box owner's quota rather than yours.
• In NFS, however, when you copy a file into another folder you remain its owner, and the copy counts against your own disk quota on that partition.
To set up a disk quota for a home directory share point using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select an account, connect to the server where the account resides, click the globe above the accounts list, open the directory domain where the user account resides, click the Users button, then select the user.
3 Click the lock to authenticate.
4 Click Home.
5 Specify the disk quota using the quota field and the adjacent pop-up menu.
6 Make sure disk quotas are enabled on the volume where the share point resides.
7 Click Sharing, select the volume in the All list, then select "Enable disk quotas on this volume".
Setting Default Home Directories Using Presets
You can predefine the default home directory settings of new users with a preset. For information about defining and using presets, see "Using Presets to Create Accounts" on page 73.
Moving Home Directories
If you need to move a home directory, create a new one and copy the contents of the old one into it before deleting the old one.
Deleting Home Directories
When you delete a user account, the associated home directory is not deleted automatically. The administrator must delete the home folder manually by dragging it to the Trash. Until then the folder stays on disk under its original owner ID, and a new account later created with the same user ID would inherit access to it.
8 Overview of Client Management
This chapter introduces client management in Mac OS X. Client management is the centralized administration of your users' computing environment.
It is generally carried out by:
• managing access to network printers, to home directories residing on servers, to group directories, and to other folders;
• customizing the work environment of individual users, groups, and computers by defining preferences for user accounts, group accounts, and computer lists.
You can also take advantage of two additional client management options: installing and starting up client computers over the network (using NetBoot and Network Install) and day-to-day administration of computers (using Apple Remote Desktop). This chapter briefly describes each of these topics as they apply to users of Mac OS X computers.
[Figure: client management spans users and groups; applications, folders and files; printers and volumes; computers and desktops]
Using Network-Visible Resources
Mac OS X Server lets you make various resources visible on the network, so that users can access them from different computers and locations. Several important network-visible resources are:
• Network home directories. A home directory, often also called a home folder, is a place where each Mac OS X user can keep personal files. Users who have records in a shared Open Directory directory can have a network home directory, often located on the server where their user account resides. A home directory contains several folders, such as Desktop, Documents, and Public, to help organize information.
Once logged in, a user can reach the network home directory simply by clicking the home folder icon in the Finder.
• Group folders. When you set up a group account for network users, you can associate a group folder with the group. The group folder is a place where group members can exchange information electronically. By default a group folder contains three folders, Documents, Library, and Public, the last containing a Drop Box folder. Residing on the server for easy access over the network, the group folder can be shown in the Dock so that the user can reach it easily whenever they want to work on group activities.
• Other shared folders. You can set up other folders on the server to give users access to applications, internal documentation, announcements, calendars, and other information.
• Startup and install images. You can use startup and install images located on the server to automate the setup of network users' computers. A user's computer can start up from a startup image stored on the server. In fact, you can use the same computer for a science lab when it starts up from one image and for an English class when it starts up from another. Each time the lab computer restarts, the system reflects the original state of the selected startup image, whatever previous students did on the computer.
An install image automatically installs software on users' computers, which makes it very easy to deploy the operating system, additional applications, and even custom computer settings remotely and without user interaction.
Setting Preferences
A network user's work environment is managed by setting preferences, that is, settings that customize and control the user's computing environment.
The Preferences pane has two tabs: Overview and Details. The Overview tab manages the predefined system preferences, while the Details tab can be used to manage the preferences of any application or utility that behaves correctly in Mac OS X. The Overview tab is the same for users and groups; one additional item, Energy Saver, appears for computer lists.
Many factors, including the user's responsibilities and security concerns, determine the computing environment to present to a user. In some cases, informal usage guidelines may suffice. In other cases, it may be necessary to control computer use strictly, by defining and locking every system setting and controlling every application. The preferences you define should implement the system features that best meet the needs of your users and your organization.
The Power of Preferences
Many preferences, such as Dock and Finder preferences, are used to customize the appearance of desktops.
You can, for example, set Dock and Finder preferences so that the work environment is very simplified. Other preferences are used to manage what a user can access and control. You can, for example, set Media Access preferences to prevent users from burning CDs and DVDs or from making changes to a computer's internal disk.
Here is a summary of how preferences affect the appearance of the desktop and the activities a user can perform:

This preference      Customizes the work environment   Limits access and control   Lets you manage
Applications                                           x                           The applications a user can open
Classic              x                                                             Startup of the Classic environment
Dock                 x                                                             The appearance and contents of the Dock
Energy Saver         x                                                             Settings for startup, shutdown, wake, sleep, and performance
Finder               x                                x                           The appearance of desktop icons and Finder items
Internet             x                                                             Default email and web settings
Login                x                                                             The login environment
Media Access                                           x                           The ability to use recordable media
Mobility             x                                                             The creation of mobile accounts
Network              x                                x                           The proxy servers to use or bypass
Printing                                               x                           The printers a user can use
Software Update      x                                                             The server to use for software updates
System Preferences                                     x                           The system preferences enabled on the user's computer
Universal Access     x                                                             Hardware settings for users with special vision, hearing, or other needs

Levels of Control
You can define preferences for user accounts, group accounts, and computer lists that are defined in a shared directory domain. A user whose account has preferences is called a managed user. A computer assigned to a computer list for which preferences have been defined is called a managed computer. A group for which preferences have been defined is called a workgroup.
Energy Saver preferences and login window settings can be defined only for computer lists, but the other preferences can be defined for users, workgroups, and/or computer lists.
The illustration below shows how managed preferences interact when the same preferences are defined at several levels:
• Printing, Login, Applications, and some Dock preferences (the items that appear in the Dock) are combined. For example, if you define Printing preferences for users and for computers, a user's printer list contains the printers set up for the user and those set up for the computer they are using.
Note: Managed system preferences are said to be combined because the different settings defined in Workgroup Manager act collectively at login.
• Other preference settings defined at several levels can be overridden at login. When a user logs in to a managed computer and chooses a workgroup, user preferences override the redundant computer preferences, and computer preferences in turn override workgroup preferences.
Suppose, for example, that you want to prevent all students from using the recording devices attached to a university computer, except for the students who serve as assistants. You could set Media Access preferences for workgroups or computer lists to restrict access for all students, but override those restrictions for the assistants with Media Access settings defined at the level of their user accounts.
• Inherited preferences are preferences defined at only one level. Suppose you place the Dock on the left of the screen for workgroup A, at the bottom for the computer list containing computer 2, and on the right for user Alice. If Alice logs in to computer 2 and chooses workgroup A, the Dock appears on the right of her screen.
[Figure: preferences combined (G + C + U), overridden, and inherited across the group (G), computer (C), and user (U) levels]
Now suppose you decide to stop managing the Dock Display settings for Alice (you select Never in Alice's Dock Display pane). If Alice logs in to computer 2 and chooses workgroup A, the Dock appears at the bottom of the screen.
In some cases, it may be more convenient and useful to define certain preferences at only one level. You can, for example, define printer preferences only for computers, application preferences only for workgroups, and Dock preferences only for users. In that case there is no overriding or combining of preferences, and the user inherits the preferences without any competition between them.
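The three interactions above (combined, overridden, inherited) can be written down as a small resolver. The following is an added example, not code from the guide or from Workgroup Manager: given the preferences managed at the workgroup, computer and user levels it returns what is in effect at login, and labels each key with the interaction that produced it. The key names and the (state, value) layout are constructed for illustration; the states are the ones described under "Degrees of Permanence" below, where "never" means the level does not manage the key, "always" enforces it, and "once" only seeds a default that the user's own later choice replaces.

```python
"""Compute the preferences in effect at login from the workgroup, computer
and user levels: a few keys are combined across levels, the rest are
overridden (user beats computer, which beats workgroup), and a key managed
at a single level is simply inherited.

Added example, not code from the guide or from Workgroup Manager.  Key
names and the (state, value) layout are constructed for illustration.
"""

NEVER, ONCE, ALWAYS = "never", "once", "always"

# Keys the guide describes as combined rather than overridden.
MERGED_KEYS = {"printers", "login_items", "applications", "dock_items"}

# Lowest to highest precedence for overridden keys.
LEVEL_ORDER = ("workgroup", "computer", "user")


def _managing_levels(key, levels):
    """(state, value) pairs of the levels that manage `key`, lowest
    precedence first; a level set to 'never' does not manage the key."""
    return [levels[name][key] for name in LEVEL_ORDER
            if key in levels[name] and levels[name][key][0] != NEVER]


def resolve(workgroup, computer, user, user_saved=None):
    """Each level maps key -> (state, value).  user_saved maps key -> the
    value the user chose on the client after a once-managed default was
    applied.  Returns key -> effective value; keys managed nowhere are
    omitted because the user keeps control of them."""
    user_saved = user_saved or {}
    levels = {"workgroup": workgroup, "computer": computer, "user": user}
    keys = set().union(*(d.keys() for d in levels.values()))
    effective = {}
    for key in sorted(keys):
        managing = _managing_levels(key, levels)
        if not managing:
            continue
        if key in MERGED_KEYS:
            # Combined: every managing level contributes its items.
            combined = []
            for _state, items in managing:
                for item in items:
                    if item not in combined:
                        combined.append(item)
            effective[key] = combined
            continue
        # Overridden or inherited: the highest managing level decides.
        state, value = managing[-1]
        if state == ALWAYS:
            effective[key] = value
        elif state == ONCE:
            effective[key] = user_saved.get(key, value)
    return effective


def classify(workgroup, computer, user):
    """Label each managed key 'merged', 'overridden' (managed at more than
    one level) or 'inherited' (managed at exactly one level)."""
    levels = {"workgroup": workgroup, "computer": computer, "user": user}
    kinds = {}
    for key in set().union(*(d.keys() for d in levels.values())):
        count = len(_managing_levels(key, levels))
        if count == 0:
            continue
        if key in MERGED_KEYS:
            kinds[key] = "merged"
        else:
            kinds[key] = "overridden" if count > 1 else "inherited"
    return kinds


if __name__ == "__main__":
    # Constructed sample: workgroup A, the computer list holding computer 2,
    # and user Alice, as in the Dock example in the text.
    workgroup_a = {"dock_position": (ALWAYS, "left"),
                   "printers": (ALWAYS, ["lab-laser"]),
                   "media_burn_allowed": (ALWAYS, False)}
    computer_2 = {"dock_position": (ALWAYS, "bottom"),
                  "printers": (ALWAYS, ["room12-inkjet"])}
    alice = {"dock_position": (ALWAYS, "right"),
             "printers": (ALWAYS, ["alice-label"])}
    print(resolve(workgroup_a, computer_2, alice))
    print(classify(workgroup_a, computer_2, alice))
    # Stop managing Alice's Dock position: computer 2's "bottom" now wins.
    alice["dock_position"] = (NEVER, None)
    print(resolve(workgroup_a, computer_2, alice)["dock_position"])
```

Note that a user-level "always" wins over a restriction set for the workgroup or computer list, which is exactly how the assistants above regain access to recording devices, and also why user-level overrides deserve the same review as the restrictions they relax.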
Most of the time, you will use preferences at the workgroup and computer levels.
• Workgroup preferences are particularly suited to customizing the work environment (for example, which applications are visible) for certain groups of users, or to using group folders. For example, a student may belong to the "Class of 2011" group for administrative reasons and to the "Students" workgroup to limit their choice of applications and give them a shared group folder for turning in assignments. Another workgroup called "Teachers" could be used to give faculty access to folders and applications reserved for their use.
• Computer preferences are handy for managing preferences for users regardless of their group memberships. At the computer level you might, for example, want to limit access to system preferences, manage energy saver settings, show certain users in the login window, and prevent files and applications from being saved to recordable disks.
Computer preferences also provide a way to manage preferences for users who don't have a network account but who can log in to a Mac OS X computer with a local account. (The local account, defined with the Accounts pane of System Preferences, resides on the user's computer.) You should set up a computer list that manages local-only accounts. The preferences associated with the computer list and with any workgroup the user selects at login take effect. You'll find more information about managing the login environment below.
Degrees of Permanence
When you define preferences, you can choose to manage them Always or Once. By default, they are Never managed.
• Always: this option keeps the preferences in effect until you change them on the server. Well-behaved Mac OS X applications also disable user editing of preferences managed Always. You can, for example, use Always to make sure users cannot add or remove items in the Dock.
• Once: this option is available for some preferences. It is a quick and easy way to set default preferences without managing them. You could, for example, set up a group of computers to show the Dock a certain way the first time users log in. A user can change preferences you set to Once, and the changes they choose then apply to that user from then on. Because Once only seeds a default, use Always for any setting meant as a restriction.
The following preferences cannot be set to Once in the Overview preferences pane: Applications, Finder (Commands), Mobile Accounts, Printing, System Preferences, Login (Scripts, Login Window, and Options), and Energy Saver. For these preferences, you can only choose between Always and Never.
• Often: this option applies only to the Preference Editor (Details view). Often settings are the same as Once settings, except that they are applied at every login and every time the computer connects to (or disconnects from) the network. They are especially handy for application settings that don't disable the user interface for preferences managed Always.
• Never: this option lets a user control their own preferences. Changing certain preference settings, such as Accounts and Date & Time, still requires the name and password of a local administrator. Never also means that the preferences are not managed at that account's level, but they can still be managed at another level of the hierarchy.
Setting Up the Login Environment
You can set login preferences for computer lists to control the appearance of the login window. If, for example, you set the following login window options in Workgroup Manager:
[Figure: login window options set in Workgroup Manager]
... the window looks like this:
[Figure: the resulting login window]
In this case, the first user is the local computer administrator. The next three users have accounts on the server, one of them a mobile account.
To log in, the user selects their user name from the list (if the login window is configured that way), then types a password when prompted. If the user belongs to several workgroups (as a network user, or as a local user who receives workgroups from the computer list), a list of workgroups is displayed so that they can select the environment they want.
Note that a user may belong to a group that doesn't appear in the list; only workgroups (that is, groups with managed preferences, and among them only the workgroups that also belong to the computer list's workgroups) are shown. If the computer is associated with a computer list that manages local-only users, all workgroups that have been given access to the computer through the computer list are shown when a local user logs in. The user can select any of them. All preferences associated with the user, the chosen workgroup, and the computer being used take effect immediately.
Who Can Log In?
Mac OS X lets you control which users are allowed to log in to a computer. This covers all users who appear in the computer's access list. That list is filtered: if at that moment the user's access is disabled in the password server, the user doesn't appear in the list either.
Caching Preferences
Preferences can be cached on Mac OS X computers so that they remain in effect even when the computer is disconnected from the network:
• Computer preferences and the preferences of all workgroups that can use the computer are cached.
• User preferences are always cached for users who have mobile accounts.
When a client computer is disconnected from the network, only users with local accounts, or network users with mobile accounts on that computer, can log in.
Helping Users Find Applications
Applications can be stored locally on the hard disk of a user's computer, or on a server in a share point. If applications are stored locally, users can find them in the Applications folder. If applications are stored on a server, the user must connect to the server (by choosing Go > Connect to Server in the Finder) to locate and use them. Applications can also be made available with a share point automatically mounted as a /Network/Applications mount record.
To make certain local applications easier to find, you can use Dock Items preferences to place in the user's Dock an alias to the My Applications folder. The My Applications folder contains aliases to the applications a user is allowed to open. This can slow down login for managed users, because Mac OS X must search the available disks to build this list at every login.
User access to local applications is managed by creating lists of approved applications in Applications preferences. To create an approved applications list, see "Creating a List of Applications Users Can Access" on page 164. Whether you choose the Simple Finder user environment or the normal Finder, this approved applications list determines what users find in the My Applications folder in the Dock. For more information about using the Simple Finder or the normal Finder, see "Hiding the Alert Shown When a User Empties the Trash" on page 183.
To place an alias in the My Applications folder and in other folders in a user's Dock, see "Adding items to a user's Dock" on page 175.

Helping users find group folders

If you have set up a group folder, you can give users quick access to it when they log in to the workgroup the group folder is associated with. Use Dock Items preferences to do this. For more information, see "Easy access to group folders" on page 174. To provide access to the group volume containing the group's Public folder and Drop Box, see "Providing easy access to the group share point" on page 194.

Network installation and startup

Using Network Install and NetBoot images hosted on Mac OS X Server is the key to fast initial setup of many user computers and to refreshing those computers instantly. User computers start up from these images automatically. Use Network Install images when you want to install software on user computers. Use NetBoot images when you want to refresh the user computers' environment at every startup.

[Figure: Mac OS X Server serving Network Install images and NetBoot images]

Starting up from a network image offers many advantages over starting up from a local hard disk:
• The NetBoot image is locked from the user's point of view, so it cannot be damaged accidentally or maliciously.
In a computer lab where students may make mistakes, or during a computing course where system protection cannot be used because programming tools are in use, a NetBoot image lets the computers be restarted to return them to their original state after each use. The image returns to its original state at every startup, whatever changes the previous student made to the system.
• The network administrator responsible for maintenance need not carry a case full of diagnostic CDs; a system can be started up from a network image that contains all the diagnostic and repair tools.
• Several images can be published on the network from one server, and several servers can be used to deliver the same image at optimal throughput. A server can host up to 25 different images, so you can maintain a set of custom software configurations for different workgroups and computers. For example, you can use one image to install the latest applications required by certain users and another image to start up the computers in particular classrooms, offices, or labs.

Day-to-day client administration

Administering networked computers involves record keeping, help-desk tasks, and minor updates while users are logged in and working. For these and other daily tasks you can use Apple Remote Desktop (ARD). ARD provides a remote management environment that simplifies configuring, monitoring, and maintaining user computers:
• Screen observation. View users' screens on your computer to monitor their activity.
• Screen control.
Show users how to perform tasks by controlling their screens from your computer.
• Screen sharing. Display your screen on a user's screen for training and demonstrations.
• Screen locking. Prevent users from using their computers.
• Text messaging. Exchange messages with one or more users and collect questions and requests from different users.
• Hardware and software management. Examine information about installed hardware and software. Search for specific files and folders on users' computers.
• Software distribution and startup. Specify which NetBoot or Network Install images user computers should use. Perform network installations and control the startup and shutdown of your users' computers. Use ARD to deploy application installers or new system updates rather than running Software Update on each computer.
• Troubleshooting. Perform basic network troubleshooting by checking network traffic performance for all your workstations and servers.

9 Managing Preferences

This chapter provides information about managing preferences for users, workgroups, and computers.

How Workgroup Manager works with Mac OS X preferences

Workgroup Manager lets you define and lock certain system settings for users on the network.
You can either define initial preferences and then let users change them, or keep permanent administrative control over preferences (you can also choose to impose no preferences at all). Besides the various user, group, and computer list settings, Workgroup Manager controls most of the core system and application preferences. The preferences editor controls the other applications that require management.

Preference pane: What you can manage
Applications: Applications available to users
Classic: Classic startup settings, sleep settings, and access to Classic items such as control panels
Dock: Dock location, behavior, and items
Energy Saver: Performance options for Mac OS X client and server computers, battery use for portable computers, and sleep or wake options
Finder: Finder behavior, desktop items and appearance, and access to Finder menu commands
Internet: Email account and web browser preferences
Login: Login window appearance, mounted volumes, and items opened automatically when the user logs in
Media Access: Settings for CDs, DVDs, and recordable discs, and settings for internal and external disks such as hard disks or floppy disks
Mobility: Creation of a mobile account at login
Network: Proxy server configuration and settings for specific hosts and domains to bypass
Printing: Available printers and access to printers
Software Update: Specific server to use for the Software Update service
System Preferences: System Preferences accessible to users
Universal Access: Settings for controlling mouse and keyboard behavior, enhancing display settings, and adjusting sound or speech for users with special needs

Managing preferences

In Workgroup Manager, information about users, groups, and computer lists is integrated with directory services. After setting up accounts, you can manage their preferences. Managing preferences involves controlling the settings of certain System Preferences as well as controlling users' access to System Preferences, applications, printers, and removable media.

Settings and preference information in user, group, or computer records is stored in a directory domain that Workgroup Manager can access, such as an LDAP directory or an Open Directory master. All preferences are stored in a record (user, group, or computer). At login, the MCX client gathers these records into one place, where the final combined management list is applied to the user's environment. Once user and group accounts and computer lists have been created, you can begin managing their preferences through the Preferences pane of Workgroup Manager. To manage preferences for Mac OS X clients, make sure each client has a network or local home directory. For information about setting up a group volume or home directories for users, see Chapter 4, "Setting up user accounts."

Note: When you manage preferences for a user, group, or computer, an arrow icon appears next to the managed preference in the Preferences pane to indicate its management state. You can select several users, groups, or computers to examine their managed preferences. If the arrow icon is dimmed, the managed preference settings are mixed for the selected items.

About the preference cache

The preference cache stores the preferences of the computer list the computer belongs to, the preferences of the groups associated with that computer, and the preferences of the users who have recently logged in on that computer. The cache is used by network users and also by the workgroups of mobile accounts. Cached preferences can affect how a user is managed when offline, and using the preference cache can improve performance.
Cached preferences can help you manage local user accounts on portable computers even when they are not connected to a network. For example, you can create a computer list to manage, then manage the computer list's preferences. Next, make those computers available to groups and manage the groups' preferences. Finally, set up local user accounts on the computers. If a user decides to work offline or disconnects from the network, the cached computer and group preferences continue to manage that user. If you make a change that affects an account's cached information, Workgroup Manager sets a flag in Open Directory to signal the change. As soon as a user logs in, the client is updated automatically.

Note: The preference cache is refreshed automatically when you change an account or preference setting. The new preferences take effect at the user's next login or logout. If the user is already logged in but is not on the network, the user must log out and log in again to update the preference cache.

Regular updates of the managed preference cache

You can update a computer's managed preference cache at regular intervals. The computer checks the server for updated preferences according to the schedule you define. The cache is also updated automatically whenever a change is made to one of the managed preferences in Workgroup Manager. If you manage directory services with another tool, you can still use Workgroup Manager to refresh the cache at regular intervals.
To set an update frequency for the managed preference cache:
1 In Workgroup Manager, click Accounts.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more computer lists.
4 Click Cache.
5 Enter a number for how often you want the cache updated, then choose an update unit (seconds, minutes, hours, days, or weeks) from the pop-up menu. For example, you can choose an update every 5 days.
6 Click Save.
Note: If you set the update value to "0", the cache is disabled. Remember that without a cache, managed preferences do not work when the computer is disconnected from the network.

Updating the preference cache manually

If needed, you can manually update the managed preference cache of each computer in a given computer list.
To update the managed preference cache:
1 In Workgroup Manager, click Accounts.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more computer lists.
4 Click the Access pane and check (or add) the requested information.
5 Click Cache, click Update Cache, then click Save.
You can also perform the update directly on the client computer. Hold down the Option key while logging in on the client computer (using a local administrator name and password), then click Refresh Preferences in the dialog that appears.
Note: If you do this while the computer is disconnected from the network, the preference cache is deleted and the computer is no longer managed.

Managing user preferences

You can manage the preferences of individual users according to their needs. However, if you have many users, it may be more efficient to manage most preferences by group and by computer, reserving user-level preference management for specific cases such as directory domain administrators, teachers, or technical staff. It is a good idea to decide which preferences you want to leave under the user's control. If, for example, you do not care where the user's Dock is located, set management of Dock Display to Never or Once.
To manage user preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Users button and select one or more user accounts in the list.
4 Click the icon of the preference you want to manage.
5 In each pane of the preference, choose a management setting. In some cases (Printing and Media Access, for example), the management setting applies to all of the preference's settings rather than to individual panes.
6 Select preference settings or enter the information to use. Some management settings are not available for certain preferences, just as some preferences are not available for certain account types.
7 When you have finished, click Apply.

Managing group preferences

A group's preferences are shared by all users in that group. Defining preferences at the group level rather than for each user saves time, especially if you have a large number of managed users. Because users can select a workgroup when they log in, they can choose a group whose managed settings suit the current task, location, or environment. It can be more sensible to define preferences once for a single group than to define preferences for each member of the group, one by one.
To manage group preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Groups button and select one or more group accounts in the list.
4 Click the icon of the preference you want to manage.
5 In each pane of the preference, choose a management setting.
In some cases (Printing and Media Access, for example), the management setting applies to all of the preference's settings rather than to individual panes.
6 Select preference settings or enter the information to use. Some management settings are not available for certain preferences, just as some preferences are not available for certain account types.
7 Click Apply.

Managing computer preferences

Computer preferences are shared by all computers in a list. In some cases it can be more useful to manage preferences for computers than for users or groups.
To manage computer preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more computer lists. If you are setting preferences for the Guest Computers account, you must select the Define Guest Computer Preferences button.
4 Click the icon of the preference you want to manage.
5 In each pane of that preference, choose a management setting. In some cases (Printing and Media Access, for example), the management setting applies to all of the preference's settings rather than to individual panes.
6 Select preference settings or enter the information you want to use.
Some management settings are not available for certain preferences, just as some preferences are not available for certain account types.
7 Click Apply.

Editing the preferences of several records

You can edit the preferences of several user accounts, group accounts, or computer lists at the same time. If some settings differ between accounts, a "mixed-state" slider, radio button, checkbox, text field, or list may appear. For sliders, radio buttons, and checkboxes, a dash indicates that the settings are not identical across all selected accounts. For text fields, the word "Varied" indicates a mixed state. Lists display a combination of the items of all selected accounts. If you change a mixed setting, the newly selected setting applies to every account. For example, suppose you select three group accounts whose Dock size settings differ. When you look at the Dock Display preference pane for these three accounts, the Dock Size slider is centered and shows a dash. If you move the Dock Size slider to make the Dock larger, all selected accounts will have large Docks.

Disabling management of specific preferences

After setting up managed preferences for an account, you can disable management of specific preference panes by choosing Never.
Note: The Once and Often settings retain the last value applied on the client computer.
To disable preference management on a case-by-case basis:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click the icon of a preference that is currently managed.
5 Click a button to display the pane containing the preference settings you no longer want to manage. In some cases (Printing and Media Access, for example), you can skip this step because the management setting applies to all of the preference's panes.
6 Select Never.
7 Click Apply.
Note: If preferences are managed at a higher level of the hierarchy, setting management to Never does not necessarily result in unmanaged preferences. When you change preference management settings, the new setting applies to all items in the active preference pane. To disable management of an individual preference entirely (the Dock, for example), make sure it is set to Never in each pane of that preference.

Managing access to applications

The settings in the Applications pane let you give users access to applications. You can create lists of "approved" applications that users are allowed to open, and you can allow users to open items on local volumes. You can also prevent applications from opening certain forbidden applications.
Note: Applications are identified by their bundle identifier. Because a user can change this identifier to get around an access restriction, the restriction should be regarded as a policy rather than an impassable barrier.
Creating a list of applications users can open

There are two ways to control a user's access to applications. You can either provide access to a set of "approved" applications that users are allowed to open, or deny access to "unapproved" applications. If you create a list of approved applications, users can open only the applications in that list. (You can, however, allow applications to open helper applications that are not in the list.) If you create a list of unapproved applications, users can open any application that is not in the list.
To set up the list of accessible applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Select "User can only open these applications" or "User can open all applications except these".
7 Add and remove items in the list. To find an application, click Add. To select several items, hold down the Command key.
8 Once the application list is created, click Apply.
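To make the two list modes concrete, the following is an added example (not Apple's code; nothing on the page supplies it) that models the Applications pane in Python: an approved or unapproved list keyed on the bundle identifier, the "Allow approved applications to launch non-approved applications" option described under helper applications, and an audit over a constructed bundle inventory that flags identifiers claimed by more than one bundle, the case the note above calls a policy rather than a barrier. Bundle paths, identifiers, and Info.plist contents are constructed samples.

```python
"""Model of the Workgroup Manager Applications policy (added example,
not Apple's code): approved-list or unapproved-list keyed on
CFBundleIdentifier, the helper-application rule, and an audit that
surfaces identifiers shared by several bundles."""
import plistlib
from typing import Dict, Iterable, List


def info_plist(bundle_id: str) -> bytes:
    """Build a minimal Info.plist (constructed sample, not a real bundle)."""
    return plistlib.dumps({"CFBundleIdentifier": bundle_id,
                           "CFBundlePackageType": "APPL"})


# Constructed inventory: bundle path -> its Info.plist bytes, as an
# inventory tool might collect them from a client. The last entry is the
# case the guide warns about: a bundle whose Info.plist reuses an
# identifier that is on the approved list.
INVENTORY: Dict[str, bytes] = {
    "/Applications/Mail.app": info_plist("com.apple.mail"),
    "/Applications/Safari.app": info_plist("com.apple.Safari"),
    "/Applications/Utilities/Terminal.app": info_plist("com.apple.Terminal"),
    "/Users/student/Stuff/Notes.app": info_plist("com.apple.Safari"),
}


def bundle_id_of(plist_bytes: bytes) -> str:
    """The identifier the policy keys on; empty if the plist has none."""
    return plistlib.loads(plist_bytes).get("CFBundleIdentifier", "")


class ApplicationsPolicy:
    """One Applications pane configuration with management set to Always.

    mode "only_these": "User can only open these applications".
    mode "all_except": "User can open all applications except these".
    approved_may_launch_unapproved models the checkbox "Allow approved
    applications to launch non-approved applications"; it only has an
    effect in only_these mode, as in the pane itself.
    """

    def __init__(self, mode: str, bundle_ids: Iterable[str],
                 approved_may_launch_unapproved: bool = False) -> None:
        if mode not in ("only_these", "all_except"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.bundle_ids = frozenset(bundle_ids)
        self.approved_may_launch_unapproved = approved_may_launch_unapproved

    def may_open(self, bundle_id: str) -> bool:
        """Can the user open a bundle with this identifier directly?"""
        listed = bundle_id in self.bundle_ids
        return listed if self.mode == "only_these" else not listed

    def may_launch_helper(self, parent_id: str, helper_id: str) -> bool:
        """Can an already-open application (parent) open a helper?

        Example: Mail opening a browser for a link. An unlisted helper is
        allowed only in only_these mode, only when the parent itself is
        approved, and only when the checkbox is on.
        """
        if self.may_open(helper_id):
            return True
        return (self.mode == "only_these"
                and self.approved_may_launch_unapproved
                and self.may_open(parent_id))


def evaluate_inventory(policy: ApplicationsPolicy,
                       inventory: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each bundle path to whether the policy lets the user open it."""
    return {path: policy.may_open(bundle_id_of(data))
            for path, data in inventory.items()}


def duplicate_identifiers(inventory: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Identifiers claimed by more than one bundle path.

    The policy cannot tell such bundles apart, so every path listed here
    deserves an administrator's review.
    """
    claims: Dict[str, List[str]] = {}
    for path, data in inventory.items():
        claims.setdefault(bundle_id_of(data), []).append(path)
    return {bid: sorted(paths) for bid, paths in claims.items()
            if len(paths) > 1}


if __name__ == "__main__":
    policy = ApplicationsPolicy("only_these",
                                ["com.apple.mail", "com.apple.Safari"],
                                approved_may_launch_unapproved=True)
    for path, allowed in evaluate_inventory(policy, INVENTORY).items():
        print(f"{'allow' if allowed else 'deny ':5} {path}")
    for bid, paths in duplicate_identifiers(INVENTORY).items():
        print(f"review: {bid} is claimed by {len(paths)} bundles: {paths}")
```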
Preventing users from opening applications on local volumes

When users have access to local volumes, they can open not only the applications on the computer's local hard disk but also approved applications on CDs, DVDs, or other external disks. If you want to prevent this kind of access, you can disable local volume access.
To prevent access to local applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Deselect "User can also open applications on local volumes".
7 Click Apply.

Managing access to helper applications

Some applications use helper applications to perform certain tasks on their behalf. For example, if a user tries to open a web link in an email message, the email application may call on a web browser to display the linked page. When you give users, groups, or computer lists access to a set of applications, it is a good idea to add the most common helper applications to the list.
If you allow users to open an email application, for example, it is useful to also add a web browser, a PDF reader, and an image viewer so that users have no trouble opening and viewing message content or attachments. When you set up a list of approved applications, you can choose to let those applications call helper applications that are not in the list.
To manage access to helper applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Select "User can only open these applications".
7 If you have not yet created a list of approved applications, do so (remember to include the helper applications). To find an application, click Add.
8 To allow access to helper applications, select "Allow approved applications to launch non-approved applications".
9 Click Apply.

Controlling the operation of UNIX tools

Some applications, or the operating system itself, sometimes require tools such as the QuickTime image converter. These tools cannot be accessed directly and generally run in the background without the user's knowledge. They can, however, be started from a command-line interface such as Terminal.
If you choose not to allow access to this kind of tool, some applications may not work correctly. Allowing it improves compatibility between applications and keeps them working efficiently; do not grant it if you want to maintain a very high level of security.
To allow access to UNIX tools:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Select "Allow UNIX tools to run".
7 Click Apply.

Managing Classic preferences

Classic preferences let you define startup options for the Classic environment, select its System Folder, define its sleep options, and make certain Apple menu items available to users. The table below describes what the settings in the Classic pane do.
Classic preferences pane: What you can control
Startup: The Classic System Folder and the actions taken when Classic starts up
Advanced: Apple menu items, Classic sleep settings, and whether the user can turn off extensions or rebuild the Classic desktop file at startup

Selecting Classic startup options

Workgroup Manager offers several ways to control how and when the Classic environment starts up.
If users often need to work with Classic applications, it may make sense to have Classic start immediately when they log in. If your users rarely use Classic, you can arrange for Classic to start only when a user opens a Classic application or a document that requires one. You can also choose to display a message announcing that Classic is starting and giving users the chance to cancel the startup.
To use the different Classic startup options:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Startup.
6 Set the management setting to Always.
7 Select "Start Classic at login on this computer" to start Classic as soon as a user logs in. When Classic starts at login, the startup window is hidden and the user cannot cancel the operation. If your users rarely use Classic, you can deselect this option so that Classic starts automatically only when a user opens an application or document that requires it. In that case the Classic startup window is visible to users and they can cancel the operation.
8 Select "Warn at Classic startup" to display a message announcing that Classic is starting when Classic is launched only because a user tries to open a Classic application or document. Users can choose either to let Classic continue starting up or to cancel. Deselect this option if you do not want users to be able to interrupt Classic startup.
9 Click Apply.

Choosing a Classic System Folder

Most often there is only one Mac OS 9 System Folder per computer, located on the Mac OS X startup disk, so you do not need to specify a Classic System Folder. If a computer has more than one Mac OS 9 System Folder on its startup disk and you have not set a specific path to one of them, users see an error message and cannot use Classic.

If there is more than one Mac OS 9 System Folder on a computer's startup disk, or if you want to use a Mac OS 9 System Folder located on another disk, you must designate a specific folder to use when Classic runs. It is important to specify a path to the Mac OS 9 System Folder, and that folder must be at the same relative location on the hard disks of all client computers. If several Mac OS 9 System Folders are available and you have not set anything in the Startup pane of Classic preferences, users can choose among the available Mac OS 9 System Folders if they have access to Classic System Preferences.

To choose a specific Classic System Folder:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Startup.
6 Set the management setting to Always.
7 Enter the path to the Classic System Folder you want to use, such as /Volumes//System Folder/, or click Choose to browse for the folder. Make sure the path to the Classic System Folder on the client computer is the same as the path to the Classic System Folder on the administrator computer.
8 Click Apply.

Allowing Special Actions at Startup

If managed users have access to Classic System Preferences, they can click the Start/Restart button in the Classic pane to start or restart the Classic environment. You can allow users to perform special actions, such as turning off extensions or rebuilding the Classic desktop file, when they start or restart Classic from the Advanced pane of Classic System Preferences. It is best to grant these permissions only to certain users, such as members of your technical staff.

To allow special actions at startup:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced.
6 Set the management setting to Always.
7 Select "Allow special startup modes".
8 Select "Allow user to rebuild Desktop" to let users rebuild the Classic desktop file. Turning this option off dims the Rebuild Desktop button in the Advanced pane of Classic System Preferences.
9 Click Apply.

Controlling Access to Classic Apple Menu Items

Managed Classic preference options let you control access to certain items in the Classic Apple menu, including Mac OS 9 control panels, the Chooser, and the Network Browser. You can choose to show or hide all, some, or none of these items in the Apple menu. Hiding an item removes it from the Apple menu only; users can still reach it by other routes, such as opening the Chooser directly from the Mac OS 9 System Folder. To restrict user access to these items further, use the Applications preferences in Workgroup Manager to determine which applications users can and cannot open. For more information, see "Managing Access to Applications" on page 164.

Note: Preventing access to the Chooser can affect what happens when a user tries to print from the Classic environment if printing management is also in effect. If users cannot access the Chooser, they cannot set up new printers or change printer types (for example, switch from a PostScript printer to a non-PostScript one).
To hide or show Apple menu items:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced, then set the management setting to Always.
6 Select "Hide Control Panels" to remove that item from the Apple menu. Deselect this option to show the item.
7 Select "Hide Chooser and Network Browser" to remove both items from the Apple menu. Deselect this option to show them.
8 Select "Hide other Apple menu items" to hide the remaining Apple menu items. This group includes items such as the Calculator, Key Caps, and Recent Applications. Deselect this option to show these Apple menu items.
9 Click Apply.

Setting Classic Sleep Settings

When no Classic applications are open, Classic goes to sleep to reduce its use of system resources. You can set how long Classic waits after the last Classic application is closed before it goes to sleep. When Classic is asleep, opening a Classic application may take a little longer.

In some situations you may need to use applications that run in the background, without the user's knowledge or without interacting with the user. If an application is running in the background when the Classic environment goes to sleep, that application also goes to sleep.
To let such an application run without interruption, you can set the Classic sleep option to Never.

To adjust Classic sleep settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced, then set the management setting to Always.
6 Use the slider to set how long Classic waits before going to sleep. If you do not want Classic to go to sleep, drag the slider to Never.
7 Click Apply.

Keeping User Preferences Consistent for the Classic Environment

Classic normally looks for a given user's Mac OS 9 preference data in the Mac OS 9 System Folder. If a user works on more than one computer, or if several users work on the same computer, you should make sure that Classic uses the preferences in the home folder, at ~/Library/Classic, so that each user has his or her own preferences.

If you choose not to use the preferences in the user's home folder, be aware that a user's Mac OS 9 data is saved in the Mac OS 9 System Folder and mixed with other users' data. Users therefore share preferences, and any change made by the last user is applied when the next user logs in.
To choose where Classic user preferences are stored:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced, then set the management setting to Always.
6 Select "Use preferences from home folder" to keep separate Classic preferences for each user. Deselect this option to use the local Mac OS 9 System Folder for all Classic user preferences.
7 Click Apply.

Managing Dock Preferences

Dock settings let you define how the Dock behaves and specify which items appear in it. The table below describes what the settings in the Dock pane control.

Dock preference pane: What you can control
Dock Items: The items in a user's Dock and their location in it
Dock Display: The position and behavior of the Dock

Controlling the User's Dock

Dock settings let you set the position of the Dock on the desktop and change its size. You can also control Dock animations.

To set the appearance and behavior of the Dock:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Display.
6 Select a management setting (Once or Always).
7 Drag the Dock Size slider to make the Dock larger or smaller.
8 If you want Dock items to enlarge when the user moves the pointer over them, select the Magnification checkbox, then set the slider. Magnification is useful when the Dock contains many items.
9 If you do not want the Dock to be visible at all times, select "Automatically hide and show the Dock". The Dock then appears automatically when the user moves the pointer to the edge of the screen where the Dock is located.
10 Choose whether to place the Dock on the left, right, or bottom of the desktop.
11 Select an effect to apply when the Dock is hidden.
12 If you do not want animated icons in the Dock when an application opens, deselect "Animate opening applications".
13 Click Apply.

Easy Access to Group Folders

After you set up a group volume, you can make it easier for users to access the group directory by placing an alias to it in their Dock. The group directory contains the group's Library, Documents, and Public folders (including a drop box). For help setting up a group share point, see "Working with Group Folder Settings" on page 108.

If the group directory is not available when the user clicks the group folder icon, the user must provide a name and password to connect to the server and open the directory.

Note: This preference setting applies only to groups.
You cannot manage this setting for users or computers.

To add a Dock item for the group directory:
1 If you have not yet set up a share point for the group, do so before continuing.
2 In Workgroup Manager, click Preferences.
3 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
4 Click the Groups button and select one or more group accounts in the list.
5 Click Dock.
6 Click Dock Items.
7 Select a management setting (Once or Always). If you select Once, the group folder icon appears in the user's Dock at first, but the user will not be able to remove it.
8 Select "Add group folder".
9 Click Apply.

If you change the location of the group share point, be sure to use Workgroup Manager to update the corresponding Dock item for the group.

Adding Items to a User's Dock

You can add applications, folders, or documents to a user's Dock to make them easier to reach.

To add items to the Dock:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Items.
6 Select a management setting (Once or Always).
7 To add applications, regular folders, and documents to the Dock, click Add, then browse to and select the item you want. To remove an item from the Dock, select it, then click Remove. You can reorder the Dock items in the list by dragging them into the order in which you want them to appear. Applications are always grouped on one side of the Dock, with files and folders on the other side.
8 Select My Applications, Documents, or Network Home to add one or more of these items to the user's Dock. The My Applications folder contains aliases to the available applications. The Documents folder is the Documents folder in the user's home directory. The Network Home folder is the server-hosted home directory of a mobile account user.
9 When you have finished adding Dock items, click Apply.

Preventing Users from Adding or Removing Dock Items

Users can normally add items to their own Dock, but you can prevent them from doing so. If Always (Manage these settings) is selected, they cannot remove the items you add to the Dock.

To prevent users from adding items to their Dock:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Items, then set the management setting to Always.
6 Deselect "User can add and remove Dock items".
7 Click Apply.

Managing Energy Saver Preferences

Energy Saver preference settings help you save energy and battery power by managing when servers and client computers sleep, wake, and restart. The table below summarizes what you can control with the settings in each Energy Saver pane.

Energy Saver preference pane: What you can control
Desktop: Sleep for the computer, display, and hard disk(s), plus wake and restart options for Mac OS X and Mac OS X Server
Portable: Processor performance, sleep similar to that of a desktop computer, plus wake and restart options for the Adapter and Battery power sources
Battery Menu: Display of an on-screen battery status indicator
Schedule: Daily scheduling of startup, shutdown, or sleep

Using Sleep and Wake Settings for Desktop Computers

Putting a computer to sleep saves energy because it turns off the display and stops the hard disk. Waking a computer from sleep is faster than starting it up. You can use the Energy Saver preference settings in Workgroup Manager to put computers to sleep automatically after a specified period of inactivity. Other settings let you wake or restart the computer when certain events occur.

To set sleep and wake settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Desktop.
6 Choose either Mac OS X or Mac OS X Server from the OS pop-up menu, then set management to Always.
7 To set sleep settings, choose Sleep from the Settings pop-up menu. Drag the slider to set how long the computer waits before going to sleep. The default setting is 1 hour. The computer does not sleep if the slider is set to Never. If you want a different delay for the computer's display, select "Put the display to sleep when the computer is inactive for" and drag the slider. The delay you choose cannot be longer than the delay set for computer sleep.
To put the computer to sleep as soon as it is no longer in use, select "Put the hard disk(s) to sleep when possible".
8 To set sleep and wake settings, choose Options from the Settings pop-up menu. To wake the computer when the modem is activated, select "Wake when the modem detects a ring". To wake the computer when an administrator tries to access it remotely, select "Wake for Ethernet network administrator access". To have the computer restart after a power failure, select "Restart automatically after a power failure". To turn off automatic restart, deselect this option.
9 Click Apply.

To wake a sleeping computer or display manually, users can click the mouse button or press a key on the keyboard.

Using Energy Saver Settings for Portable Computers

Portable Energy Saver settings let you vary the sleep and wake conditions, as well as processor performance, according to the power source a portable computer is using (power adapter or battery). You can also have the computer restart automatically after a sudden power failure. Encourage users to use the computer's power adapter whenever possible to conserve battery power.

To manage portable computer settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list.
If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Portable.
6 Choose either Adapter or Battery from the Power Source pop-up menu, then set management to Always.
7 To set sleep settings, choose Sleep from the Settings pop-up menu. Drag the slider to set how long the computer waits before going to sleep. The default setting is 1 hour. The computer does not sleep if the slider is set to Never. To set a different delay for the computer's display, select "Put the display to sleep when the computer is inactive for" and drag the slider. The delay you choose cannot be longer than the delay set for computer sleep. To put the computer to sleep as soon as it is no longer in use, select "Put the hard disk(s) to sleep when possible".
8 To set sleep, wake, and processor performance settings, choose Options from the Settings pop-up menu. To wake the computer when the modem is activated, select "Wake when the modem detects a ring". To wake the computer when an administrator tries to access it remotely, select "Wake for Ethernet network administrator access". To have the computer restart after a power failure, select "Restart automatically after a power failure". To turn off automatic restart, deselect this option. Choose Highest, Automatic, or Reduced from the Processor Performance pop-up menu. The recommended setting for computers using a power adapter is Highest.
For computers running on battery power, the recommended setting is Automatic.
9 Click Apply.

To wake a sleeping computer or display manually, users can click the mouse button or press a key on the keyboard.

Showing Battery Status to Users

Portable computers use a battery as their direct or backup power source when they are not connected to mains power. The computer goes to sleep automatically to save energy when the battery charge becomes too low. The user only needs to reconnect the computer to a direct power source (by inserting a charged battery or connecting a power adapter) to wake the computer and get back to work. Encourage users to monitor their battery status when using their computer on the go, and to use a power adapter whenever they can in order to keep the battery fully charged.

To show battery status in the menu bar:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Battery Menu, then set the management setting to Always.
6 Select "Show battery status in the menu bar" to display the battery menu. To turn off the battery menu, deselect this option.
7 Click Apply.
Scheduling Automatic Startup, Shutdown, or Sleep

You can choose to put computers to sleep, start them up, or shut them down at specific times of the day or week. Scheduling shutdown or sleep can help you save energy during expected periods of inactivity, such as evenings after the workday, weekends, or the end of a class. Scheduling automatic startup lets you prepare a classroom or lab so that work can begin immediately.

To schedule automatic actions:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Schedule.
6 Choose either Mac OS X or Mac OS X Server from the OS pop-up menu, then set management to Always.
7 To schedule automatic startup, select "Start up the computer", then choose a day or period (weekdays, weekends, or every day) from the pop-up menu. Then type a time in the field provided. To turn off scheduled startup, deselect this option.
8 To schedule automatic sleep or shutdown, select the checkbox and choose Sleep or Shut Down from the pop-up menu. Then choose a day or period (weekdays, weekends, or every day) from the pop-up menu, and type a time in the field provided.
To turn off scheduled sleep or shutdown, deselect this option.
9 Click Apply.

Managing Finder Preferences

You can control various aspects of Finder menus and windows. The table below summarizes what you can control in each Finder preferences pane.

Finder preference pane: What you can control
Preferences: Finder window behavior, the Simple Finder, the display of mounted items on the desktop, the display of filename extensions, and the display of the confirmation message when the Trash is emptied
Commands: Finder menu and Apple menu commands let users, among other things, easily connect to servers or restart the computer. In some cases you may prefer to limit users' access to these commands. The settings in the Commands pane let you control which commands are available to users.
Views: Finder views let you change the arrangement and appearance of items on a user's desktop, in Finder windows, and in the computer's top-level directory.

Setting Up the Simple Finder

You can select either the normal Finder or the Simple Finder as the user environment. The normal Finder looks and behaves like the standard Mac OS X desktop. The Simple Finder offers an easier browsing interface (for example, the Documents and My Applications folders appear in the user's Dock).

System Preferences can also be used to set up the Simple Finder on a client computer (locally). If you use Workgroup Manager to apply the Simple Finder environment and this feature is not turned on on the local computer, only the client's Finder is affected; Dock and application access settings must be managed separately. You can set up the Simple Finder on the local computer and use the Dock and application management features of Workgroup Manager to add Dock items and application access.

Important: For client computers running Mac OS X version 10.2 through 10.2.8, do not turn on the Simple Finder for users who log in to a workgroup that has its own group folder (directory). Those users cannot use any application, because the Simple Finder blocks access to the group directory.

To turn on the Simple Finder:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Preferences, then select a management setting (Always).
6 If you select Always, you can select either "Use normal Finder" or "Use Simple Finder" to limit access to this computer. If you select Once, only the "Use normal Finder" option is available.
7 Click Apply.
Hiding Disks and Servers on the User's Desktop

Normally, when a user inserts a disk, the disk's icon appears on the Desktop. Icons for local hard disks or disk partitions, and for mounted server volumes, also appear on the Desktop. If you do not want users to see these items on their Desktop, you can hide them. The items still appear in the top-level directory when a user clicks the Computer icon in a Finder toolbar.

To hide disk and server icons on the Desktop:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Preferences, then select a management setting (Once or Always).
6. Under "Show these items on the Desktop", select which items you want to hide.
7. Click Apply.

Controlling Finder Window Behavior

You can select which directory is shown when a user opens a new Finder window. You can also set what is shown when folders are opened.

To set Finder window preferences:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Preferences, then select a management setting (Once or Always).
6. Under "New Finder window shows", specify what to show. Select Home to show the items in the user's home directory. Select Computer to show the top-level directory, which includes local disks and mounted volumes.
7. Select "Always open folders in a new window" to show a folder's contents in a separate window when the user opens it. Mac OS X users can normally browse several folders from a single Finder window.
8. Select "Open windows in column view" for a consistent presentation across all windows.
9. Click Apply.

Hiding the Alert Shown When the User Empties the Trash

An alert message is normally shown when a user empties the Trash. If you do not want users to see this message, turn it off.

To hide the Trash warning:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Preferences, then select a management setting (Once or Always).
6. Deselect "Show warning before emptying the Trash".
7. Click Apply.

Showing File Name Extensions

A file name extension usually appears at the end of a file name (for example, ".txt" or ".jpg"). The extension lets applications identify the type of file.

To show file name extensions:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Select a management setting (Once or Always).
6. Select "Always show file extensions".
7. Click Apply.

Controlling User Access to Remote Servers

Users can connect to remote servers by choosing Connect to Server from the Finder's Go menu, then entering the server's name or IP address. If you do not want users to see this menu item, you can hide the command.

To hide the Connect to Server command:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Connect to Server.
7. Click Apply.

Controlling User Access to an iDisk

To connect to an iDisk, users can choose Go to iDisk from the Finder's Go menu. If you do not want users to see this menu item, you can hide the command.

To hide the Go to iDisk command:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Go to iDisk.
7. Click Apply.

Preventing Users from Ejecting Disks

If you do not want users to be able to eject disks (such as CDs, DVDs, floppy disks, or FireWire disks), you can hide the Eject command in the Finder's File menu.

To hide the Eject command:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Eject.
7. Click Apply.
Hiding the Burn Disc Command in the Finder

Computers with the appropriate hardware can burn discs (write information to recordable CDs or DVDs). If you do not want users to have this ability, you can hide the Burn Disc command in the Finder's File menu.

To hide the Burn Disc command:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Burn Disc.
7. Click Apply.

To prevent the use of recordable CDs or DVDs, or burning to them, use the Media Access preference settings. Only computers equipped with a CD-RW drive, a combo drive, or a SuperDrive can burn CDs. The disc burning command works only with CD-R, CD-RW, or DVD-R discs. Only a SuperDrive can burn DVDs.

Controlling User Access to Folders

Users can open a specific folder by choosing Go to Folder from the Finder's Go menu, then entering the path to that folder. If you do not want users to have this ability, you can hide the command.

To hide the Go to Folder command:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Go to Folder.
7. Click Apply.

Removing the Restart and Shut Down Commands from the Apple Menu

To keep users from restarting or shutting down their computers, you can remove the Restart and Shut Down commands from the Apple menu.

To hide the Restart and Shut Down commands:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Commands, then set the management setting to Always.
6. Deselect Restart and Shut Down.
7. Click Apply.

An additional precaution is to use the Login preference settings to make the Restart and Shut Down buttons unavailable (dimmed) in the login window. For instructions, see "Managing Login Preferences" on page 191.

Setting the Appearance and Arrangement of Desktop Items

Items on a user's Desktop appear as icons. You can control the size and arrangement of Desktop icons.
To set Desktop view preferences:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Views, then select a management setting (Once or Always). This setting applies to the options of all three views.
6. Click Desktop.
7. Set the icon size with the slider.
8. To keep items aligned in rows and columns, select "Snap to grid". To sort items by criteria such as name or kind (for example, all folders grouped together), select "Keep arranged by", then choose a method from the pop-up menu.
9. Click Apply.

Setting the Appearance of Finder Window Contents

Items in Finder windows can be shown as a list or as icons. You can control some aspects of how these items are presented and decide whether to show the toolbar in a Finder window. The Default view settings control the general appearance of all Finder windows. The Computer view settings control the view of the computer's top-level directory, which shows hard disks and partitions, external hard disks, mounted volumes, and removable media such as CDs or floppy disks.
To set preferences for the Default and Computer views:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Finder.
5. Click Views, then select a management setting (Once or Always). This setting applies to the options of all three views.
6. Click Default.
7. Set the icon size with the slider.
8. Select the arrangement you want. Select None to let users place icons freely on the desktop. Select "Snap to grid" to keep items aligned in rows and columns. Select "Keep arranged" to choose an arrangement from the pop-up menu. You can arrange items by name, by creation or modification date, by size, or by kind (for example, you can group all folders together).
9. Make the list view settings for the Default view. If you select "Use relative dates", an item's creation or modification date is shown as "Today", for example, rather than as "3/24/05". If you select "Calculate folder sizes", the computer calculates the total size of every folder shown in a Finder window. This can take a long time for very large folders. Choose an icon size for the list.
10. Click Computer, then make the icon view and list view settings for the Computer view. The available settings are similar to those of the Default view described in steps 5 through 9.
11. Click Apply.

Managing Internet Preferences

Internet preferences let you set email and web browser options. Some web browsers or email applications may not honor these settings. The table below describes what each setting in the Internet pane does.

Internet preferences pane: What you can control

Email: the default email application and email account information

Web: the default web browser and the URLs of the home page and the search page

Setting Email Preferences

Email preferences let you designate a default email application and supply the information needed for your email address, incoming mail server, and outgoing mail server.

Note: Some email applications may ignore these settings.

To set email preferences:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Internet.
5. Click Email, then select a management setting (Once or Always).
6. To set the default email application, click Set, then choose your preferred email application.
7. Enter the email address, the incoming mail server, and the outgoing mail server.
8. Select a mail account type (POP or IMAP).
9. Click Apply.

Setting Web Browser Preferences

To specify a default web browser and a location for downloaded files, use the Web settings in Internet preferences. You can also choose a start URL for the browser with the Home Page location. The Search Page location lets you specify the URL of a search engine.

Note: Some web browsers may ignore these settings.

To set web preferences:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Internet.
5. Click Web, then select a management setting (Once or Always).
6. To set the default web browser, click Set and choose the web browser application you prefer.
7. Enter a URL for the home page. This is the first page shown when the browser opens.
8. Enter a URL for the search page.
9. Enter a folder location for storing downloaded files, or click Set to browse for a folder.
10. Click Apply.
Managing Login Preferences

Use Login preferences to set login options for the user, provide password hints, and control whether the user can restart or shut down the computer from the login screen. You can also automatically mount a group volume or open applications when the user logs in. The table below summarizes what you can control with the settings in each Login pane. Scripts, the login window, and options can be managed only for computers, not for users or groups. The managed preferences concerned are described below.

Login preferences pane: What you can control

Login Items: access to the group volume, the choice of applications to open automatically for the user, and whether the user may manage which items open

Scripts: a script to run at login or logout, and whether the client computer's LoginHook or LogoutHook scripts are run or disabled

Login Window: for computer lists only; the appearance and function of the login window's elements, and which users are listed if a user list is shown

Options: for computer lists only; fast user switching, and the number of minutes of inactivity after which the user is logged out

Specifying How the User Logs In

Depending on the options you choose, the user sees either name and password fields or a list of users in the login window. These settings apply only to computer lists.

To set how a user logs in:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more computer lists.
4. Click Login.
5. Click Login Window and set the management setting to Always.
6. To require the user to enter a name and password, select "Name and password text fields".
7. To let the user select his or her name from a list, choose "List of users on this computer". If you use a user list, select the categories of users to show in the list. To make sure that a particular type of user does not appear in the list, deselect the corresponding setting. To allow unknown users, you can select "Show Other Users".

Note: If the "Allow users with local-only accounts" checkbox is deselected (in Workgroup Manager/Accounts/Computer Lists/Access), local non-administrator users can no longer log in. The "computer administrators" checkbox applies to all computer administrators, whether their accounts are local or network accounts.
The full list shown at login contains only the users who are allowed to log in, that is, those listed in the computer access pane. Users whose accounts are disabled do not appear in this list (see the password policy settings).
8. It is recommended that you prevent users from logging in through the Darwin console (the command-line interface) in order to bypass management. To disable login through the Darwin console, deselect "Allow users to log in using >console".
9. To disable automatic login as a specific user when the computer starts up, deselect "Enable automatic client login setting". If you decide to use this setting, you must set up automatic login on the client computer: open System Preferences, click Accounts, click Login Window, select "Enable automatic client login setting", choose a user from the pop-up menu, then enter that account's password.
10. When you have finished selecting the managed login settings, click Apply.

Opening Items Automatically After Login

You can have the items a user uses most often open automatically. You can also hide automatically opened items to avoid cluttering the screen while keeping the item readily accessible. Items open in the order in which they appear in the Login Items preferences (you can specify this order). As they open, items stack on top of one another, with the last item opened at the top of the screen.
For example, if you open three items and none of them is hidden, the user sees the menu bar of the last item opened. If an application's windows are open, they may overlap the windows of other applications. The user can prevent items from opening automatically by holding down the Shift key during login until the Finder appears on the desktop; this feature can be disabled.

To open an item automatically:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select one or more users, groups, or computer lists.
4. Click Login.
5. Click Login Items, then select a management setting (Once or Always).
6. To add an item to the list, click Add.
7. If you do not want the user to see an item immediately, select the corresponding Hide checkbox. The application stays open, but its windows and menu bar remain hidden until the user activates the application (by clicking its icon in the Dock, for example).
8. To keep the user from using this feature, deselect "User may add and remove additional items". (This checkbox is available only if Login Items preferences are managed Always.) Users can remove only the items they added to the list themselves, not those added by an administrator.
9. To keep users from preventing applications from opening automatically at login, deselect "User may press Shift to keep items from opening". (This checkbox is available only if Login Items preferences are managed Always.)
10. Click Apply.

Providing Access to a User's Network Home Directory

This setting mainly concerns mobile accounts. If a user logs in while connected to the network, the share point containing the user's original home directory (on the server) is mounted on the desktop.

Note: If you use portable home directories with mobile accounts, direct access to the network home folder is recommended only for advanced users. Other users could pick the wrong folder, because there are many of them and each one is named after its user. In addition, they all contain folders named Documents, Music, and so on, some of which may hold the same content.

To mount the network home folder automatically:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Select a mobile user account in the accounts list.
4. Click Login.
5. Click Login Items.
6. Select a management setting (Once or Always).
7. Select "Add network home share point".
8. Click Apply.
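The script below is an added example and is not part of Apple's guide. It audits an exported managed-preferences property list for the Finder command restrictions and login window settings described in the sections above: hiding Connect to Server, Go to iDisk, Eject, Burn Disc, and Go to Folder; removing Restart and Shut Down from the Apple menu; disabling login via >console; and hiding the login window's Restart and Shut Down buttons. Because the Commands pane and the login window must be managed Always, a setting that is only managed Once is reported as a finding, since the user can change it back. The plist layout (one dictionary per preference domain, with "Forced" for Always and "Set-Once" for Once arrays of mcx_preference_settings dictionaries) and the key names are assumptions modelled on the MCX format, and the sample plist is constructed; check the key names against an export from your own Workgroup Manager before relying on the result.

```python
import plistlib

# Settings this chapter tells you to manage "Always". The key names are
# assumptions modelled on the MCX domains com.apple.finder and
# com.apple.loginwindow; confirm them against your own export before use.
REQUIRED = {
    "com.apple.finder": {
        "ProhibitConnectTo": True,   # hide Connect to Server
        "ProhibitGoToiDisk": True,   # hide Go to iDisk
        "ProhibitEject": True,       # hide Eject
        "ProhibitBurn": True,        # hide Burn Disc
        "ProhibitGoToFolder": True,  # hide Go to Folder
        "ProhibitRestart": True,     # remove Restart from the Apple menu
        "ProhibitShutdown": True,    # remove Shut Down from the Apple menu
    },
    "com.apple.loginwindow": {
        "DisableConsoleAccess": True,  # no login via >console
        "RestartDisabled": True,       # no Restart button in the login window
        "ShutDownDisabled": True,      # no Shut Down button in the login window
    },
}

# Constructed sample export (assumed layout: one dict per preference domain,
# with "Forced" = Always and "Set-Once" = Once arrays of setting dicts).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.finder</key>
  <dict>
    <key>Forced</key>
    <array><dict><key>mcx_preference_settings</key><dict>
      <key>ProhibitConnectTo</key><true/>
      <key>ProhibitEject</key><false/>
      <key>ProhibitBurn</key><true/>
      <key>ProhibitGoToFolder</key><true/>
      <key>ProhibitRestart</key><true/>
      <key>ProhibitShutdown</key><true/>
    </dict></dict></array>
    <key>Set-Once</key>
    <array><dict><key>mcx_preference_settings</key><dict>
      <key>ProhibitGoToiDisk</key><true/>
    </dict></dict></array>
  </dict>
  <key>com.apple.loginwindow</key>
  <dict>
    <key>Forced</key>
    <array><dict><key>mcx_preference_settings</key><dict>
      <key>DisableConsoleAccess</key><true/>
      <key>RestartDisabled</key><true/>
      <key>ShutDownDisabled</key><false/>
    </dict></dict></array>
  </dict>
</dict>
</plist>
"""


def settings_for(mcx, domain, mode):
    """Flatten every entry of one domain and management mode into a dict."""
    merged = {}
    for entry in mcx.get(domain, {}).get(mode, []):
        merged.update(entry.get("mcx_preference_settings", {}))
    return merged


def audit_dict(mcx):
    """Return one finding per required setting that is unmanaged, managed
    only Once (the user can change it back), or set to the wrong value.
    An empty list means the export matches this chapter's recommendations."""
    findings = []
    for domain, wanted in REQUIRED.items():
        forced = settings_for(mcx, domain, "Forced")
        once = settings_for(mcx, domain, "Set-Once")
        for key, expected in wanted.items():
            label = f"{domain}/{key}"
            if key in forced:
                if forced[key] != expected:
                    findings.append(f"{label}: is {forced[key]!r}, expected {expected!r}")
            elif key in once:
                findings.append(f"{label}: managed Once only; the user can change it back")
            else:
                findings.append(f"{label}: not managed")
    return findings


def audit(plist_bytes):
    """Parse an exported plist (XML or binary) and audit it."""
    return audit_dict(plistlib.loads(plist_bytes))


if __name__ == "__main__":
    for line in audit(SAMPLE_PLIST) or ["compliant"]:
        print(line)
```

Run against the constructed sample, the audit reports three findings: Go to iDisk is hidden only Once, Eject is still available, and the login window's Shut Down button is still shown. Feed it your own export instead of SAMPLE_PLIST to check that what you set in Workgroup Manager is what the client computers will actually enforce.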
Providing Easy Access to the Group Share Point

After you set up a group share point, you can make group directories easier for users to find by giving them automatic access to the share point at login. (For information about setting up a group share point, see "Working with Group Folder Settings" on page 108.)

Note: This preference setting applies only to groups. You cannot manage it for users or computers.

To add a login item for the group share point:

1. If you have not yet set up a share point and a group folder for the group, do so before continuing.
2. In Workgroup Manager, click Preferences.
3. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
4. Click the Groups button and select one or more group accounts in the list.
5. Click Login.
6. Click Login Items.
7. Set the management setting to Always.
8. Select "Add group share point".
9. In the list under "Open these items automatically when the user logs in", select the group share point you just added. If you do not want the share point to appear in the Dock, select the Hide checkbox.
10. Make sure "Mount with user's name and password" is selected.
11. Click Apply.
When the user logs in, the computer connects to the group share point using the user name and password supplied at login. If you manage Finder preferences and choose not to show connected servers, the group volume's icon does not appear on the desktop. The user can still find the volume by clicking Computer in a Finder window. If you change the location of the group share point, be sure to update the corresponding login item for the group in Workgroup Manager.

Preventing Restart or Shutdown at Login

The Restart and Shut Down buttons are normally shown in the login window. If you do not want the user to be able to restart or shut down the computer, you can disable these buttons. You can also remove the Restart and Shut Down commands from the Finder menu. (For instructions, see "Managing Finder Preferences" on page 181.) Check the Commands pane of Finder preferences and make sure that Restart and Shut Down are not selected.

Note: Login window settings are available only for computer lists.

To disable the Restart and Shut Down buttons:

1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3. Click the Computer Lists button and select one or more accounts.
4. Click Login.
5 Click Login Window and set the management setting to Always.
6 Deselect "Show Restart button in the login window" and "Show Shut Down button in the login window".
7 Click Apply.

Using Hints to Help Users Remember Their Passwords

You can use a "hint" to help users remember their password. After three consecutive login attempts with an incorrect password, a dialog displays the hint that was created. Password hints created for local users are always displayed after three attempts, even if the display option is not selected. Password hints are not used for network user accounts.

To display a password hint:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Login Window and set the management setting to Always.
6 Select "Show password hint after 3 attempts".
7 Click Apply.

Enabling Support for Multiple Simultaneous Users on a Client Computer

Fast user switching lets you make several accounts available at the same time on a single computer. The list of currently active (authenticated) accounts appears in a menu on the right side of the Finder menu bar.
To switch to an account, select it from that menu. Although users must authenticate to switch to their own account, the previous user does not have to log out. Fast user switching is useful for computers shared by small, stable groups of users. However, this feature may not work between users who have network home directories or whose media access is managed by preferences.

To enable fast user switching:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Options and set the management setting to Always.
6 Select "Enable Fast User Switching" to let users use this feature. To disable the feature, deselect this option.
7 Click Apply.

Enabling Automatic Logout for Inactive Users

You can reduce the load on your servers and make user accounts more secure by enabling automatic logout after a period of inactivity. Once the set idle time has elapsed, the user's session is closed and the login window is displayed.

Note: This feature applies to clients running Mac OS X 10.3 and later.

To log out a user automatically:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Auto Logout and set the management setting to Always.
6 Drag the slider to set how long the user may remain idle before being logged out automatically.
7 Click Apply.

Login and Logout Scripts

Login scripts let you run a script each time a user logs in to a particular computer. Login and logout scripts are very powerful because they run as root; take care that they do not alter system settings or users' files.

There are two ways to add a login script to a computer: you can add a LoginHook script to a specific computer, or you can apply a login script to a computer list through Workgroup Manager. This section describes setting up login scripts for computer lists in Workgroup Manager. In the same way, you can add logout scripts to customize logout.

To set up a login or logout script, run the following commands on each client:
1 Set the "EnableMCXLoginScripts" key in ~root/Library/Preferences/com.apple.loginwindow.plist to TRUE.
$ sudo defaults write com.apple.loginwindow.plist EnableMCXLoginScripts -bool TRUE
2 Optionally, set the MCXScriptTrust key in ~root/Library/Preferences/com.apple.loginwindow.plist to a valid TRUST string.
$ sudo defaults write com.apple.loginwindow.plist MCXScriptTrust -string PartialTrust
If this key is not set, it is treated as an invalid TRUST string. The "FullTrust" level is required to run the scripts available in the Scripts pane of the Login System Preferences mentioned above.

Valid TRUST strings, in increasing order of trust, are "Anonymous", "DHCP", "Encryption", "Authenticated", "PartialTrust" and "FullTrust". Specifying a TRUST string also allows every trust level above it: "Anonymous" therefore allows all trust levels, and "PartialTrust" allows "PartialTrust" and "FullTrust". Note that most Active Directory nodes support "PartialTrust" but not "FullTrust".

After completing the two steps above, add the login or logout script to the computer list of your choice using Workgroup Manager. Note that the script cannot be larger than 30 KB.

Managing Media Access Preferences

Media Access preferences let you control settings for CDs, DVDs, the local hard disk and external disks (for example, floppy disks and FireWire drives), as well as how these items can be accessed. The table below describes what you can control with the settings in each Media Access pane.
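As an added example (not Apple's code and not part of this guide), the POSIX shell functions below encode the trust ordering from the login script section above, so a client's two loginwindow keys can be audited before scripts are deployed. `mcx_audit_client` reads the keys with `defaults read` in the same domain form the guide uses and must run as root on the client; the comparison functions need nothing from macOS and run anywhere. The trust level a directory node provides (the guide states most Active Directory nodes offer "PartialTrust") is passed in as an argument.

```shell
#!/bin/sh
# Added example, not Apple's code. Encodes the MCX login script trust rules
# described in the guide so a client's settings can be checked before use.

# Trust levels in increasing order of trust, exactly as listed in the guide.
MCX_TRUST_ORDER="Anonymous DHCP Encryption Authenticated PartialTrust FullTrust"

# Print the rank (1 = least trusted) of a TRUST string; fail if it is not a
# valid level. An unset MCXScriptTrust key arrives here as "" and is invalid.
mcx_trust_rank() {
    _rank=0
    for _level in $MCX_TRUST_ORDER; do
        _rank=$((_rank + 1))
        if [ "$_level" = "$1" ]; then
            echo "$_rank"
            return 0
        fi
    done
    return 1
}

# Succeed if a script delivered by a directory node at trust level $2 is
# allowed under a client MCXScriptTrust setting of $1. A setting admits
# itself and every higher level: "Anonymous" admits everything, while
# "PartialTrust" admits only PartialTrust and FullTrust.
mcx_trust_allows() {
    _need=$(mcx_trust_rank "$1") || return 1
    _have=$(mcx_trust_rank "$2") || return 1
    [ "$_have" -ge "$_need" ]
}

# Succeed only when both prerequisites from the guide hold: the
# EnableMCXLoginScripts value ($1, as printed by `defaults read`) is on,
# and the trust setting ($2) admits the node's trust level ($3).
mcx_login_scripts_ready() {
    case "$1" in
        1|TRUE|true|YES|yes) ;;
        *) return 1 ;;
    esac
    mcx_trust_allows "$2" "$3"
}

# On the client itself: read root's loginwindow keys and report a verdict.
# Run as root so the root user's preference domain is the one read.
# $1 is the trust level the directory node provides (e.g. PartialTrust).
mcx_audit_client() {
    _enabled=$(defaults read com.apple.loginwindow.plist EnableMCXLoginScripts 2>/dev/null)
    _trust=$(defaults read com.apple.loginwindow.plist MCXScriptTrust 2>/dev/null)
    if mcx_login_scripts_ready "$_enabled" "$_trust" "$1"; then
        echo "OK: login scripts enabled, MCXScriptTrust=$_trust admits node trust $1"
        return 0
    fi
    echo "NOT READY: EnableMCXLoginScripts=${_enabled:-unset}, MCXScriptTrust=${_trust:-unset}, node trust=$1"
    return 1
}
```

Running `mcx_audit_client PartialTrust` as root on a client reports whether scripts from a PartialTrust node would be accepted; a missing MCXScriptTrust key is reported as not ready, matching the guide's note that an unset key is an invalid TRUST string.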
Media Access preferences pane | What you can control
Disc Media | Settings for CDs, DVDs and recordable discs (such as CD-R, CD-RW or DVD-R). Computers without the hardware needed to use CDs, DVDs or recordable discs are not affected by these options.
Other Media | Internal hard disks and external disks other than CDs and DVDs

Controlling Access to CDs, DVDs and Recordable Discs

On a computer that can read or record CDs or DVDs, you can decide whether users have access to the items (music, movies and so on) stored on those discs. You cannot allow access to specific discs or to specific items on a disc. On a computer with the appropriate hardware, you can decide whether users can burn discs, that is, write information to a recordable disc such as a CD-R, CD-RW or DVD-R. CDs can be burned on any computer equipped with a CD-RW drive, a Combo drive or a SuperDrive; only computers equipped with a SuperDrive can burn DVDs.

To control access to disc media:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Disc Media and select the options you want.
7 Click Apply.

Controlling Access to Hard Disks and Other Disks

You can control access to internal and external disk drives such as floppy drives, Zip drives and FireWire drives.

Note: Behavior for internal hard disks may vary slightly depending on the client's version of Mac OS X (version 10.2, Jaguar, or 10.3, Panther). For more reliable results, you can set access permissions on internal hard disks and disk partitions on client computers using the Finder's Ownership & Permissions settings.

To restrict access to internal and external disks:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media and select the options you want. If you select the Read-Only checkbox, users can view the contents of a disk but cannot modify or save files on it.
7 Click Apply.
Ejecting Items Automatically When the User Logs Out

If you allow users to access CDs, DVDs or external disks such as Zip or FireWire disks on shared computers, it is advisable to enable automatic ejection of removable media when the user logs out.

To eject removable media automatically:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select "Eject all removable media at logout".
8 Click Apply.

Managing Mobility Preferences

If a user requires a mobile account, you can have such an account created automatically the next time the user logs in. To learn more about mobile accounts, including how to use the Mobility preference settings, see Chapter 3, "Managing Users for Mobile Clients".

Managing Network Preferences

Network preferences let you select and configure the proxy servers that users and groups can use. You can also specify the hosts and domains for which proxy settings should be bypassed.
The benefit of this system is that managed users and groups get a customized browsing experience.

Configuring Proxy Servers by Port

You can configure specific proxy types reserved for particular users or groups and specify the port to use. The proxy server types that can be set individually are: FTP, Web (HTTP), Secure Web (HTTPS), Streaming (RTSP), SOCKS, Gopher and Automatic Proxy Configuration.

The system administrator designates the users or groups to which these proxies are assigned and specifies which proxy they can reach in the Preferences pane of Workgroup Manager. You can specify only one proxy server type for a user or group.

To configure proxy servers for a user or group:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Network.
5 Select the specific proxy type to configure (FTP, Web and so on).
6 Specify a URL and port in the following form: serveurproxy.apple.com:8080/.
7 Click Apply.

Managing Printing Preferences

Printing preferences let you create printer lists and manage access to printers. The table below describes what each setting in the Printing pane does.

Printing preferences pane | What you can control
Printer List | The printers that are available, and whether the user can add printers or use a printer connected directly to a computer
Access | The default printer and access to specific printers

Assigning Printers to Users

To give users access to printers, start by setting up a printer list. You can then allow specific users or groups to use the printers in the list. You can also make printers available to computers. A user's final printer list is a combination of the printers that the user, the group selected at login and the computer in use can each access.

To create a printer list for users:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Printer List.
7 The list of available printers is generated from the network printers listed in Printer Setup Utility. Select a printer in the Available Printers list, then click "Add to List" so that it appears in the user's printer list.
If the printer you want does not appear in the Available Printers list, click "Open Printer Setup" and add the printer to the printer list in Printer Setup Utility.
8 Click Apply.

Preventing Users from Modifying the Printer List

You can prevent users from modifying the list of available printers (adding or removing printers).

To restrict access to the printer list:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Printer List.
7 To allow only the administrator to modify the printer list, deselect "Allow user to modify the printer list".
8 Click Apply.

Restricting Access to Printers Connected to a Computer

In some situations it is advisable to allow only a few users to print on a printer connected directly to their computer. For example, in a classroom with one computer connected to a printer, you can reserve the printer for the teacher by creating an administrator account for the teacher and then requiring an administrator name and password to use the printer.
To restrict access to a printer connected to a specific computer:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 If you want the client computer to have access to a network printer, click Printer List, select the printer and click "Add to List".
7 To deny users access to local printers, deselect "Allow printers that connect directly to the computer". To require an administrator password to use the printer, select "Require an administrator password".
8 Click Apply.

Setting a Default Printer

Once you have set up a printer list, you can designate the printer to be used by default. When a user tries to print a document, the chosen printer appears as the default in the application's print dialog.

To set the default printer:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Access.
7 Choose a printer in the user's printer list, then click Default.
8 Click Apply.

Restricting Access to Printers

You can require an administrator name and password to use certain printers.

To restrict access to a specific printer:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user's printer list, then select "Require an administrator password".
8 Click Apply.

Managing Software Update Preferences

You can specify a software update server per user or per group. Mac OS X Server lets you provide your own software updates from a local server to specific users. This frees bandwidth on the external network while letting the system administrator disable certain updates or force their installation.

To manage access to software updates:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Software Update.
5 Set the management setting to Always.
6 Specify a URL in the following form: serveurquelconque.apple.com:8080/.
7 Click Apply.

Managing Access to System Preferences

You can specify which System Preferences are visible to users and which ones they are allowed to modify. Users can open any System Preferences item, but cannot necessarily change its settings. Some preferences, notably Startup Disk, require an administrator name and password.

The preferences shown in Workgroup Manager are those installed on the computer you are using. If your administrator computer lacks certain System Preferences, install them or use Workgroup Manager on an administrator computer that has them.

To manage access to System Preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click System Preferences.
5 Set the management setting to Always.
6 Deselect the Show checkbox for each item that should not appear in a user's System Preferences.
7 Click Apply.

Managing Universal Access Preferences

Universal Access settings can improve the experience of some users. For example, if a user with a disability finds a computer difficult to use or wants to change the way they work, you can choose settings that let them work more effectively. Use Workgroup Manager to configure and manage Universal Access settings for specific workgroups or computers intended for users with special needs. The table below describes what each setting in the Universal Access pane does.

Universal Access preferences pane | What you can control
Seeing | The on-screen display and the desktop zoom level
Hearing | The visual alert shown to users
Keyboard | How quickly the keyboard responds when the user presses keys and key combinations
Mouse | How the pointer responds, and whether users can use the numeric keypad instead of the mouse
Options | Shortcut key combinations, the use of assistive devices and text-to-speech, in the Universal Access preferences pane

Adjusting Display Settings for the User

The Seeing preferences in Workgroup Manager let users adjust the appearance of the screen. The user can easily zoom in or out on the desktop using keyboard shortcuts (specific key combinations). Replacing colors with grayscale or using a negative display (white on black) can make on-screen text easier to read.

Note: If display settings are managed Once, users can switch between the zoom and color options using keyboard shortcuts. If management is set to Always, users cannot switch between these options.

To manage Seeing preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Universal Access.
5 Click Seeing, then select a management setting (Once or Always).
6 Make your changes.
7 For finer control of zooming, click Zoom Options. Drag the sliders to set a Maximum Zoom and a Minimum Zoom. To show a preview area, select "Show preview rectangle when zoomed out". To improve the appearance of magnified images, deselect "Smooth images".
8 Click Apply.

To customize the display further, you can use Finder view preferences to control the size of icons in Finder windows, and Dock display preferences to enlarge the icons in the user's Dock. If you manage dedicated computers, you can use Displays preferences to change the screen resolution and the number of colors displayed.
To keep local display preferences as they are set, it is recommended that you remove the Displays item from the list of available System Preferences using the Applications preferences in Workgroup Manager.

To allow the use of an assistive device (such as a screen reader) on a specific computer, click Preferences, select a computer list, click System Preferences, click Universal Access, click Options, click Always, and then select "Enable access for assistive devices".

Enabling a Visual Alert

For users who have trouble hearing alert sounds (such as the sound played when a message arrives or when an error occurs), the screen can be made to flash.

To enable a visual alert:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Universal Access.
5 Click Hearing, then select a management setting (Once or Always).
6 Select "Flash the screen when an alert sound occurs".
7 Click Apply.

Adjusting Keyboard Response

For users who have difficulty pressing several keys at once, you can use Sticky Keys to let the keyboard interpret a sequence of individual keystrokes as a key combination.
The computer can display each pressed key on screen and then play an alert sound when the key combination is complete.

Note: If you enable Universal Access shortcuts, a user can turn Sticky Keys on or off by pressing the Shift key five times in a row.

If the keyboard is too responsive for some users who have trouble with repeated keystrokes, you can use Slow Keys to increase the delay before a pressed key is accepted. To give the user feedback, the computer can play a "click" when keys are pressed.

To set how the keyboard responds to keystrokes:
1 In Workgroup Manager, click Preferences.
2 Make sure you have selected the correct directory and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups or computer lists.
4 Click Universal Access.
5 Click Keyboard, then select a management setting (Once or Always).
6 Select On to enable Sticky Keys. To turn off the key combination alert, deselect "Beep when a modifier key is set". To turn off the on-screen display of pressed keys, deselect "Show pressed keys on screen". If these options are not selected, some users may find it hard to tell whether a key combination is complete or still being entered.
7 Select On to enable Slow Keys.
8 If you do not want the computer to respond to keystrokes with a click, deselect "Use click key sounds".
9 Faites glisser le curseur pour fixer le délai entre le moment où une touche est activée et celui où l’ordinateur la reconnaît. 10 Cliquez sur Appliquer. F0170.book Page 209 Monday, May 2, 2005 12:37 PM210 Chapitre 9 Gestion des préférences Réglage du niveau de réponse de la souris et du pointeur La fonction Souris permet aux utilisateurs qui éprouvent des difficultés à utiliser une souris ou qui préfèrent ne pas s’en servir d’utiliser le pavé numérique. Les touches du pavé numérique correspondent aux directions et aux actions de la souris, ce qui permet à l’utilisateur de déplacer le pointeur, de cliquer sur le bouton de la souris, de le maintenir enfoncé ou de le relâcher. Remarque : si vous activez les raccourcis clavier d’Accès universel, un utilisateur pourra activer ou désactiver les Touches de souris en appuyant cinq fois de suite sur la touche Option. Si le pointeur se déplace trop rapidement pour certains utilisateurs, vous pouvez régler sa vitesse de réaction et de déplacement. Pour contrôler les réglages de la souris et du pointeur : 1 Dans le Gestionnaire de groupe de travail, cliquez sur Préférences. 2 Assurez-vous que vous avez sélectionné le répertoire approprié et que vous vous êtes authentifié. Pour passer d’un répertoire à un autre, cliquez sur le petit globe situé au-dessus de la liste des comptes. Si vous n’êtes pas authentifié, cliquez sur le cadenas. 3 Sélectionnez un ou plusieurs utilisateurs, groupes ou listes d’ordinateurs. 4 Cliquez sur Accès universel. 5 Cliquez sur Souris, puis sélectionnez un réglage de gestion (Une fois ou Toujours). 6 Sélectionnez Oui pour activer les Touches de souris. 7 Pour contrôler la vitesse de réaction du pointeur, faites glisser le curseur Délai initial. 8 Pour contrôler la vitesse de déplacement du pointeur, faites glisser le curseur Vitesse maximale. 9 Cliquez sur Appliquer. 
Enabling Universal Access shortcuts

Universal Access shortcuts are key combinations that turn on an available Universal Access feature, such as screen zoom or Sticky Keys. If you decide not to allow Universal Access shortcuts, your users may be unable to use features such as zoom, or to turn off features that are enabled, such as Sticky Keys.

To allow Universal Access shortcuts:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Options, then select a management setting (Once or Always).
6 Select Allow Universal Access shortcuts.
7 Click Apply.

Allowing assistive devices for users with special needs

If necessary, you can allow managed users to enable assistive devices such as a screen reader.

To allow the use of assistive devices:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and that you are authenticated. To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Options, then select the Always management setting.
6 Select Allow access for assistive devices.
7 Click Apply.

Using the preference editor with preference manifests

The preference editor lets you manage well-behaved Mac OS X applications, utilities, and System Preferences that do not appear in the Overview preferences pane of Workgroup Manager. It can also be used for administrative tasks.

Some application developers provide preference manifests, which make it easier to read and edit the application's preferences with the preference editor. You can edit an application's preference key values even if it has no preference manifest. If an application does have a preference manifest and you open the preference editor built into Workgroup Manager to edit one of its key values, you get a better description of the keys and editing is easier.

For example, if you use the preference editor with Safari, which includes a preference manifest, you can easily find and change the home page displayed when a group opens the application. Thanks to the manifest, the preference editor can provide precise descriptions of the keys and of what they do, rather than only displaying the key names, which are not always self-explanatory.

Preference manifests can be stored in an application bundle (in /Contents/Resources) or exist as standalone files.
As an administrator, these manifests help you edit and tune managed preferences (by providing names and descriptions, and by indicating which preferences are managed and how they are set). They tell you which preference editor key values an application honors and how to set those keys to achieve your goal. Preference manifests simply make the preference editor easier to read, and they are used automatically when they are associated with an application.

The settings and changes made to an application's keys are stored in directory services. When you change an application's preference key values in the preference editor, all selected users, groups, or computer lists receive those managed preferences.

Adding a managed preference by importing it from an application

You can import preference keys and values from any application's preference files. This lets you give a user an application environment identical to your own.

To import a preference file into managed preferences:
1 In Workgroup Manager, click Preferences, then click Details.
2 Make sure the correct directory is selected and that you are authenticated, then select one or more users, groups, or computer lists.
3 Click Add.
4 Select com.apple..plist in the dialog and click Add. If the application has a preference manifest, it appears in the Workgroup Manager list (in Text format).

Managed preferences that have no preference manifest are displayed in italics. Even if an application has no preference manifest, you can use the preference editor to import and add its existing preferences (located in ~/Library/Preferences/) to directory services and make end users' preferences conform to them. In this way, any application that uses Mac OS X preferences can be managed.

Editing an application's preference values

A well-behaved application honors the settings in its preference manifest. If there is no manifest, it is up to you, as administrator, to make sure the settings (editable in the preference editor) are applied. Preference management is generally more effective in Often mode. In Always mode, the preference may continue to be enforced, but the application will probably allow the end user to change it.

To edit an application's preference values:
1 In Workgroup Manager, click Preferences, then click Details.
2 Make sure the correct directory is selected and that you are authenticated, then select one or more users, groups, or computer lists.
3 Double-click an item in the list (or select the item and click Edit).
4 Locate the values to change and make your changes.
5 Click Apply, then click Done.

If you set a key to a value that differs from the value in the application's preference manifest, the preference editor tells you so in the key's edit screen. This kind of change is not prohibited, but it is not recommended.
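The import and edit procedures above come down to reading an application's .plist, matching each key against a manifest when one exists, and noticing when the value you are about to enforce differs from the manifest's own value. The following Python script is an added example, not code from the guide or from Apple: it parses a constructed preference file with the standard plistlib module, annotates each key from a constructed manifest, and lists the keys that have no manifest entry (the ones Workgroup Manager shows in italics) and the keys whose imported value departs from the manifest default (the ones the preference editor flags). The manifest layout used here, a plain dict of key to description and default, is an assumption for illustration; Apple's on-disk manifest schema is not reproduced.

```python
"""Added example (not from the guide): audit a preference file the way an
administrator reviews an import into managed preferences."""
import plistlib

# Constructed sample preference file, standing in for a
# ~/Library/Preferences/com.apple.<app>.plist exported from the admin's account.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HomePage</key>
    <string>https://intranet.example.com/</string>
    <key>AutoOpenSafeDownloads</key>
    <true/>
    <key>NewWindowBehavior</key>
    <integer>0</integer>
    <key>LastUnusedKey</key>
    <string>stale</string>
</dict>
</plist>
"""

# Constructed stand-in for a preference manifest: key -> (description, default).
# This dict layout is an assumption; real manifests live in the app bundle
# (Contents/Resources) or as standalone files with their own schema.
SAMPLE_MANIFEST = {
    "HomePage": ("Page shown when a new window opens", "https://www.apple.com/"),
    "AutoOpenSafeDownloads": ("Open 'safe' files after downloading", True),
    "NewWindowBehavior": ("What a new window shows (0 = home page)", 0),
}


def load_preferences(plist_bytes):
    """Parse an XML or binary plist into a plain dict of key -> value."""
    return plistlib.loads(plist_bytes)


def annotate_import(prefs, manifest):
    """Return one record per imported key: the manifest description when the
    key has one, and whether the imported value differs from the manifest
    default. Keys absent from the manifest are the ones shown in italics."""
    records = []
    for key, value in sorted(prefs.items()):
        if key in manifest:
            description, default = manifest[key]
            records.append({"key": key, "value": value,
                            "description": description, "has_manifest": True,
                            "differs_from_default": value != default})
        else:
            records.append({"key": key, "value": value,
                            "description": None, "has_manifest": False,
                            "differs_from_default": None})
    return records


def unmanifested_keys(records):
    """Keys the editor cannot describe: imported raw, enforced as-is."""
    return [r["key"] for r in records if not r["has_manifest"]]


def keys_overriding_defaults(records):
    """Keys whose managed value will differ from the manifest value."""
    return [r["key"] for r in records if r["differs_from_default"]]


if __name__ == "__main__":
    recs = annotate_import(load_preferences(SAMPLE_PLIST), SAMPLE_MANIFEST)
    for r in recs:
        note = "" if r["has_manifest"] else " (no manifest entry)"
        print(f"{r['key']} = {r['value']!r}{note}")
    print("overrides manifest default:", keys_overriding_defaults(recs))
```

Running the audit before clicking Add makes it obvious which keys will be pushed to every selected user, group, or computer list without any description to explain what they do, and which enforced values depart from what the application's developer documented.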
Deleting preference values with the preference editor

You can delete your applications' preferences. In other words, you can delete the modified preference values of any application included in directory services. This does not delete any preference manifests you may have.

To delete an application's preference values:
1 In Workgroup Manager, click Preferences, then click Details.
2 Select the application or bundle identifier (this can be done for only one application at a time).
3 Click Delete.

Note: No preference manifest is deleted; only the (existing) values saved in directory services through the preference editor are removed.

Chapter 10 Managing Network Views

This chapter provides information about managing the network resources that users can see and access.

With managed network views, you can control what the users of a particular computer see when they click the Network icon in the sidebar of a Finder window or choose Go > Network in the Finder. A managed network view is a list of network resources that you customize to improve the user's browsing and resource-discovery environment. You can add network resources to what a user already sees, or specify exactly which items are visible to the user. You can customize network views for an individual computer, a group of computers, or an entire subnet.
You can create managed network views that contain one or more of the following components:
• A network neighborhood, which is a set of network resources grouped together for easy access. A network neighborhood appears as a folder in a network view. A neighborhood can contain computers, other neighborhoods, and dynamic lists.
• A computer, which is any computer connected to the network. You can add computers directly to a network view or add them to a neighborhood within a network view.
• A dynamic list, which automatically generates a list of network resources to display in a neighborhood. For example, you can define a neighborhood called Marketing and display in it every active computer on the marketing department's subnet.

Types of managed network views

You can create three types of network views:
• Named view. A named view, customized to meet specific user needs, is visible only on specific client computers. To associate the view with a computer, you identify it in the computer record, or name the view with an Ethernet address, an IP address, or a subnet string. The directory in which the named view is stored must be in the client computer's search path.
• Default view. A default network view is visible on a client computer if the directory in which the view is stored is in the search path and no named view has been assigned to the computer.
• Public view. A public network view is visible on a client computer if the directory in which the view is stored does not already provide a network view to the computer. The directory can be any directory the computer is allowed to access, whether or not it is in its search path. If no public view is found in one of these directories but a default view is, the default view is displayed.

Creating a managed network view

When you create a network view, you associate network neighborhoods, computers, and dynamic lists with the view. You also define client-specific information, such as which client computers should use the view.

To create a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which you want the view to reside.
3 Click the lock to authenticate as a domain administrator for the directory.
4 Choose Server > New Network View, select the type of view to create, then click Create.
5 If you are defining a named view, type the view's name in the Layout pane. If you want the named view to be used by all computers on a particular subnet, name it with the subnet identifier (10.201.42.0/22). If you want the named view to be visible to a particular computer, you can name it with the computer's IP address or Ethernet address.
You can also specify the view's name in certain computer records (see “Enabling visibility of managed network views” on page 225).
6 In the Layout pane, add neighborhoods, computers, and dynamic lists to the view. For instructions, see “Adding neighborhoods to managed network views” on page 219, “Displaying computers in managed network views” on page 220, and “Adding dynamic lists to managed network views” on page 223.
7 Finalize the neighborhood hierarchy. Drag items up or down in the Layout pane list to add them to, or remove them from, neighborhoods. Items in the list are displayed in alphabetical order, as in the Finder. If your view contains computers and dynamic lists that you have not placed in a neighborhood, do so. Showing all resources within a neighborhood lets you assign a descriptive name to a set of resources.
8 Configure client computer settings for the view using the Settings pane. For instructions, see “Defining how client computers use managed network views” on page 224.
9 If you want the network view to be visible immediately on client computers, click Layout, then select the Enabled checkbox.
10 Click Save.

Modifying managed network views

Once you have created a managed network view, you can modify its attributes and enable or disable it.

To modify a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to modify.
5 Follow steps 6 through 9 to change the view's objects using the Layout pane.
6 To rename the view, type the new name in the Name field.
7 Use the Enabled checkbox to enable or disable availability of the view.
8 Modify the objects in the view hierarchy as you wish. Click the Add (+) button to add a neighborhood, a computer, or a dynamic list to the view. Drag the new object to the place in the view hierarchy where you want it to be visible. To remove an object from the view, select it, then click Delete (–). To edit an object in the view, select it, then click the Edit button.
9 To rearrange objects in the view hierarchy, drag them to the places in the hierarchy where you want them to be visible.
10 Click Settings to work with client settings, then follow steps 11 and 12 as needed.
11 Modify, as needed, the list of client computers on which the view is visible. Click Add (+) to make the view visible on additional client computers. Using the pop-up menu, you can create a new computer record or open the computer record drawer, from which you can drag computers into the client computer list. To stop displaying the view on a client computer, select the computer, then click Delete (–). To change the view a computer sees, select the computer, then click the Edit button. Select a view from the Network View pop-up menu, then click Save.
12 Optionally, change how often client computers check whether the view has been modified.
13 Optionally, change how the Finder displays the view.
14 Click Save to save your changes, or click Revert to return to the last saved network view.

Defining neighborhoods for managed network views

You need to create network neighborhoods to organize and present network resources logically. In the network view, a network neighborhood looks like a folder. The neighborhood can contain other neighborhoods, computers, and dynamic lists.

Adding neighborhoods to managed network views

You can add as many neighborhoods as you like to a network view. Neighborhoods let you group network resources logically and organize how your network resources are presented.

To add a neighborhood to an existing network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, click the Add (+) button, then choose New Neighborhood.
6 Type the neighborhood's name, then click Save.
Note: The Finder may be unable to display long managed network view names (more than 256 characters) because of file and folder name length limits in the file system.
7 Add at least one computer, dynamic list, or other neighborhood to the neighborhood. Click the Add button, then choose the object you want to add to the neighborhood. Then drag it into the neighborhood.
8 Repeat steps 5 through 7 as needed.
9 Click Save.

Deleting neighborhoods from managed network views

Neighborhoods you delete from a managed network view are removed from the list of resources visible in the view. Be careful when deleting neighborhoods, because you are not warned if they contain items.

To delete a neighborhood from a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, select the neighborhood to delete.
6 Click the disclosure triangle to display everything the neighborhood contains, and confirm that you really want to delete it together with everything in it. Drag objects out of the neighborhood if you want them to remain associated with the view.
7 Click the Delete (–) button or choose Server > Delete.
8 If you think you deleted objects by mistake, click Revert. Otherwise, click Save.

Defining computers for managed network views

You need to add computers to a managed network view definition if you want to give users access to specific computers in the view.

Displaying computers in managed network views

You can display a computer in a network view if it has a computer record in the directory where the network view resides. The computer record may already exist; otherwise, define a new one. A computer record may already exist because:
• the computer is managed using computer list preferences;
• the computer is already associated with another managed network view;
• the computer has been configured to use another managed network view in the directory.

To add a computer to a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view to use, then make sure the Layout pane is selected.
5 To add a computer for which a computer record already exists in the current directory, go to step 6. To create a new computer record, go to step 7. To browse for a computer, whether or not it has a computer record, go to step 8.
6 To use an existing computer record, click the Add (+) button, then select Show Computers. Drag a computer from the drawer that appears into the Layout pane.
7 To create a new computer record, click the Add (+) button, then choose New Computer. In the dialog that appears, fill in two fields. In the Name field, type the name you want to use to identify the computer when it is displayed in the view. In the URL field, type one or more URLs through which the computer can be reached.
8 You can click the Browse button to browse for and identify a computer to add. The server searches by URL for services of the standard file service types (AFP, SMB/CIFS, FTP, and NFS). You can browse all the computers you would normally see under /Network. Select a computer in the list. If the computer you select already has a computer record, a warning appears and the computer is not added to the view; to add it, use step 6. If the computer you select does not yet have a computer record, a computer record is created and the computer is added to the view.
9 Click Save.

Deleting computers from managed network views

When you delete a computer from a managed network view, it is removed from the list of resources visible in the view.

To delete a computer from a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, select the computer record you want to remove from the view. To see the computer in the list, you may need to display the contents of neighborhoods by clicking the disclosure triangles.
6 Click the Delete (–) button or choose Server > Delete.
7 If you think you deleted a computer by mistake, click Revert. Otherwise, click Save.
8 To delete other computers, repeat steps 4 through 6. You can delete more than one computer at a time by holding down the Command key while selecting computers in a network view.

Defining dynamic lists for managed network views

You can associate dynamic lists of network resources with a network view. Mac OS X Server generates these lists dynamically when a user selects them, using the service discovery protocols the server has been configured for (in Directory Access).
Adding dynamic lists to managed network views

You can automate the display of network resource lists in a managed view by using dynamic lists. Mac OS X and Mac OS X Server can use Open Directory to discover network services, such as file servers, that advertise themselves through the AppleTalk, SLP, or SMB/CIFS service discovery protocols. Use Directory Access on the server hosting the network views to enable or disable the service discovery protocols used to provide dynamic lists.

To add a dynamic list to a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, click the Add (+) button, then choose Add Dynamic List.
6 In the list that appears, select a service discovery location. You can select several locations by holding down the Command key while selecting them.
7 Click Add.
8 Click Save.

Deleting dynamic lists from managed network views

When you delete a dynamic list from a managed network view, it is removed from the list of resources visible in the view.

To delete a dynamic list from a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, select the dynamic list you want to remove from the view. You may need to display the contents of neighborhoods with the disclosure triangles to see the list.
6 Click the Delete (–) button or choose Server > Delete.
7 If you think you deleted a list by mistake, click Revert. Otherwise, click Save.
8 To delete other dynamic lists, repeat steps 4 through 7. You can delete more than one dynamic list at a time by holding down the Command key while selecting items in a network view.

Defining how client computers use managed network views

Several techniques are available for configuring computers to display managed network views and for controlling how views behave on client computers.

How a computer finds its managed network views

When a Mac OS X computer starts up, it searches the directories in its search path. If it finds a computer record for itself in one of those directories, and that record is associated with a managed network view, it uses that view and stops searching.
If the computer does not find a computer record associated with a network view, it searches the directories in its search path for a network view whose name matches one of the following criteria, in this order:
• the computer's Ethernet address;
• the computer's IP address;
• the computer's subnet string.

If it finds a network view matching one of these criteria, the computer uses that view and stops searching.

If it still has not found a network view at this point, the computer searches the directories in its search path for a default view. The first default view found is used.

After exploring its entire search path, the client computer searches all the directories it is allowed to access, both inside and outside its search path. For each directory, if it finds a public network view, it displays it in a folder bearing the name of the server hosting the directory. If it finds no public view but does find a default view, the default view is displayed in a named folder.

Enabling Visibility of Managed Network Views

Use one of the following techniques to make a named network view visible on a client computer:
• name the view after a subnet identifier that includes the computer;
• name the view after the computer's Ethernet address or IP address;
• name the view some other way and identify it in a computer record for the computer.
Then make sure the computer's search path is configured to access the directory in which the view is stored. Public and default views are accessible on any client computer that is configured to access the directories in which they are stored.

To identify a managed network view in a computer record:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want, then click Settings.
5 To assign the view to a computer that already has a computer record in the current directory, go to step 6. To assign the view to a computer that has no computer record in the current directory, go to step 7. To browse for a computer, whether or not it has a computer record, go to step 8.
6 To assign the view to a computer that has a computer record, click the Add (+) button, then select Show Computers. Drag a computer from the drawer that appears into the Settings pane.
7 To assign the view to a computer in a new computer record, click the Add (+) button, then select New Computer. In the dialog that appears, fill in two fields. In the Name field, type the name you want to use to identify the computer.
In the Ethernet ID field, type the computer's Ethernet address.
8 You can click the Browse button to look for a computer to which you want to assign the view. The server searches for computers that have the "workstation" service type; these are the computers normally displayed in /Network/My Network. If the computer you select already has a computer record, a warning appears and the computer is not added to the settings list; to add the computer, use step 6. If the computer you select has no computer record, a computer record is created and the computer is added to the list.
9 Click Save.

Disabling Visibility of Managed Network Views

If you no longer want a computer to use a particular network view, you can:
• disable the view;
• delete the view;
• dissociate the view from the corresponding computer record;
• change the view associated with the computer record.

If you named a view after a subnet identifier and no longer want the view displayed on one of the computers in that subnet, assign a different view to a computer record for that computer. The other view can be another named view or a default view.

To disable visibility of a network view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 To disable the view, go to step 6. To delete the view, go to step 7. To dissociate the view from a computer record, go to step 8. To change the view assigned to a computer record, go to step 9.
6 To disable the view, use the Layout pane. Deselect the Enabled checkbox, then click Save. None of the computers configured to use the view will be able to see it.
7 To delete the network view, choose Server > Delete.
8 To remove the view from a computer record, use the Settings pane. In the list, select the computer (or computers) for which you want to turn off visibility of the view. Then click the Remove (–) button, then click Save.
9 To replace the view assigned to a computer record with another view located in the same directory, use the Settings pane. Select the computer in the list, then click the Edit button. Select the new view from the Network View pop-up menu, then click Save. To assign a view from another directory, click the globe above the Network Views list to choose the directory and authenticate as a domain administrator for that directory. Select the view, then use the Settings pane to associate a computer record for the computer with the network view.
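The search order described under "How a Computer Finds Its Managed Network Views", together with the per-computer override described just above (a computer record taking precedence over a subnet-named view), written out as an added example; this is not Apple's code, and the Directory and Client structures, server names and addresses are constructed stand-ins for directory data, not a real Open Directory API.

```python
"""Resolution order for managed network views, as described in the section
"How a Computer Finds Its Managed Network Views", plus the per-computer
override discussed under "Disabling Visibility of Managed Network Views".

Added example, not Apple's code: Directory and Client are constructed
stand-ins for directory records, not a real Open Directory API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Directory:
    """One directory domain a client can reach (constructed structure)."""
    server: str                                   # server hosting the directory
    views: Set[str] = field(default_factory=set)  # names of named network views
    computer_records: Dict[str, str] = field(default_factory=dict)  # Ethernet ID -> view
    default_view: Optional[str] = None
    public_view: Optional[str] = None


@dataclass
class Client:
    """What the starting client knows about itself (constructed structure)."""
    ethernet: str
    ip: str
    subnet: str                                   # the client's subnet string
    search_path: List[Directory]                  # searched at startup, in order
    other_directories: List[Directory] = field(default_factory=list)  # reachable, outside the search path


def resolve_view(client: Client) -> Optional[str]:
    """Return the managed view the client uses at startup, or None.

    Order from the guide: a computer record for this machine, then a view named
    after the Ethernet address, the IP address, or the subnet string, then the
    first default view. The guide does not say whether directory order or
    criterion order is walked first; this example assumes criterion-major.
    """
    # Pass 1: a computer record for this machine that names a view ends the search.
    for d in client.search_path:
        if client.ethernet in d.computer_records:
            return d.computer_records[client.ethernet]
    # Pass 2: views named after the computer's own identifiers, in the stated order.
    for candidate in (client.ethernet, client.ip, client.subnet):
        for d in client.search_path:
            if candidate in d.views:
                return candidate
    # Pass 3: the first default view found anywhere on the search path.
    for d in client.search_path:
        if d.default_view is not None:
            return d.default_view
    return None


def public_folders(client: Client) -> Dict[str, str]:
    """Folders the client shows after resolution: one per reachable directory
    that has a public view, named after the directory's server."""
    folders: Dict[str, str] = {}
    for d in client.search_path + client.other_directories:
        if d.public_view is not None:
            folders[d.server] = d.public_view
    return folders


def sample_directories():
    """Constructed sample data (not real directory contents)."""
    main = Directory(
        server="od-master.example.com",
        views={"Lab Macs", "192.168.10"},                    # a named view and a subnet-named view
        computer_records={"00:0a:95:9d:68:16": "Lab Macs"},  # per-computer override
        default_view="Default View",
        public_view="Company Public",
    )
    branch = Directory(
        server="branch.example.com",
        views={"10.1.2.3"},                                  # a view named after one IP address
        public_view="Branch Public",
    )
    return main, branch


if __name__ == "__main__":
    main, branch = sample_directories()
    # A machine on the 192.168.10 subnet that also has a computer record: the
    # record wins over the subnet-named view, which is how a single computer
    # is excluded from a subnet view.
    c = Client("00:0a:95:9d:68:16", "192.168.10.5", "192.168.10", [main, branch])
    print(resolve_view(c), public_folders(c))
```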
Setting the Refresh Frequency of a Managed Network View

You can refresh the display of a network view at a set frequency expressed in minutes, hours, or days.

To set the refresh frequency of a view:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 In the Settings pane, specify the refresh interval you want to apply to the view.
6 Click Save.

Setting Finder Behavior with Managed Network Views

You can display a managed network view in a client computer's Finder either in place of the Finder's own list of network resources or in addition to it.

To set how managed network views are displayed in the Finder:
1 Open Workgroup Manager, then click Network.
2 Click the globe above the Network Views list and choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 In the Settings pane, select "add to network view" to keep the Finder's default display of network resources. Select "replace network view" to display only the managed network view in the Finder.
6 Click Save.
Chapter 11 Troubleshooting

This chapter offers solutions to problems you may encounter when using Workgroup Manager.

Online Help and the Apple Service and Support Website

If you don't find the answer to a question here, see the Mac OS X Server online help. You can also consult the Apple service and support website for information and solutions: docs.info.apple.com/article.html?artnum=75178

Solving Account Problems

If you have problems administering user and group accounts, follow the suggestions in this section.

You Can't Modify an Account Using Workgroup Manager

To modify an account using Workgroup Manager:
• The directory domain must be the LDAP directory of an Open Directory master, a NetInfo domain, or another read/write directory domain. Only these can be updated using Workgroup Manager.
• You must be authenticated as an administrator of the directory domain. To authenticate, click the lock (near the bottom of the Workgroup Manager window).

You Don't See Some Users in the Login Window

When you upgrade to Mac OS X 10.4 and migrate existing users to a shared directory on the new server, some users may not appear in the login window. The login window does not display users whose user ID is below 500, but those users can still log in by entering their name and password.
To configure a Mac OS X computer's login window to display network users:
1 Set up a shared directory on Mac OS X Server.
2 In Workgroup Manager, click Accounts.
3 Select a computer list that resides in the shared directory.
4 Select "Define guest computer preferences here", then click Save.
5 Click Preferences, click Login, then click Login Window.
6 Select "List of users on this computer" and "Show network users". Click Apply Now.
7 Configure a Mac OS X 10.4 computer that belongs to the computer list to use the shared directory.

You Can't Unlock an LDAP Directory

To make changes to any directory domain, you must authenticate with the name and password of an administrator of that directory. Consequently, to modify an entry in a shared LDAPv3 directory, you must authenticate in Workgroup Manager with the name and password of an administrator account in that LDAPv3 directory. (You cannot use an administrator account located in /NetInfo/root, the computer's local directory, to authenticate as an administrator of a shared LDAP directory.)

You Can't Change a User's Open Directory Password

To change the password of a user whose password type is Open Directory, you must be an administrator of the directory domain in which the user's record resides. In addition, your own user account must have an Open Directory password.
The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) has an Open Directory password. That account can be used to set up other user accounts as directory domain administrators with Open Directory passwords.

You Can't Change a User's Password Type to Open Directory

To change a user's password to Open Directory authentication, you must be an administrator of the directory domain in which the user's record resides. In addition, your own user account must be set up for Open Directory authentication.

The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) has an Open Directory password. That account can be used to set up other user accounts as directory domain administrators with Open Directory passwords.

You Can't Assign Server Administrator Privileges

To assign server administrator privileges to a user, first connect to the server in question in Workgroup Manager. Select the user account (or create a new account for the user) in a directory domain on that server, then select "User can administer the server" in the Basic pane.
Users Can't Log In or Be Authenticated

Try the following techniques to determine whether the authentication problem lies in the configuration or in the password itself:
• Reset the password to a known value, then check whether the problem persists. Try a 7-bit ASCII password, which most clients support.
• Make sure the characters in the password are supported by the authentication protocol. Leading, embedded, and trailing spaces, as well as special characters (for example, Option-8), are not supported by all protocols. For example, leading spaces work with POP or AFP, but not with IMAP.
• Make sure the keyboard the user is using can generate every character in the password.
• Basic authentication does not support many authentication methods. To increase the likelihood that a user's client applications are supported, set the user's password type to Open Directory, or suggest that the user try another application.
• If the user's account resides in a directory domain that is unavailable, you can create a user account in a directory domain that is available.
• Check that the client software encodes the password so that it is recognized correctly. For example, Open Directory recognizes UTF-8 encoded strings, which some clients may not send.
• Make sure the application and operating system the user is using support the length of the user's password.
Windows applications that use the LAN Manager authentication method, for example, handle only 14-character passwords; a longer password, even though the Windows service of Mac OS X Server supports it, then causes authentication to fail.
• If you disable Open Directory Password Server authentication methods, such as APOP or CRAM-MD5, the user's applications can no longer authenticate with the disabled methods. The Open Directory administration guide explains how to disable and enable authentication methods using a command-line tool. After enabling or disabling Open Directory Password Server authentication methods, you may need to reset the user's password.
• For tips on solving Kerberos problems, see "Users Can't Authenticate Using Single Sign-On or Kerberos" on page 234.
• If a Mac OS 8.1 to 8.6 computer cannot authenticate for Apple file service, the computer's AppleShare Client software may need to be upgraded.
• Mac OS 8.6 computers must use AppleShare Client version 3.8.8.
• Mac OS 8.1 to 8.5 clients must use AppleShare Client version 3.8.6.
• Mac OS 8.1 to 8.6 client computers for which file server volumes are mounted automatically at startup must use AppleShare Client version 3.8.3 with the DHX UAM (User Authentication Module). The DHX UAM ships with the AppleShare Client 3.8.3 installer.
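The character, space, length and encoding caveats from the list above, collected into a pre-flight check an administrator could run before resetting a user's password. This is an added example, not Apple's code: the IMAP/POP/AFP and LAN Manager rules are the ones stated in this section, the protocol names passed in are constructed labels, and the generic "not all protocols" cases are reported as warnings rather than tied to a named protocol.

```python
"""Pre-flight checks for a user's password against the compatibility caveats
listed under "Users Can't Log In or Be Authenticated": 7-bit ASCII, leading,
embedded and trailing spaces, special characters, the LAN Manager
14-character limit, and the UTF-8 encoding the client sends.

Added example, not Apple's code. Protocol names are constructed labels.
"""
from typing import Iterable, List, Tuple

LAN_MANAGER_MAX_LEN = 14          # LAN Manager authentication handles only 14 characters
LEADING_SPACE_BREAKS = {"IMAP"}   # leading spaces work with POP or AFP, but not IMAP

Finding = Tuple[str, str]         # (short code, human-readable explanation)


def check_password(password: str, protocols: Iterable[str]) -> List[Finding]:
    """Return the compatibility problems a password may hit for the given
    client protocols; an empty list means none of the listed caveats apply."""
    protocols = {p.upper() for p in protocols}
    findings: List[Finding] = []

    # Not every authentication protocol supports characters outside 7-bit ASCII
    # (the guide's example is the bullet typed with Option-8).
    if not password.isascii():
        bad = sorted({ch for ch in password if ord(ch) > 127})
        findings.append(("non-ascii",
                         f"non-ASCII characters {bad}; try a 7-bit ASCII password"))

    # Leading spaces are accepted by POP and AFP but rejected by IMAP.
    if password.startswith(" "):
        for p in sorted(protocols & LEADING_SPACE_BREAKS):
            findings.append(("leading-space", f"leading space is not supported by {p}"))

    # Embedded and trailing spaces are not supported by every protocol.
    if password.rstrip(" ") != password or " " in password.strip(" "):
        findings.append(("space",
                         "embedded or trailing spaces are not supported by all protocols"))

    # Windows clients using LAN Manager authentication handle only 14 characters,
    # even though the Mac OS X Server Windows service itself accepts longer ones.
    if "LAN MANAGER" in protocols and len(password) > LAN_MANAGER_MAX_LEN:
        findings.append(("lm-length",
                         f"{len(password)} characters exceeds the LAN Manager "
                         f"limit of {LAN_MANAGER_MAX_LEN}"))
    return findings


def client_encoding_matches(raw_from_client: bytes, password: str) -> bool:
    """Open Directory expects UTF-8: return True only if the bytes a client sent
    decode as UTF-8 to the password the administrator set."""
    try:
        return raw_from_client.decode("utf-8") == password
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed sample passwords and client protocols.
    for pw, protos in ((" secret", ["IMAP", "POP"]), ("Pässw•rd", ["AFP"]),
                       ("a-very-long-password-1", ["LAN Manager"]), ("Secret123", ["IMAP"])):
        print(repr(pw), protos, check_password(pw, protos))
    # Constructed example: a client that sends Latin-1 bytes instead of UTF-8.
    print(client_encoding_matches("Pässword".encode("latin-1"), "Pässword"))
```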
Users Who Depend on a Password Server Can't Log In

If your network contains a server running Mac OS X Server 10.2, it may be configured to obtain authentication from an Open Directory Password Server hosted by another server. If the Password Server computer is disconnected from the network, for example because you unplugged the cable from the computer's Ethernet port, users whose passwords are validated by the Password Server cannot log in because its IP address is unreachable. Users can log in to Mac OS X Server once you reconnect the Password Server computer to the network. While the Password Server computer is offline, users can log in with user accounts whose password type is Crypt Password or Shadow Password.

Users Can't Log In with Accounts in a Shared Directory Domain

Users cannot log in with accounts in a shared directory domain if the server hosting the directory is unreachable. A server can become unreachable because of a problem with the network, with the server software, or with the server hardware. Problems with the server's hardware or software affect users trying to log in to Mac OS X computers and users trying to log in to the Windows domain of a Mac OS X Server PDC. Network problems may affect some users and not others, depending on where the network problem lies. Users who have mobile user accounts can still log in to the Mac OS X computers they used previously.
And users affected by these problems can log in with a local user account defined on the computer, such as the user account created during initial setup after Mac OS X was installed.

Users Can't Access Their Home Directories

Check that users have access both to the share point where their home directories are located and to the home directories themselves. Users need read access to the share point and read and write access to their home directories.

Some Users Can't Change Their Passwords

Users who have accounts in the server's LDAP directory and whose password type is "Crypt Password" cannot change their password after logging in from a client computer running Mac OS X 10.3. These users can change their password if you use the Advanced pane of Workgroup Manager to change the Password Type setting of their account to Open Directory. When you make this change, you must also enter a new password. Then tell the users to log in with this new password and change it in the Accounts pane of System Preferences.

A Mac OS X User in a Shared NetInfo Domain Can't Log In

This problem occurs when a user tries to log in to a Mac OS X computer using an account in a shared NetInfo domain while the server hosting that domain is unreachable. The user can log in to the Mac OS X computer using the local user account created automatically when the computer was configured to use a NetInfo account.
The user name "Administrator" is proposed by default (along with the short name "admin"), although you can change both names when the user ID and password are created at the time the account is created.

Users Can't Authenticate Using Single Sign-On or Kerberos

If authentication of a user or service using Kerberos fails, try the following:
• Kerberos authentication is based on encrypted timestamps. If there is more than a 5-minute difference between the key distribution center, the client computer, and the service computer, authentication may fail. Make sure the clocks of all computers are synchronized using the Network Time Protocol (NTP) service of Mac OS X Server or another network time server. For information about the Mac OS X NTP service, see the network services administration guide.
• Make sure Kerberos authentication is enabled for the service in question.
• If a Kerberos server used for password validation is unavailable, reset the user's password so that an available server is used.
• Make sure the server providing the Kerberos service has direct access to the directory domains containing the accounts of users authenticated through Kerberos. The AFP, mail, and other kerberized services of the server always have access to user accounts in the local directory domain and in any LDAP directory domain of the server. For information about configuring access to directory domains on other servers, see the Open Directory administration guide.
• For information that may help solve certain problems, consult the key distribution center log (kdc.log). Incorrect configuration information, such as incorrect configuration file names, can be detected with these logs.
• If users cannot authenticate using single sign-on or Kerberos for services provided by a server joined to the Kerberos realm of an Open Directory master, the server's computer record may be misconfigured in the LDAP directory of the Open Directory master. In particular, the server's name in the computer list must match the server's fully qualified DNS name, not just the server's host name. For example, the name could be server2.example.com, but not just server2.

To reconfigure a server's computer record for single sign-on and Kerberos authentication:
1 Remove the server from the computer list in the LDAP directory.
2 Add the server back to the computer list.
3 Delegate authority again for joining the server to the Kerberos realm of the Open Directory master.
4 Join the server again to the Open Directory master for single sign-on and Kerberos authentication.

For detailed instructions, see "Adding Computers to an Existing Computer List" on page 119, "Removing Computers from a Computer List" on page 121, and the Open Directory administration guide.

Solving Preference Management Problems

This section describes some of the problems you may encounter when using Workgroup Manager to configure accounts or manage Mac OS X clients. It also provides troubleshooting tips and possible solutions.
If the problem you are experiencing is not solved here, see the Workgroup Manager online help topics or consult the Apple service and support website (www.apple.com/fr/support/).

You Can't Enforce Default Web Settings

If you manage Internet preferences using Workgroup Manager and set a default web browser, a default home or search page, or a specific location for storing downloaded files, some applications may not accept these settings. You may need to set a default home page using the application's own preference settings instead.

You Can't Enforce Default Mail Settings

If you manage Internet preferences using Workgroup Manager and set a default email reader, email address, or mail servers, some applications may not accept these settings. You may need to use the preferences of the email application on the client computer instead.

Users Don't See a Workgroup List at Login

If a network account user does not see a workgroup list at login:
• The user may belong to only one group or to no group. Hold down the Option key during login to display the workgroup list.
• The user's computer may not belong to any computer list. Add it to a computer list or to the Guest Computers list.

If a local account user does not see a workgroup list at login:
• The user's computer may not be associated with any workgroup.
Assign one or more groups to the computer list (or to the Guest Computers list) that the computer belongs to.
• The user's computer may not belong to any computer list. Add it to a computer list or to the Guest Computers list.

Users Can't Open Files

Normally, when users double-click a file in the Finder or select a file to open using the Finder's File menu, an appropriate default application opens the file. If users work in a managed environment, this method may not work. Suppose, for example, that the Preview application is the default for reading PDF files. A user logs in, then double-clicks a PDF file on the desktop. If the management settings applied to that user do not allow access to Preview, the file cannot be opened this way. If the user is allowed to access another application that can read PDF files, the user can launch that application to open the file.

To make sure the most commonly used applications are accessible to users, groups, or computer lists, use Workgroup Manager to add the application to the list in the Applications preferences pane.

Users Can't Add Printers to the Printer List

Users can add printers to the Printer Setup Utility printer list if you select Always as the management option for printer preferences, then choose "Allow user to add printers to printer list".
However, if the user tries to print a document from an application, the printers the user added will not appear in the list of available printers. Workgroup Manager lets administrators restrict access to printers or make any number of printers available to specific users, groups, or computer lists using the Printer List pane of the Printing preferences.

Note: If "Allow user to add printers to printer list" is not selected, an administrator password is required to add printers to or remove them from Printer Setup Utility.

Login Items Added by a User Don't Open

Workgroup Manager lets you use login item settings to specify the items that open automatically when a user logs in. The set of items that open at login depends on those specified for the user, for the computer being used, and for the group chosen at login. A user can add extra login items if allowed to do so. However, if you select Once as the management option for login items, any item added by the user is removed the next time the user logs in. The user can then add other login items again if allowed to do so.

Dock Items Placed by a User Are Missing

Workgroup Manager lets you use Dock item settings to specify the items that appear in a user's Dock.
The set of items in a user's Dock depends on the items specified for the user, for the computer being used, and for the group chosen at login. A user can add extra items to the Dock if allowed to do so. However, if you select Once as the management option for Dock items, any item added by the user is removed the next time the user logs in. The user can then place extra items in the Dock again if allowed to do so.

A User's Dock Has Duplicate Items

When you use Workgroup Manager to set the same Dock item preferences for several account types (user, group, or computer), a managed user's Dock may contain duplicate items. For example, an application icon may appear several times in the user's Dock. This has no effect on the Dock items; all of them work normally. You can correct this problem by removing the Dock item settings from all the affected accounts, then defining them again.

A Question Mark Appears in Users' Docks

You can use Workgroup Manager to control the items a user sees in the Dock. Dock items are actually aliases that point to original items stored elsewhere, such as on the hard disk or on a remote server. If the original items are located on a remote server and the user is not connected to that server, the corresponding Dock items appear as question marks. The user can click a question mark to reconnect to a server (the server may prompt the user for a password).
Once the user is connected to the server that holds the original items, the Dock icons return to their normal appearance and can be clicked to open the corresponding item.

An unexpected error message is displayed to users
If you manage Classic preferences and try to use the Extensions Manager, File Sharing and Software Update control panels, a message such as "The operation could not be completed because of an unexpected error (error code 1016)" may be displayed. This message indicates that an administrator has restricted access to the item the user is trying to reach, for example by preventing that user from opening a specific application. Users are not allowed to access the control panels listed above when Classic preferences are managed. This type of message can also be shown to users if you chose Hide Chooser and Network Browser and they try to use the Chooser. The message also appears if a user tries to open an unapproved application (one not listed in the Items pane of Applications preferences in Workgroup Manager), whether in the Classic environment or in Mac OS X.

Appendix A Importing and Exporting Account Information
Appendix A provides instructions for importing and exporting account information. Several tools, such as Workgroup Manager and dsimport, are available for exporting and importing accounts.
What can be exported and imported
Mac OS X Server includes export capabilities built into Workgroup Manager. Export is now a two-step process performed from any of the three Accounts panes of Workgroup Manager: Users, Groups and Computer Lists. Any information you can highlight in the Workgroup Manager Accounts panes can be exported simply by choosing Server > Export. This applies to one or more users in the Users pane, one or more groups in the Groups pane, or one or more computers or lists in the Computer Lists pane of Workgroup Manager Accounts. The Open Directory administration guide lists many record types and their best-known attributes, and describes how to view and change the attributes allowed for each record type in a particular LDAP directory.

You can import all the record types listed in Workgroup Manager, including but not limited to the following: users, groups, computer lists, computers and so on. Starting with Mac OS X 10.4, you can even import partial attributes of individual records, such as the UserName, UserData, FirstName, MiddleName, LastName, AllNames, ENetAddress, NetDomains, NetGroups, HostServices, People, Locations and SharePoints attributes, among others. You can even combine attributes from different records to import any set of information you can generate manually.
You can use the dsimport tool to import any number of records from a delimited text file, using any of the attributes defined in the following file:
/System/Library/Frameworks/DirectoryService.framework/Headers/DirServicesConst.h
The only required attribute in a record is the record name.

Note: you will need to reset the password of user accounts whose password type is Open Directory. Importing passwords generally works only if the password is stored as a text string in the import file, because the password format stored in standard password files cannot be recovered from the encrypted form in which it is saved.

The Open Directory administration guide describes how the user and group account attributes you can import vary with the type of import file, for example:
• XML files created with Mac OS X Server version 10.1 or earlier
• XML files created with AppleShare IP 6.3
• Character-delimited files

You cannot use an import file to change the following predefined users: daemon, root, nobody, unknown or www; nor the following predefined groups: admin, bin, daemon, dialer, mail, network, nobody, nogroup, operator, staff, sys, tty, unknown, utmp, uucp, wheel or www. You can, however, add users to the wheel and admin groups.

Note: passwords cannot be exported with Workgroup Manager or by any other method. If you import user accounts from an exported file, remember to set the passwords manually, or give the password attribute a known default value that can be changed later.
Using Workgroup Manager to import users and groups
You can use Workgroup Manager to import user and group accounts into the LDAP directory of an Open Directory master or into a NetInfo domain. When a file is imported, Workgroup Manager automatically identifies the record format. For information about creating files to import, see the following sections:
• "Using XML files created with Mac OS X Server 10.1 or earlier" on page 245
• "Using XML files created with AppleShare IP 6.3" on page 246
• "Using character-delimited files" on page 247

To import accounts using Workgroup Manager:
1 Create a character-delimited or XML file containing the accounts to import, then place it where it can be reached from the server on which you use Workgroup Manager.
The LDAP directory of an Open Directory master supports up to 100,000 records. For local NetInfo databases, make sure the file contains no more than 10,000 records.
2 In Workgroup Manager, click Accounts, then click the globe icon below the toolbar and choose the directory domain into which you want to import the accounts.
3 Click the lock to authenticate as a domain administrator.
4 Optionally, define a user account preset in the server's LDAP directory. When you create a preset for importing user accounts, set password options so that users are forced to change their password at their next login.
That way, you do not need to specify individual passwords for each user in the export file, or in Workgroup Manager after the users are imported. To reach the password options, click Advanced, then Options. See "Creating a preset for user accounts" on page 72.
5 You can also define a group account preset in the server's LDAP directory. See "Creating a preset for group accounts" on page 102.
6 Choose Import from the Server menu, then select the import file.
7 Select one of the Duplicate Handling options to specify what to do if the short name of an account being imported is identical to that of an existing account.
The Overwrite existing record option deletes any existing record in the directory domain.
The Ignore new record option skips the account in the import file.
The Append to empty fields option merges data from the import file into the existing account when the data correspond to an attribute that has no value.
The Append to existing record option adds data to the data already present in a particular multi-valued attribute of the existing account. No duplicates are created. This option can be used, for example, to import new members into an existing group.
8 If you wish, choose a user preset and/or a group preset from the user presets or group presets pop-up menus.
9 In the First user ID field, you can enter the user ID from which to start assigning IDs to new user accounts for which the import file contains no user ID.
10 In the Primary group ID field, you can enter the group ID to assign to new user accounts for which the import file contains no primary group ID.
11 Click Import to start the import.

Using Workgroup Manager to export users and groups
With Workgroup Manager, you can export user and group accounts from the LDAP directory of an Open Directory master or from a NetInfo domain to a character-delimited file, which can in turn be imported into a different NetInfo or LDAP domain.
To export accounts using Workgroup Manager:
1 In Workgroup Manager, click Accounts, then click the globe icon below the toolbar and choose the directory domain from which you want to export accounts.
2 Click the lock to authenticate as a domain administrator.
3 Click the Users button to export users, or the Groups button to export groups.
4 To export all the accounts in the list, select them all. To export a specific account, select it. To export several accounts, select them while holding down the Command or Shift key.
5 Choose Export from the Server menu.
6 Specify the name and location for the export file.
7 Click Export.
Using dsimport to import users and groups
You can use the dsimport command-line tool to import user and group accounts into a directory. dsimport supports three levels of logging through the -l option. For instructions, see the man page or the command-line administration guide.

Using XML files created with Mac OS X Server 10.1 or earlier
You can use Server Admin to create an export file from Mac OS X Server version 10.1 or earlier, then import that file into the LDAP directory of an Open Directory master or into a NetInfo domain using Workgroup Manager or dsimport. The user attributes below are exported in these XML files. Attributes in angle brackets (<>) are required and generate an error message if they are missing when you use the file as an import file:
• indicator of whether a user can log in
• indicator of whether a user is a server administrator
•
• shell
• comment
• and
• Apple mail data
• ara (Apple Remote Access; this data is ignored)

The following group account attributes can appear in these XML files:
•
• short names of other members

Using XML files created with AppleShare IP 6.3
You can use the Web & File Admin application to create an export file on an AppleShare IP 6.3 server, then import that file into the LDAP directory of an Open Directory master or into a NetInfo domain using Workgroup Manager or dsimport. The user attributes below are exported in these XML files.
Attributes in angle brackets (<>) are required and generate an error message if they are missing when you use the file as an import file:
• (associated with a full name)
• inetAlias (associated with a short name)
• comment
• indicator of whether a user can log in
• and
• Apple mail data
• indicators of whether the user is a server administrator, whether the password has changed, and whether a password change is forced (this data is ignored)

When you import this XML file with dsimport, the tool generates user IDs: the -s parameter sets the starting user ID, and the user ID of each subsequently imported account is incremented by one. It generates primary group IDs using the -r parameter. When you import with Workgroup Manager, user IDs and primary group IDs are generated as specified in the import dialog.

The following group account attributes can appear in these XML files:
•
• short names of other members

When you import this XML file with dsimport, the tool generates group IDs: the -r parameter sets the starting group ID, and the group ID of each subsequently imported account is incremented by one. When you import with Workgroup Manager, group IDs are generated from the primary group ID information supplied in the import dialog.
Using character-delimited files
You can create a character-delimited file with Workgroup Manager or dsimport by exporting accounts from the LDAP directory of an Open Directory master or from a NetInfo domain to a file. You can also create a character-delimited file manually, or with a database or spreadsheet application.
The first record in the file must describe the format of every account in the file. There are three options:
• write a full record description;
• use the StandardUserRecord shortcut;
• use the StandardGroupRecord shortcut.
The remaining records in the file describe user and group accounts, encoded in the format described by the first record.

Writing a record description
A record description identifies the fields of each record that you want to import from a character-delimited file, indicates how records, fields and values are separated, and names the escape character that precedes special characters in a record. Encode the record description with the following elements, in the order given and separated by spaces:
• end-of-record indicator (in hex notation);
• escape character (in hex notation);
• field separator (in hex notation);
• value separator (in hex notation);
• type of accounts in the file (DSRecTypeStandard:Users or DSRecTypeStandard:Groups);
• number of attributes per account;
• list of attributes.
For user accounts, to be complete the attribute list must have a record name and contain the following information:
• RecordName (the user's short name)
• RealName (the user's full name)
• NFS home directory
• Password
• UniqueID (user ID)¹
• PrimaryGroupID¹
In addition, you can include:
• UserShell (the default shell)
• NFSHomeDirectory (the path to the user's home directory on the user's computer)
• Other types of user data described in the Open Directory administration guide
For group accounts, the attribute list must contain the following attributes:
• RecordName (the group name)
• PrimaryGroupID (the group ID)
• GroupMembership
Here is an example of a record description:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7 RecordName Password UniqueID PrimaryGroupID RealName NFSHomeDirectory UserShell
Here is an example of a record encoded with this description:
jim:Adl47E$:408:20:J. Dupont, Jean:/Network/Servers/somemac/Homes/jim:/bin/csh
A record consists of values delimited by colons. Use a double colon (::) to indicate a missing value.
When you import user passwords, you can insert the following in the attribute list to set the user's password type to Open Directory:
dsAttrTypeStandard:AuthMethod
¹ You can omit these if you specify a starting user ID and a default primary group ID when you import the file.
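As an added example (not Apple's dsimport code and not part of the original guide), the following Python parser reads an import file in the character-delimited format just described: it decodes the record description, handles the escape character in a single pass so that an escaped separator is never split, treats an empty field as a missing value, and runs a few pre-import checks implied by the text. The sample embeds the page's own record description and "jim" record; the "ana" and "root" records are constructed for this example, and the StandardUserRecord and StandardGroupRecord shortcuts are recognised but not expanded because the text does not give their layout.

```python
from dataclasses import dataclass

STD_ATTR_PREFIX = "dsAttrTypeStandard:"
# Predefined users that, per the text above, an import file may not change.
RESERVED_USERS = {"daemon", "root", "nobody", "unknown", "www"}

@dataclass
class RecordDescription:
    record_end: str   # end-of-record indicator, e.g. 0x0A -> "\n"
    escape: str       # escape character, e.g. 0x5C -> "\\"
    field_sep: str    # field separator, e.g. 0x3A -> ":"
    value_sep: str    # value separator, e.g. 0x2C -> ","
    record_type: str  # dsRecTypeStandard:Users or dsRecTypeStandard:Groups
    attributes: list  # attribute names with the optional prefix stripped

def strip_prefix(name: str) -> str:
    """The dsAttrTypeStandard: prefix may be present or omitted; normalise it away."""
    return name[len(STD_ATTR_PREFIX):] if name.startswith(STD_ATTR_PREFIX) else name

def parse_description(line: str) -> RecordDescription:
    """Parse the first record: four hex codes, record type, attribute count, attribute list."""
    parts = line.split()
    if parts and parts[0] in ("StandardUserRecord", "StandardGroupRecord"):
        # The shortcuts are named in the text but their layout is not, so they are not expanded.
        raise ValueError(f"{parts[0]} shortcut is not expanded by this parser")
    if len(parts) < 6:
        raise ValueError("record description needs at least six space-separated items")
    rec_end, esc, fsep, vsep = (chr(int(p, 16)) for p in parts[:4])
    count, attrs = int(parts[5]), [strip_prefix(a) for a in parts[6:]]
    if count != len(attrs):
        raise ValueError(f"declared {count} attributes but listed {len(attrs)}")
    return RecordDescription(rec_end, esc, fsep, vsep, parts[4], attrs)

def parse_record(desc: RecordDescription, line: str) -> dict:
    """Map one data record to {attribute: [values]}.
    One pass handles the escape character and both separators together, so an escaped
    separator becomes a literal character and is never split on later. An empty field
    (the "::" case) means the attribute has no value and yields []."""
    fields, values, cur, i = [], [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == desc.escape and i + 1 < len(line):
            cur.append(line[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == desc.field_sep:
            values.append("".join(cur))
            fields.append(values)
            values, cur = [], []
        elif ch == desc.value_sep:
            values.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    values.append("".join(cur))
    fields.append(values)
    if len(fields) != len(desc.attributes):
        raise ValueError(f"expected {len(desc.attributes)} fields, got {len(fields)}")
    return {name: ([] if vals == [""] else vals) for name, vals in zip(desc.attributes, fields)}

def parse_import_file(text: str) -> tuple:
    """Return (description, records); the description line is assumed to end with a newline."""
    first, _, rest = text.partition("\n")
    desc = parse_description(first)
    return desc, [parse_record(desc, r) for r in rest.split(desc.record_end) if r != ""]

def audit(desc: RecordDescription, records: list) -> list:
    """Pre-import checks drawn from the text: predefined user names that cannot be changed,
    records lacking a UniqueID, and a RealName split because its comma was not escaped."""
    findings = []
    for rec in records:
        name = (rec.get("RecordName") or ["<unnamed>"])[0]
        if desc.record_type.lower().endswith("users") and name in RESERVED_USERS:
            findings.append(f"{name}: predefined user, cannot be changed by import")
        if "UniqueID" in desc.attributes and not rec["UniqueID"]:
            findings.append(f"{name}: no UniqueID; a starting user ID is needed at import")
        if len(rec.get("RealName", [])) > 1:
            findings.append(f"{name}: RealName has {len(rec['RealName'])} values; "
                            "escape the value separator inside the name")
    return findings

# Constructed sample: the page's 7-attribute description and its "jim" record (whose
# RealName holds an unescaped comma), plus two records made up for this example.
SAMPLE = "\n".join([
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7 RecordName Password UniqueID "
    "PrimaryGroupID RealName NFSHomeDirectory UserShell",
    r"jim:Adl47E$:408:20:J. Dupont, Jean:/Network/Servers/somemac/Homes/jim:/bin/csh",
    r"ana:Xk9pq7:409:20:Dupont\, Ana:/Network/Servers/somemac/Homes/ana:/bin/bash",
    r"root::::System Administrator:/var/root:/bin/sh",
])
```

Running `audit(*parse_import_file(SAMPLE))` shows that the comma in the page's "jim" record turns RealName into two values, while the escaped comma in the "ana" record keeps the name whole.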
The method for setting an imported user's password type to Open Directory requires the imported data to contain a password value. If the password value is absent for a user, the corresponding user record is created with a crypt or shadow password type.
Then insert the following in the formatted record (in this example, the user's password is "mdp"):
dsAuthMethodStandard\:dsAuthClearText:mdp
Note: in this example, the colon (:) is the field separator. Because the description of this attribute contains a colon, the escape character must be used to indicate that the colon is not to be treated as a delimiter. The escape character in this example is the backslash (\). If the field separator is a character other than the colon, no escape character is needed.
Here is an example of a header from a standard user import file containing users who use the password server. It must be entered as a single line of text in which the elements are separated by spaces, with no line breaks, as shown below.
Even though your browser wraps the text to fit the screen, you can verify that the line contains no line breaks by copying and pasting it into a text editor with word wrap turned off:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 8 dsAttrTypeStandard:RecordName dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:Comment dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell
Here is an example of a record formatted with the following attributes and values:
Record name (short name): jdupont
Authentication method: dsAuthClearText
Password: mdp1
Unique ID: 1242
Primary group ID: 20
Comment:
Real name (full name): Jean Dupont
User shell: /bin/tcsh
jdupont:dsAuthMethodStandard\:dsAuthClearText:mdp1:1242:20::Jean Dupont:/bin/tcsh
Note: in this example, colons (:) are again used as field separators and the backslash (\) as the escape character.
As these examples show, you can either use the dsAttrTypeStandard: prefix when referring to an attribute, or omit it. When Workgroup Manager exports character-delimited files, it uses the prefix in the generated file.

Appendix B ACL Permissions and Group Membership via GUID
Mac OS X Server 10.4 provides a new user and group attribute for determining file system permissions and group membership.
Mac OS X 10.4 thus departs from historical UNIX practice, which was to:
• base file system permissions solely on the UID and GID attributes;
• base group membership on the user's short name.
This change lets Mac OS X 10.4 add ACLs to the standard POSIX file system permissions. It also lets Mac OS X 10.4 preserve group membership when user short names change, and manage nested group membership. This added functionality neither removes nor modifies POSIX permissions, and it does not affect the interoperability of Mac OS X with legacy UNIX systems or other operating systems.

Important: after upgrading to Mac OS X Server 10.4 or migrating your server to it, it is strongly recommended that you create a new backup by exporting the existing user and group accounts, which now carry GUID attributes. If you later need to restore user or group accounts, this new export file lets you import the users and groups while preserving their new GUIDs.

Role of GUIDs
Starting with Mac OS X 10.4, a universal identifier called a GUID (Globally Unique Identifier, pronounced "goo-id") provides user and group identity for ACL permissions. The GUID also associates a user with group and nested group memberships.
The Mac OS X Server 10.2 and later administration tools already assign a new GUID automatically to each new user account and each imported user account, but Mac OS X 10.4 is the first version to use GUIDs and to include them in export files.
The GUID is a hidden attribute. To display the GUID attribute, use the Workgroup Manager Inspector. Now, even though two users can have identical long names, short names, user IDs and group IDs, they nonetheless have different GUIDs. They can therefore have different ACL permissions and belong to different groups. Because the GUID is a 128-bit value, the probability of duplicates is extremely low.
As an administrator, you must now make sure that user accounts can be restored with their GUIDs preserved. Restoring user accounts with their UID, GID and short name but without their GUID does not restore ACL permissions or group membership under Mac OS X 10.4 or later.

ACLs complement POSIX permissions
An ACL is a list of access control entries (ACEs), each of which specifies the permissions granted or denied to a user or group for access to a folder and its contents. ACLs also specify how their permissions are propagated through file hierarchies. You can define ACL permissions in addition to the standard POSIX permissions. Every file or folder always has POSIX permissions. Unless an administrator assigns ACL permissions, the POSIX permissions continue to determine the access users have on a Mac OS X 10.4 system. If you assign ACL permissions, they take precedence over the standard POSIX permissions. For more about ACL and POSIX permissions, see the file services guide.
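To make the GUID argument concrete, here is an added Python model (not Apple's implementation, and not from the guide) of accounts, nested groups and a folder carrying both POSIX bits and an ACE: membership and ACEs are matched by GUID, so accounts re-created by hand with the same UID, GID and short name lose ACL access, while accounts restored from an export file that carries the GUID keep it. The export record keys GeneratedUID, GroupMembers and NestedGroups are assumed attribute names, and the first-matching-ACE rule is a simplification chosen for this example.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class User:
    short_name: str
    uid: int
    gid: int
    guid: str

@dataclass
class Group:
    short_name: str
    gid: int
    guid: str
    members: set = field(default_factory=set)  # GUIDs of member users
    nested: set = field(default_factory=set)   # GUIDs of member groups

@dataclass
class ACE:
    guid: str         # GUID of the user or group this entry applies to
    allow: bool
    perms: frozenset  # e.g. frozenset({"read"})

@dataclass
class Node:
    owner_uid: int
    group_gid: int
    mode: int                                # POSIX bits, e.g. 0o750
    acl: list = field(default_factory=list)  # ACEs stored with the file

class Directory:
    def __init__(self):
        self.users, self.groups = {}, {}

    def add_user(self, short_name, uid, gid, guid=None) -> User:
        # Like the 10.2+ admin tools, a fresh GUID is assigned unless one is supplied.
        u = User(short_name, uid, gid, guid or str(uuid.uuid4()).upper())
        self.users[short_name] = u
        return u

    def add_group(self, short_name, gid, guid=None, members=(), nested=()) -> Group:
        g = Group(short_name, gid, guid or str(uuid.uuid4()).upper(), set(members), set(nested))
        self.groups[short_name] = g
        return g

    def is_member(self, user_guid, group_guid, seen=frozenset()) -> bool:
        """Group and nested-group membership are resolved by GUID, never by short name."""
        grp = next((g for g in self.groups.values() if g.guid == group_guid), None)
        if grp is None or group_guid in seen:  # unknown group, or a nesting cycle
            return False
        return user_guid in grp.members or any(
            self.is_member(user_guid, n, seen | {group_guid}) for n in grp.nested)

    def export(self) -> dict:
        """Export records carry the GUID, as 10.4 export files do (attribute names assumed)."""
        users = [{"RecordName": u.short_name, "UniqueID": u.uid, "PrimaryGroupID": u.gid,
                  "GeneratedUID": u.guid} for u in self.users.values()]
        groups = [{"RecordName": g.short_name, "PrimaryGroupID": g.gid, "GeneratedUID": g.guid,
                   "GroupMembers": sorted(g.members), "NestedGroups": sorted(g.nested)}
                  for g in self.groups.values()]
        return {"users": users, "groups": groups}

    def import_records(self, export: dict) -> None:
        # A file lacking GeneratedUID would mint new GUIDs here: the loss the text warns about.
        for r in export["users"]:
            self.add_user(r["RecordName"], r["UniqueID"], r["PrimaryGroupID"], r.get("GeneratedUID"))
        for r in export["groups"]:
            self.add_group(r["RecordName"], r["PrimaryGroupID"], r.get("GeneratedUID"),
                           r.get("GroupMembers", ()), r.get("NestedGroups", ()))

def can_access(d: Directory, user: User, node: Node, perm: str) -> bool:
    """ACEs, matched by GUID, take precedence; the POSIX bits (UID/GID) decide otherwise.
    Simplification: the first ACE naming the user or one of their groups decides."""
    for ace in node.acl:
        if perm in ace.perms and (ace.guid == user.guid or d.is_member(user.guid, ace.guid)):
            return ace.allow
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    shift = 6 if user.uid == node.owner_uid else 3 if user.gid == node.group_gid else 0
    return bool((node.mode >> shift) & bit)

def restore_scenario() -> tuple:
    """Read access: before loss, after re-creation by hand without GUID, after restore."""
    d = Directory()
    alice = d.add_user("alice", 501, 20)
    eng = d.add_group("engineering", 1001, members={alice.guid})
    staff = d.add_group("allstaff", 1002, nested={eng.guid})
    # Folder owned by root:wheel, mode 750, plus an ACE letting allstaff read it.
    shared = Node(0, 0, 0o750, [ACE(staff.guid, True, frozenset({"read"}))])
    before = can_access(d, alice, shared, "read")
    backup = d.export()
    d2 = Directory()  # accounts lost, then re-created by hand: same names, UID and GID
    alice2 = d2.add_user("alice", 501, 20)
    eng2 = d2.add_group("engineering", 1001, members={alice2.guid})
    d2.add_group("allstaff", 1002, nested={eng2.guid})
    recreated = can_access(d2, alice2, shared, "read")  # the ACE's GUID no longer matches
    d3 = Directory()  # restored from the export file, GUIDs included
    d3.import_records(backup)
    return before, recreated, can_access(d3, d3.users["alice"], shared, "read")
```

`restore_scenario()` returns (True, False, True): the hand-rebuilt account falls through to the POSIX "other" bits of the folder, while the account restored with its GUID still matches the nested-group ACE.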
GUIDs and groups
Mac OS X 10.4 checks group and nested group membership using GUIDs. A group's GUID is also used by file system ACLs and is stored on disk in the ACE. The legacy user short name is used only if the group record contains no GUID.

Permissions and file synchronization
For files synchronized between two computers to have the same POSIX permissions, their UIDs must be identical on both computers. For them to have the same ACL permissions on both computers, the GUIDs must match as well. This can be achieved with Workgroup Manager, with command-line directory editing tools or, more simply, by sharing the same directory between the two computers.
Portable Home Directories (PHDs) require the user to have the same GUID in the local user account on the user's computer and in the network user account on an Open Directory server. This ensures that file permissions are identical whether the user logs in with the local user account (when disconnected from the network) or with the network user account.
For information about implementing GUIDs in directories, see the Open Directory administration guide.

Security identifier (SID) and Windows interoperability
Security identifiers (SIDs) on Windows systems serve functions similar to those of GUIDs on Mac OS X systems.
Whenever Mac OS X assigns a GUID to a process or file, a SID is assigned as well. This lets Mac OS X systems work transparently with Windows systems.

Importing and exporting users
Having an export file that contains a GUID for each user and group lets you quickly restore users and groups with their file permissions and group memberships intact. The GUID attribute is automatically included when you export user records from Workgroup Manager or from the command line under Mac OS X Server 10.4.
If you lose user accounts and create new accounts with the same user IDs (UIDs), group IDs (GIDs) and short names as the lost accounts, the new accounts receive new GUIDs. A user's new GUID will not match the previous GUID, so the user does not keep the old ACL permissions or group memberships. Likewise, if you import users or groups from a file that contains no GUID attribute, Mac OS X Server assigns new GUIDs to each imported user and group.

Glossary
This glossary defines the terms and abbreviations that appear in the online help or in the various Mac OS X Server reference manuals. References to terms defined elsewhere in this glossary appear in italics.
administrator  A user with server or directory domain administration permissions. Administrators are always members of the predefined "admin" group.
dynamic IP address  An IP address assigned for a limited time, or until the client computer no longer needs it.
static IP address  An IP address permanently assigned to a computer or device.
AFP  Apple Filing Protocol. A client/server protocol used by Apple file service on Macintosh-compatible computers to share file and network services. AFP uses TCP/IP and other protocols for communication between computers on a network.
authentication authority attribute  A value that identifies the password validation system specified for a user and, if needed, provides additional information.
permissions  The right to access restricted areas of a system or to perform certain tasks (such as management tasks) in the system.
BIND  Berkeley Internet Name Domain. The program included with Mac OS X Server that implements DNS. The program is also called the daemon when it is running.
drop box  A shared folder whose privileges let other users write to its contents but not read them. Only the owner of the drop box has full access. Drop boxes should be created only with AFP. When a folder is shared via AFP, ownership of an item placed in the drop box is automatically transferred to the folder's owner, who then has full access to and control over all items in the drop box.
BSD  Berkeley System Distribution. The version of UNIX on which Mac OS X software is based.
preferences cache  A storage location that holds the preferences of a computer and of the groups associated with that computer. Cached preferences help you manage local user accounts on portable computers.
wildcard  A range of possible values for any segment of an IP address.
CGI  Common Gateway Interface. A script or program that adds dynamic functions to a website. A CGI script passes information between a website and an application serving the site.
search path  See search policy.
managed client  A user, group or computer whose access permissions and/or preferences are under the control of an administrator.
diskless client  A computer with no operating system installed on its hard disk. Diskless computers can start up from a disk image installed on a NetBoot server.
computer account  See computer list.
predefined accounts  User accounts created automatically when you install Mac OS X. Some group accounts are also predefined.
firewall  Software that protects the network applications running on your server. The IP firewall service built into Mac OS X Server software examines incoming IP packets and rejects or accepts them according to the filters you set up.
lease period  A limited period of time during which IP addresses are assigned. With short leases, DHCP can reassign IP addresses on networks that have more computers than available addresses.
nfsd daemon  An NFS server process that runs continuously in the background and handles read and write requests from clients. The more daemons are available, the more clients can be served simultaneously.
DHCP  Dynamic Host Configuration Protocol. A protocol used to distribute IP addresses dynamically to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and requests an IP address from the DHCP server it finds.
Ce serveur cherche une adresse IP disponible et l’envoie à l’ordinateur client accompagnée d’un délai de bail—période pendant laquelle l’ordinateur client est autorisé à utiliser l’adresse. F0170.book Page 256 Monday, May 2, 2005 12:37 PMGlossaire 257 DNS Domain Name System. Base de données distribuée qui fait correspondre des adresses IP à des noms de domaines. Un serveur DNS, appelé également serveur de noms, conserve la liste des noms et des adresses IP associées à chaque nom. DNS en multidiffusion Protocole développé par Apple pour la détection automatique d’ordinateurs, de périphériques et de services sur les réseaux IP. Ce protocole standard Internet à l’état de proposition est parfois également appelé “ZeroConf”. Pour plus d’informations, consultez le site www.apple.fr ou www.zeroconf.org. Pour voir comment ce protocole est utilisé dans Mac OS X Server, voir nom d’hôte local. domaine de répertoire Base de données spécialisée qui stocke des informations de référence sur les utilisateurs et les ressources réseau nécessaires au logiciel système et aux applications. La base de données est optimisée pour gérer de nombreuses requêtes d’informations et trouver et obtenir rapidement ces informations. Le domaine de répertoires peut également être appelé nœud de répertoire ou simplement répertoire. domaine local Domaine de répertoires accessible uniquement à partir de l’ordinateur sur lequel il réside. dossier de groupe Répertoire servant à organiser les documents et les applications d’un intérêt particulier pour les membres d’un groupe et leur permettant d’échanger des informations. enfant Ordinateur dont les informations de configuration proviennent du domaine de répertoire partagé d’un parent. enregistrement MX Enregistrement Mail Exchange. Entrée d’un tableau DNS qui détermine l’ordinateur gérant le courrier pour un domaine Internet. Lorsqu’un serveur de courrier doit remettre des messages à un domaine Internet, il demande l’enregistrement MX du domaine concerné. 
Le serveur envoie les messages à l’ordinateur spécifié dans l’enregistrement MX. étendue Groupe de services. Une étendue peut consister en regroupements logiques d’ordinateurs, tels que tous les ordinateurs utilisés par le département de production ou en regroupements physiques, tels que tous les ordinateurs situés au premier étage d’un bâtiment. Vous pouvez définir une étendue en tant que partie ou ensemble de votre réseau. exportation Dans le système NFS (Network File System), moyen de partager un répertoire avec des clients sur un réseau. À définir pour le contexte RAID. FAI Fournisseur d’accès à Internet. Entreprise qui commercialise l’accès à Internet et fournit généralement un service d’hébergement de sites Web pour le commerce électronique, ainsi que des services de courrier. F0170.book Page 257 Monday, May 2, 2005 12:37 PM258 Glossaire file d’attente d’impression Zone dans laquelle les tâches d’impression attendent qu’une imprimante soit disponible. Le service d’impression de Mac OS X Server utilise les files d’attente d’impression sur le serveur pour faciliter la gestion. filtre Méthode de “filtrage” utilisée pour contrôler l’accès à un serveur. Un filtre est constitué d’une adresse IP, d’un masque de sous-réseau et parfois d’un numéro de port et d’un type d’accès. L’adresse IP et le masque de sous-réseau déterminent la plage d’adresses IP à laquelle s’applique le filtre. Finder simplifié Environnement utilisateur comportant tableaux et grandes icônes et qui offre aux débutants une interface conviviale et simple. Les volumes ou disques montés auxquels les utilisateurs ont accès apparaissent dans des tableaux plutôt que sur le bureau standard. FTP File Transfer Protocol. Protocole permettant aux ordinateurs de transférer des fichiers sur un réseau. Les clients FTP dont le système d’exploitation gère le protocole FTP peuvent se connecter à un serveur de fichiers et télécharger des fichiers, en fonction des autorisations d’accès dont ils bénéficient. 
La plupart des navigateurs Internet et bon nombre d’applications gratuites peuvent être utilisés pour accéder à un serveur FTP. groupe Ensemble d’utilisateurs ayant les mêmes besoins. Les groupes simplifient l’administration des ressources partagées. groupe de travail Ensemble d’utilisateurs pour lesquels vous définissez des préférences et des autorisations de groupe. Toutes les préférences que vous définissez pour un groupe sont stockées dans le compte de groupe. groupe principal Groupe par défaut d’un utilisateur. Le système de fichiers utilise l’identifiant du groupe principal lorsqu’un utilisateur accède à un fichier dont il n’est pas le possesseur. hiérarchie de domaine de répertoire Mode d’organisation des domaines de répertoires partagés et locaux. Une hiérarchie possède une structure arborescente inversée, le domaine racine (root) étant placé en haut et les domaines locaux en bas. hôte de courrier Ordinateur qui fournit le service de courrier. HTML Hypertext Markup Language. Ensemble de symboles ou de codes insérés dans un fichier à afficher par un navigateur Web. Le balisage indique au navigateur Web comment afficher les mots et images d’une page Web pour l’utilisateur. HTTP Hypertext Transfer Protocol. Protocole client/serveur pour le Web. Le protocole HTTP constitue pour un navigateur Web un moyen d’accès à un serveur Web et de requête de documents hypermedia HTML. IANA Internet Assigned Numbers Authority. Organisation chargée d’attribuer des adresses IP et des paramètres de protocole, ainsi que de gérer des noms de domaines. F0170.book Page 258 Monday, May 2, 2005 12:37 PMGlossaire 259 ICMP Internet Control Message Protocol. Protocole dédié au contrôle des messages et à la génération de rapports d’erreurs, utilisé entre serveurs hôtes et passerelles. 
Par exemple, certaines applications Internet utilisent le protocole ICMP pour envoyer un paquet en aller-retour entre deux hôtes, déterminer ainsi la durée requise par le trajet et détecter ainsi d’éventuels problèmes sur le réseau. Id. Util. Identifiant d’utilisateur. Numéro qui identifie un utilisateur de manière unique dans un système de fichiers. Les ordinateurs Mac OS X utilisent les identifiants d’utilisateurs pour contrôler l’appartenance de répertoires et de fichiers à un utilisateur. identifiant de groupe principal Numéro unique identifiant un groupe principal. IGMP Internet Group Management Protocol. Protocole Internet utilisé par les hôtes et les routeurs pour envoyer des paquets à des listes d’hôtes volontaires, dans le cadre d’un processus appelé multidiffusion. Le Serveur Enchaînement QuickTime (QTSS) utilise l’adressage multidiffusion, de même que le protocole SLP (Service Location Protocol). image disque Fichier qui, une fois ouvert, crée sur un bureau Mac OS une icône dont la présentation et le comportement sont similaires à ceux d’un véritable disque ou volume. Les ordinateurs clients peuvent, à l’aide de NetBoot, démarrer via le réseau à partir d’une image disque basée sur un serveur et contenant un logiciel système. Les fichiers d’image disque présentent l’extension .img ou .dmg. Les deux formats d’image sont similaires et sont représentés par la même icône dans le Finder. Le format .dmg ne peut pas être utilisé sur les ordinateurs qui exécutent Mac OS 9. image fantôme Fichier créé par le processus démon NetBoot pour chaque client utilisant NetBoot, pour lequel les applications qui s’exécutent sur le client peuvent écrire des données temporaires. IMAP Internet Message Access Protocol. Protocole client/serveur de courrier permettant aux utilisateurs de stocker leur courrier sur le serveur de courrier plutôt que de le télécharger sur l’ordinateur local. Le courrier demeure sur le serveur jusqu’à ce que l’utilisateur décide de l’effacer. 
IP Internet Protocol. Également désigné par IPv4. Méthode utilisée conjointement avec le protocole TCP (Transmission Control Protocol) pour envoyer des données d’un ordinateur à un autre via un réseau local ou via Internet. Le protocole IP envoie les paquets de données, alors que le protocole TCP se charge de leur suivi. Kerberos Système d’authentification réseau sécurisé. Kerberos utilise des tickets, délivrés pour un utilisateur, un service et une période déterminés. Une fois l’utilisateur authentifié, celui-ci peut accéder à des services supplémentaires sans devoir resaisir de mot de passe (signature unique) pourvu que ces services aient été configurés pour accepter les tickets Kerberos. Mac OS X Server utilise Kerberos v5. F0170.book Page 259 Monday, May 2, 2005 12:37 PM260 Glossaire LDAP Lightweight Directory Access Protocol. Protocole client/serveur standard pour accéder à un domaine de répertoires. liste d’ordinateurs Liste d’ordinateurs partageant les mêmes réglages de préférences et accessibles par les mêmes utilisateurs et groupes. LPR Line Printer Remote. Protocole standard d’impression via TCP/IP. maître Open Directory Serveur qui fournit le service de répertoire LDAP, le service d’authentification Kerberos et le serveur de mots de passe Open Directory. MBONE Multicast Backbone. Réseau virtuel gérant la multidiffusion IP. Un réseau MBONE utilise le même support physique qu’Internet, sauf qu’il est conçu pour réassembler les paquets de données de multidiffusion afin qu’ils s’apparentent à des paquets de données de diffusion individuelle. MIB Management Information Base. Base de données virtuelle permettant de surveiller un périphérique à l’aide d’applications SNMP. MIME Multipurpose Internet Mail Extensions. Standard Internet utilisé pour spécifier comment un navigateur Web doit traiter un fichier possédant certaines caractéristiques. L’extension du fichier indique son type. 
Vous pouvez déterminer la façon dont un serveur doit réagir lorsqu’il reçoit des fichiers portant certains suffixes. Chaque suffixe et la réponse qui lui correspond constituent une association de type MIME. MTA Mail Transfer Agent. Service de courrier qui envoie le courrier sortant, reçoit le courrier entrant à l’attention des destinataires locaux et fait suivre le courrier entrant des destinataires non locaux vers d’autres MTA. multi-adressage Capacité à gérer plusieurs connexions réseau. Lorsque plusieurs connexions sont disponibles, Mac OS X sélectionne celle adéquate en fonction de l’ordre spécifié dans les préférences réseau. NetBIOS Network Basic Input/Output System. Programme permettant aux applications situées sur différents ordinateurs de communiquer au sein d’un réseau local. NetInfo L’un des protocoles Apple d’accès à un domaine de répertoires. NFS Network File System. Protocole client/serveur utilisant le protocole IP (Internet Protocol) pour permettre aux utilisateurs distants d’accéder à des fichiers comme s’ils se trouvaient sur leur disque. Le service NFS exporte les volumes partagés vers les ordinateurs en fonction de l’adresse IP, plutôt que du nom et mot de passe utilisateur. nœud de répertoire Voir domaine de répertoire. nom abrégé Abréviation du nom d’un utilisateur. Le nom abrégé est utilisé par Mac OS X pour les répertoires de départ, l’authentification et les adresses électroniques. F0170.book Page 260 Monday, May 2, 2005 12:37 PMGlossaire 261 nom canonique Nom “réel” d’un serveur, si vous lui avez attribué un “surnom” ou un alias. Le serveur courrier.apple.com, par exemple, peut avoir comme nom canonique SrvCourrier473.apple.com. nom complet Forme longue d’un nom d’utilisateur ou de groupe. Voir aussi nom d’utilisateur. nom complet Voir nom long. nom d’hôte local Nom qui désigne un ordinateur sur un sous-réseau local. Il peut être utilisé sans système DNS global afin de résoudre les noms en adresses IP. 
Il est constitué de lettres minuscules, de chiffres et de traits d’union (sauf en tant que dernier caractère), et se termine par “.local” (par exemple, factures-ordinateur.local). Bien que le nom soit défini par défaut à partir du nom d’ordinateur, l’utilisateur peut définir ce nom dans la sous-fenêtre Réseau des Préférences Système. Il peut être modifié facilement et utilisé partout où un nom DNS ou un nom de domaine complet est utilisé. Il peut uniquement être résolu sur le même sous-réseau que l’ordinateur qui l’utilise. nom d’utilisateur Nom complet d’un utilisateur, parfois qualifié de réel. Voir aussi nom abrégé. Open Directory Architecture des services de répertoires Apple qui peut accéder à des informations de référence sur les utilisateurs et les ressources réseau à partir de domaines de répertoires utilisant les protocoles LDAP, NetInfo, ou Active Directory, les fichiers de configuration BSD et les services de réseau. ORBS Open Relay Behavior-modification System. Service Internet qui répertorie dans une liste noire les serveurs connus pour être des relais ouverts ou supposés comme tels pour les expéditeurs de courrier indésirable. Les serveurs ORBS sont également appelés serveurs “trou noir”. ordinateur administrateur Ordinateur Mac OS X sur lequel vous avez installé les applications de serveur situées sur le CD Serveur Mac OS X Server Admin. ordinateur invité Ordinateur inconnu ne figurant dans aucune liste d’ordinateurs de votre serveur. parent Ordinateur dont le domaine de répertoires partagé fournit des informations de configuration à un autre ordinateur. PHP PHP Hypertext Preprocessor (à l’origine Personal Home Page). Langage de script incorporé au langage HTML et utilisé pour créer des pages Web dynamiques. point de partage Dossier, disque dur (ou partition de disque dur) ou CD accessible via le réseau. Un point de partage constitue le point d’accès situé au premier niveau d’un groupe d’éléments partagés. 
Les points de partage peuvent être partagés à l’aide des protocoles AFP, Windows SMB, NFS (exportation) ou FTP. F0170.book Page 261 Monday, May 2, 2005 12:37 PM262 Glossaire point de relais Voir relais ouvert. politique de recherche Liste des domaines de répertoire parmi lesquels un ordinateur Mac OS X effectue ses recherches lorsqu’il a besoin d’informations de configuration. Désigne également l’ordre dans lequel les domaines sont pris en compte lors de la recherche. Parfois appelé “chemin de recherche”. POP Post Office Protocol. Protocole destiné à récupérer le courrier entrant. Une fois qu’un utilisateur a récupéré son courrier POP, ce dernier est stocké sur l’ordinateur de l’utilisateur et, généralement, supprimé automatiquement du serveur de courrier. préférences gérées Préférences Système ou d’applications sous le contrôle d’un administrateur. Le Gestionnaire de groupe de travail permet aux administrateurs de contrôler les réglages de certaines préférences système pour les clients gérés Mac OS X. préréglages Attributs d’origine par défaut que vous spécifiez pour les nouveaux comptes créés à l’aide du Gestionnaire de groupe de travail. Vous ne pouvez utiliser les préréglages que lors de la création d’un compte. profil d’utilisateur Ensemble de réglages personnels relatifs au bureau et aux préférences, que Windows enregistre pour un utilisateur et applique chaque fois que ce dernier se connecte. propriétaire Le propriétaire d’un élément peut définir des autorisations de Lecture et écriture, Lecture seule ou Accès interdit pour le Propriétaire, le groupe et les Autres. Le propriétaire peut également attribuer la propriété d’un élément à un autre utilisateur et affecter des autorisations de groupe à un autre groupe. Par défaut, le propriétaire dispose d’autorisations Lecture et écriture. QTSS QuickTime Streaming Server. Technologie permettant de diffuser des données en temps réel sur Internet. 
relais Dans QuickTime Streaming Server, un relais reçoit un flux entrant et le réexpédie vers un serveur de diffusion en continu ou plus. Les relais permettent de réduire la consommation de bande passante Internet et sont très utiles pour les diffusions avec de nombreux spectateurs dans différents emplacements. En terme de courrier électronique Internet, un relais est un petit serveur SMTP de courrier électronique qui envoie le courrier entrant à un autre serveur SMTP plutôt qu’à sa destination finale. relais ouvert Serveur recevant et transférant automatiquement le courrier vers un autre serveur. Les émetteurs de courrier indésirable exploitent les serveurs relais ouverts, afin que leurs propres serveurs de courrier ne figurent pas sur les listes noires référençant les sources de courrier indésirable. répartition de la charge Processus qui consiste à répartir sur plusieurs services les demandes de services réseau effectuées par les ordinateurs clients, afin d’optimiser les performances. F0170.book Page 262 Monday, May 2, 2005 12:37 PMGlossaire 263 répertoire de départ Dossier destiné à l’usage personnel d’un utilisateur. Entre autres, Mac OS X utilise également le répertoire de départ pour stocker des Préférences Système et des réglages d’utilisateur gérés pour les utilisateurs Mac OS X. répertoire de départ local Répertoire de départ résidant sur le disque dur de l’ordinateur auquel est connecté un utilisateur. Il n’est accessible que par ouverture de session directe sur l’ordinateur où il réside, sauf si vous ouvrez une session sur l’ordinateur via SSH. réseau géré Éléments que les clients gérés sont autorisés à “voir” lorsqu’ils cliquent sur l’icône Réseau dans une fenêtre du Finder. Les administrateurs contrôlent ce réglage à l’aide du Gestionnaire de groupe de travail. Également appelé “présentation de réseau”. ROM de démarrage Instructions sur les exigences matérielles utilisées par un ordinateur au cours des premières étapes du démarrage. 
royaume À définir ; terme général avec plusieurs applications. Voir royaume WebDAV, royaume Kerberos. royaume Kerberos Domaine d’authentification comprenant les utilisateurs et les services enregistrés auprès du même serveur Kerberos. Les services et utilisateurs enregistrés font confiance au serveur Kerberos pour vérifier l’identité de chacun. royaume WebDAV Région d’un site Web, généralement un dossier ou un répertoire, réservé aux utilisateurs et groupes WebDAV. RTP Real-Time Transport Protocol. Protocole de transport réseau de bout en bout adapté aux applications qui transmettent des données en temps réel (audio, vidéo ou simulation) par l’intermédiaire de services réseau en multi ou monodiffusion. RTSP Real Time Streaming Protocol. Protocole de niveau applicatif servant à contrôler la transmission des données ayant des propriétés de temps réel. Ce protocole RTSP propose une structure extensible qui permet de transmettre les données en temps réel sous contrôle et sur demande, des données audio ou vidéo par exemple. Les sources de données peuvent inclure aussi bien des données en direct que des clips enregistrés. SDP Session Description Protocol. Fichier texte utilisé avec un serveur d’enchaînement QuickTime pour fournir des informations sur le format, la synchronisation et la paternité d’une diffusion en direct, ainsi qu’indiquer à l’utilisateur comment effectuer la syntonisation. serveur de noms Serveur d’un réseau qui tient à jour une liste des noms de domaines et des adresses IP associées à chaque nom. Voir aussi DNS, WINS. serveur NetBoot Serveur Mac OS X sur lequel le logiciel NetBoot est installé et configuré pour autoriser les clients à démarrer à partir d’images disque situées sur le serveur. F0170.book Page 263 Monday, May 2, 2005 12:37 PM264 Glossaire serveur proxy Serveur placé entre une application cliente, telle qu’un navigateur Web, et un serveur réel. 
Le serveur proxy intercepte toutes les requêtes destinées au serveur réel pour vérifier s’il ne peut y répondre lui-même. Si tel n’est pas le cas, il fait suivre la requête au serveur réel. services de répertoire Services fournissant au logiciel système et aux applications un accès uniforme aux domaines de répertoire et autres sources d’informations sur les utilisateurs et les ressources. SLP DA Service Location Protocol Directory Agent. Protocole utilisé pour répertorier les services disponibles sur un réseau, afin de permettre aux utilisateurs d’y accéder facilement. Lorsqu’un service est ajouté au réseau, il utilise le protocole SLP pour s’enregistrer sur le réseau. SLP/DA conserve les services de réseau enregistrés dans un emplacement centralisé. SMB/CIFS Server Message Block/Common Internet File System. Protocole permettant à des ordinateurs clients d’accéder à des fichiers et à des services de réseau. Il peut être utilisé via TCP/IP, Internet ou d’autres protocoles. Les services Windows utilisent le protocole SMB/CIFS pour fournir l’accès aux serveurs, imprimantes et autres ressources réseau. SMTP Simple Mail Transfer Protocol. Protocole utilisé pour envoyer et transférer du courrier. Sa capacité à placer les messages entrants en file d’attente étant limitée, il n’est généralement utilisé que pour envoyer des messages, POP ou IMAP étant utilisés pour les recevoir. SNMP Simple Network Management Protocol. Ensemble de protocoles standard utilisés pour gérer et contrôler des périphériques réseau sur plusieurs plates-formes. sous-réseau Regroupement d’ordinateurs clients faisant partie du même réseau, structuré en fonction de l’emplacement physique (les différents étages d’un bâtiment, par exemple) ou de l’utilisation (tous les élèves d’une même classe par exemple). L’utilisation de sous-réseaux permet de simplifier les tâches d’administration. Voir aussi sous-réseau IP. 
sous-réseau IP Partie d’un réseau IP, pouvant être un segment de réseau physiquement indépendant, partageant une adresse réseau avec d’autres parties du réseau et identifiée par un numéro de sous-réseau. spam Courrier non sollicité, indésirable. SSL Secure Sockets Layer. Protocole permettant d’envoyer sur Internet des informations cryptées et authentifiées. Les versions plus récentes de SSL sont appelées TLS (Transport Level Security). F0170.book Page 264 Monday, May 2, 2005 12:37 PMGlossaire 265 TCP Transmission Control Protocol. Méthode utilisée avec le protocole IP (Internet Protocol) pour envoyer, via Internet, des données sous forme d’unités de messages entre ordinateurs. Le protocole IP se charge de gérer le transfert des données, alors que le protocole TCP effectue le suivi individuel des unités de données (paquets). Chaque message est fractionné en plusieurs unités afin d’assurer un routage efficace via Internet. Tomcat Implémentation de référence officielle de Java Servlet 2.2 et JavaServer Pages 1.1, deux technologies complémentaires développées dans le cadre de Java Community Process. tous Tout utilisateur pouvant se connecter à un serveur de fichiers : utilisateur référencé ou invité, utilisateur FTP anonyme ou visiteur d’un site Web. TTL Time-to-live, ou durée de vie. Durée spécifiée pendant laquelle les informations DNS sont stockées en cache. Lorsqu’une paire nom de domaine/adresse IP se trouve en cache depuis plus longtemps que la durée TTL spécifiée, l’entrée est supprimée du cache du serveur de noms (mais pas du serveur DNS principal). UDP User Datagram Protocol. Méthode de communication utilisant le protocole IP pour envoyer une unité de données (datagramme) d’un ordinateur à un autre sur un réseau. Les applications réseau devant échanger de toutes petites unités de données peuvent utiliser le protocole UDP à la place de TCP. 
Unicode Standard affectant un nombre unique à chaque caractère, sans tenir compte de la langue ou du système d’exploitation utilisé pour afficher la langue. USB Universal Serial Bus. Standard de communication entre un ordinateur et des périphériques externes utilisant un câble de connexion directe bon marché. utilisateur inactif Utilisateur connecté au serveur, mais qui n’en sollicite plus le volume depuis un certain de temps. utilisateur invité Utilisateur pouvant se connecter à votre serveur sans fournir de nom ni de mot de passe. utilisateur virtuel Autre adresse électronique (nom abrégé) d’un utilisateur. Similaire à un alias, mais impliquant la création d’un nouveau compte d’utilisateur. valide Uniform Resource Locator. Adresse d’un ordinateur, d’un fichier ou d’une ressource accessible sur un réseau local ou sur Internet. L’adresse URL se compose du nom du protocole utilisé pour accéder à la ressource, du nom de domaine qui identifie un ordinateur spécifique sur Internet et de la description hiérarchique de l’emplacement du fichier sur l’ordinateur. F0170.book Page 265 Monday, May 2, 2005 12:37 PM266 Glossaire VPN Virtual Private Network. Réseau privé virtuel utilisant le cryptage ainsi que d’autres technologies pour fournir des communications sécurisées sur un réseau public, en général Internet. Ces réseaux sont généralement moins onéreux que des réseaux privés réels qui recourent à des lignes privées, mais s’appuient sur le même système de cryptage aux deux extrémités de la ligne. Le cryptage peut être réalisé par des logiciels de coupe-feu ou par des routeurs. WebDAV Web-based Distributed Authoring and Versioning. Environnement de création en direct permettant aux utilisateurs clients d’extraire des pages Web d’un site, de les modifier, puis de les replacer sur le site sans que ce dernier ne cesse de fonctionner. WINS Windows Internet Naming Service. 
Service de résolution de noms utilisé par les ordinateurs Windows pour faire correspondre les noms des clients avec des adresses IP. Un serveur WINS peut se trouver soit sur le réseau local, soit sur Internet. F0170.book Page 266 Monday, May 2, 2005 12:37 PM267 Index Index A accès à des ordinateurs 124 au point de partage de groupe 194 au répertoire de départ 194 aux applications 164, 166 aux dossiers 186 aux dossiers de groupes(ajouter un élément au Dock) 174 aux éléments de menu (Redémarrer, Éteindre) 187 aux éléments du menu (Classic) 170 aux icônes de disque et de serveur 182 aux iDisk 185 aux outils UNIX 167 aux serveurs distants 184 aux supports 199 administrateur de domaine 43 administrateurs de serveur autorisations 82 adresses ajout pour les utilisateurs 14 AFP (Apple Filing Protocol) configuration de points de partage à l’aide de 137 aide 15 AirPort 62 applications gestion de l’accès 164–167 authentification 45, 48 résolution de problèmes 232 autorisations 32, 53, 71, 80–89, 105, 111, 131, 200 administrateur de serveur 83 administration de domaine de répertoire 83 B bouton Groupes 46 bouton Listes des ordinateurs 46 bouton Utilisateurs 46 bureau apparence des éléments du bureau 187 autoriser l’utilisateur à reconstruire 170 C cache des préférence comment la vider 160 cache des préférences mise à jour 159 Carnet d’adresses 14 changement rapide d’utilisateur 197 clients mobiles 55–62 commande Graver le disque 186 commentaires modification 87 compte d’administrateur de domaine 36 comptes actualisation de la liste 49 personnalisation de la liste 38 recherche de comptes spécifiques 50 Voir aussi comptes d’utilisateur, comptes de groupe, listes d’ordinateurs, comptes d’invités 37 comptes d’utilisateur commentaires 87 création 67 création de comptes LDAPv3 en lecture/ écriture 68 désactivation 72 groupe par défaut 88 lecture seule 70 locaux 125 modification 68 modification des 69 mots-clés 87 préréglages 72–74 suppression 71 utilisateurs invités 70 comptes 
d’utilisateurs invités 71 comptes de groupe ajout d’utilisateurs 89, 105 à propos des 27, 99 attribution du nom 106 création 101 création de préréglages 102 définition d’identifiants 107 définition du groupe principal d’un utilisateur 88 en lecture seule 104 F0170.book Page 267 Monday, May 2, 2005 12:37 PM268 Index gestion des préférences 161 modification 102, 103, 104 suppression 114 suppression d’utilisateurs 90, 106 vérification des groupes auxquels appartient un utilisateur 90 connexion résolution de problèmes 232, 233, 234 D dépannage 229–239 utilisateurs et groupes 229 Dock ajout d’éléments 175 contrôle des éléments 175 données ajout d’informations personnelles pour les utilisateurs 14 sauvegarde et restauration 53 données d’utilisateurs ajout de données personnelles 14 dossiers pour groupes 38 dossiers de groupe accessible à plusieurs groupes 114 à propos des 27 configuration 108 dans un nouveau point de partage 110 dans un point de partage existant 109 dans un sous-dossier d’un point de partage 112 option pas de dossier de groupe 108 dossier Système spécification pour Classic 169 dsimport importation d’utilisateurs et de groupes 245 paramètres d’importation 245 duplication de réglages Voir préréglages E éjection de disques 185, 201 état de la batterie 179 exportation d’utilisateurs et de groupes 47 exportation de point de partage NFS 138 extensions désactivation (Classic) 170 extensions de nom de fichier 184 F Fenêtres du Finder 188 fermeture de session automatique 197 fermeture de session pour les utilisateurs inactifs 197 Finder simplifié 181 G gestion des clients, Mac OS X résolution des problèmes 235–239 gestion de serveur informations supplémentaires 18 gestion des préférences, Mac OS X désactivation 163 icône d’indication 159 modification de plusieurs enregistrements 163 navigateurs 190 préférences Accès aux données 199 préférences Accès universel 207 préférences Autres supports d’Accès aux données 199 préférences avancées de Classic 167 préférences 
  Classic 167
  application preferences 164
  printing preferences 202
  computer preferences 162
  login preferences 191
  user preferences 161
  group preferences 161
  Energy Saver preferences 176
  Dock preferences 173
  Finder preferences 181
  Internet preferences 189
  Classic settings 169
  Finder Commands settings 181
  Dock Display settings 173
  Printing Printer List settings 202
  Internet Email settings 189
  Dock Items settings 173
  Media Access Data Disks settings 199
  Login Items settings 191
  Finder Views settings 181
  Internet Web settings 190
Workgroup Manager
  exporting users and groups in 244
  importing users and groups in 243
  system preferences and 157
  troubleshooting 229
  using 46
  overview 19
client management, Mac OS X
  preference management 158
workgroups
  description 27

I
user IDs 81
importing users and groups 47
importing and exporting
  from Workgroup Manager 244
  with Workgroup Manager 243
F0170.book Page 268 Monday, May 2, 2005 12:37 PM
  creating character-delimited files 247
  creating XML files with Server Admin 245
  creating XML files with AppleShare IP 246
  supported file formats 242
printing
  managing 93–96, 202–205
information 14

K
Kerberos
  troubleshooting 234

L
computer lists
  adding computers 119
  about 28, 115
  creating 116
  creating a preset 118
  moving computers 120
  for Windows computers 115
  searching 122
  removing computers 121

M
Mac OS X Server
  additional information 17
menus
  access control (Classic) 170
mail
  preferences 189
keywords 86–87
passwords 82
  hints 196
  cannot be changed 231
Open Directory passwords
  troubleshooting 231

N
NFS (Network File System)
  setting up share points via 138
iChat names 14
phone numbers
  adding for users 14

O
Open Directory 31, 34, 60, 65
administrator computer 35
computers
  preference management 162
  changing information 120
guest computers 122
portable computers
  setting up 55
  Energy Saver settings 178
  See also mobile clients
Windows computers 35, 38, 97
UNIX tools
  access control 167

P
share points 46
  AFP 137
  NFS 138
Classic preferences 167–173
Universal Access preferences 207–211
Hearing preferences 208
login preferences 191–198
user preferences
  managing, Mac OS X 161
Keyboard preferences 209
Energy Saver preferences 176–180
Mouse preferences 210
Dock preferences 173–176
Finder preferences 181–189
browser preferences 190
web browser preferences 190
managed preferences See preference management
System Preferences 205, 206
Seeing preferences 207
presets
  for group accounts 102
  for user accounts 72–74
  for computer lists 115–120

R
searching
  accounts 47–51
login settings 84
mail settings 91–93
member settings 105–107
Sleep settings 176
startup and shutdown settings 180
home directories
  about 20, 127
  setting up 127
  creating for local users 131
  in an AFP share point 137
  in an NFS share point 138
  moving 141
  customizing 134
  for Windows computers 128
  disk quota settings for 140
  distributing across several servers 129
  network 133
  troubleshooting 234
  specifying no home directory 130
  deleting 141
Mac OS X Server resources 17

S
wireless service
  client management 62
Apache website 18
Sous-fenê 14
deleting 121
synchronization
  mobile account data 56

U
users
  defining names 74–82
users and groups
  troubleshooting 229
utilities 166


Mac OS X Server
Network Services Administration
For Version 10.4 or Later

Apple Computer, Inc.
© 2005 Apple Computer, Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use the software. No part of this publication may be reproduced or transmitted, in whole or in part, for commercial purposes, such as selling copies of this publication or providing paid support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or typographical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com

Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and/or unfair competition in violation of applicable laws.

Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Mac, Mac OS, Macintosh, Power Mac, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

All other product names are trademarks of their respective owners. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation.
Apple assumes no responsibility with regard to the performance or use of these products.

F019-0165/3-24-05


Contents

Preface 9 About This Guide
9 What's New in Version 10.4
9 What's in This Guide
10 Using This Guide
10 Using Onscreen Help
11 The Mac OS X Server Suite
13 Getting Documentation Updates
13 Getting Additional Information

Chapter 1 15 Connecting Your Network to the Internet
15 Understanding Gateway Setup Assistant
16 Using Gateway Setup Assistant
17 Setup Examples
17 Connecting a Wired LAN to the Internet
19 Connecting a Wired LAN and Wireless Clients to the Internet
21 Connecting a Wireless LAN to the Internet

Chapter 2 23 DHCP Service
23 Before You Set Up DHCP Service
24 Creating Subnets
24 Assigning IP Addresses Dynamically
24 Using Static IP Addresses
25 Locating the DHCP Server
25 Interacting With Other DHCP Servers
25 Using Multiple DHCP Servers on a Network
25 Assigning Reserved IP Addresses
26 Getting More Information About the DHCP Process
26 Setting Up DHCP Service for the First Time
27 Managing DHCP Service
27 Starting and Stopping DHCP Service
27 Creating Subnets in DHCP Service
28 Changing Subnet Settings in DHCP Service
28 Deleting Subnets From DHCP Service
28 Disabling Subnets Temporarily
29 Changing the IP Address Lease Time for a Subnet
29 Setting the DNS Server for a DHCP Subnet
30 Setting LDAP Options for a Subnet
30 Setting WINS Options for a Subnet
31 Assigning Static IP Addresses Using DHCP
32 Removing or Changing Static Address Mappings
32 Monitoring DHCP Service
32 Viewing the DHCP Status Overview
33 Setting the Log Detail Level for DHCP Service
33 Viewing DHCP Log Entries
33 Viewing the DHCP Client List
34 Common Network Setups That Use DHCP
37 Where to Find More Information

Chapter 3 39 DNS Service
40 Before You Set Up DNS Service
40 DNS and BIND
40 Setting Up Multiple Name Servers
41 Setting Up DNS Service for the First Time
43 Managing DNS Service
43 Starting and Stopping DNS Service
44 Enabling or Disabling Zone Transfers
44 Enabling or Disabling Recursion
45 Managing DNS Zones
46 Adding a Master Zone
47 Adding a Slave Zone
47 Duplicating a Zone
48 Modifying a Zone
48 Deleting a Zone
48 Using a Zone File
49 Managing DNS Computer Records
50 Adding a Computer Record to a DNS Zone
51 Modifying a Computer Record in a DNS Zone
52 Deleting a Computer Record From a DNS Zone
52 Monitoring DNS
52 Viewing DNS Service Status
53 Viewing DNS Log Entries
53 Changing the DNS Log Detail Level
53 Changing the DNS Log File Location
54 Securing the DNS Server
54 DNS Spoofing
55 Data Mining
55 DNS Service Profiling
56 Denial of Service (DoS)
56 Service Piggybacking
57 Common Network Administration Tasks That Use DNS Service
57 Setting Up MX Records
60 Setting Up a Namespace Behind a NAT Gateway
60 Network Load Distribution (or Round Robin)
61 Setting Up a Private TCP/IP Network
62 Hosting Several Internet Services at a Single IP Address
62 Hosting Multiple Domains on the Same Server
63 Where to Find More Information

Chapter 4 65 IP Firewall Service
66 Basic Firewall Practices
68 Starting the Firewall
68 Understanding Firewall Rules
69 What Is a Firewall Rule?
71 Using Address Ranges
71 Rule Mechanism and Precedence
72 Multiple IP Addresses
72 Setting Up Firewall Service for the First Time
74 Managing Firewall Service
74 Managing a Panther Server 10.3 Firewall With Tiger Server 10.4 Server Admin
74 Starting and Stopping Firewall Service
74 Creating an Address Group
75 Editing or Deleting an Address Group
76 Duplicating an Address Group
76 Opening the Firewall for Standard Services
77 Adding Custom Ports to the Services List
78 Editing or Deleting Items in the Services List
78 Creating an Advanced IP Firewall Rule
79 Editing or Deleting Advanced IP Firewall Rules
80 Changing the Order of Advanced IP Firewall Rules
80 Enabling Stealth Mode
81 Resetting an Unreachable Server
81 Monitoring Firewall Service
82 Understanding the Active Rules Panel
82 Viewing the Firewall Status Overview
82 Viewing Active Firewall Rules
83 Setting Up Firewall Service Logs
83 Viewing the Firewall Log
84 Viewing Denied Packets
85 Viewing Packets Logged by Firewall Rules
85 Troubleshooting Advanced IP Firewall Rules
86 Practical Examples
86 Using an IP Firewall With Network Address Translation
87 Blocking Web Access for Internet Users
88 Logging Internet Access by Local Network Users
88 Blocking Junk Mail
89 Allowing a Client to Access the Apple File Server
90 Common Network Administration Tasks That Use Firewall Service
90 Preventing Denial of Service (DoS) Attacks
90 Controlling or Enabling Peer-to-Peer Network Usage
91 Controlling or Enabling Network Game Usage
92 Port Reference
97 Where to Find More Information

Chapter 5 99 NAT Service
99 Using Network Address Translation With Other Network Services
100 Overview of Setting Up a LAN With Network Address Translation
101 Starting and Stopping NAT Service
101 Configuring NAT Service
102 Creating a Gateway Without Network Address Translation
103 Configuring Port Forwarding
104 Port Traffic Forwarding Examples
105 Monitoring NAT Service
105 Viewing the NAT Status Overview
106 Common Network Administration Tasks That Use Network Address Translation
106 Linking a LAN to the Internet Through One IP Address
108 Setting Up a Network Game Tournament
109 Setting Up Virtual Servers
111 Where to Find More Information

Chapter 6 113 VPN Service
114 VPN and Security
114 Transport Protocols
114 Authentication Method
115 Before You Set Up VPN Service
116 Configuring Other Network Services for VPN
116 Managing VPN Service
116 Starting or Stopping VPN Service
116 Enabling and Configuring the L2TP Transport Protocol
117 Enabling and Configuring the PPTP Transport Protocol
118 Configuring Additional Network Settings for VPN Clients
118 Configuring VPN Network Routing Definitions
120 Limiting VPN Access to Specific Users or Groups
121 Limiting VPN Access to Specific Incoming IP Addresses
122 Supplementary Configuration Instructions
124 Monitoring VPN Service
124 Viewing the VPN Status Overview
124 Setting the Log Detail Level for VPN Service
124 Viewing the VPN Log
125 Viewing VPN Client Connections
125 Common Network Administration Tasks That Use VPN
125 Linking a Computer on a LAN to a Remote Network
127 Accessing a Computing Asset Behind a Remote Network's Firewall
128 Linking Two or More Remote Network Sites
132 Where to Find More Information

Chapter 7 133 NTP Service
133 How NTP Service Works
134 Using NTP Service on Your Network
134 Setting Up NTP Service
135 Configuring NTP on Clients
135 Where to Find More Information

Chapter 8 137 Virtual LAN Support
137 Understanding Virtual LANs
137 Setting Up Client Membership in a Virtual LAN
138 Where to Find More Information

Chapter 9 139 IPv6 Management
140 IPv6-Enabled Services
140 IPv6 Addresses in Server Admin
140 IPv6 Addresses
140 Notation
141 IPv6 Reserved Addresses
141 IPv6 Addressing Model
141 IPv6 Address Types
142 Where to Find More Information

Glossary 143
Index 157


Preface: About This Guide

This guide explains how to set up and administer the network services of Mac OS X Server.

What's New in Version 10.4

Version 10.4 of Mac OS X Server offers many improvements and new features over version 10.3, including:
• New Gateway Setup Assistant
• Revised and improved DNS interface
• Static IP address mapping via DHCP
• Revised and improved firewall interface
• Expanded VPN help
• Expanded NAT help
• Information on VLAN support

What's in This Guide

This guide has nine chapters and a glossary:
• Chapter 1, "Connecting Your Network to the Internet," on page 15 explains how to use Gateway Setup Assistant to connect your network to the Internet.
• Chapter 2, "DHCP Service," on page 23 explains how to set up and use DHCP to assign IP addresses on your network.
• Chapter 3, "DNS Service," on page 39 explains how to use Mac OS X Server as a domain name server.
• Chapter 4, "IP Firewall Service," on page 65 explains how to keep a network secure using a firewall.
• Chapter 5, "NAT Service," on page 99 explains how to set up and use network address translation to connect several computers to the Internet with a single public IP address.
• Chapter 6, "VPN Service," on page 113 explains how to set up and use VPN so that remote users can securely access your private local network.
• Chapter 7, "NTP Service," on page 133 explains how to make your server a time server.
• Chapter 8, "Virtual LAN Support," on page 137 contains useful information on VLAN support for certain server hardware configurations.
• Chapter 9, "IPv6 Management," on page 139 contains useful information on IPv6 and on the services that support IPv6 addressing.
• The "Glossary" on page 143 defines the main terms used in this guide.

Using This Guide

Each chapter covers a particular network service. Read the chapter for the service you plan to provide to your users. There you will find information on how the service works, what it is useful for, strategies for using it, its initial setup, and its administration over time.

Also read the chapters on services you are not familiar with. You may find that some services you have not used so far can help you manage your network more efficiently and improve its performance for your users.

Most chapters end with a section called "Where to Find More Information." That section points you to websites and reference documents containing more information about the service.
Using Onscreen Help

You can view instructions and other useful information about the server suite by using onscreen help. On a computer running Mac OS X Server, you can access onscreen help after opening Workgroup Manager or Server Admin. From the Help menu, choose one of the options:
• Workgroup Manager Help or Server Admin Help displays information about the application.
• Mac OS X Server Help displays the main server help page, from which you can search for information about the server.
• Documentation takes you to www.apple.com/fr/server/documentation, from which you can download the server documentation.

You can also access onscreen help from the Finder or other applications on a server or on an administrator computer. An administrator computer is a Mac OS X computer with server administration software installed. Use the Help menu to open Help Viewer, then choose Library > Mac OS X Server Help.

To see the latest help topics, make sure the server or administrator computer is connected to the Internet while you use Help Viewer. Help Viewer automatically retrieves and caches the latest server help topics from the Internet. When you are not connected to the Internet, Help Viewer displays the cached help topics.

The Mac OS X Server Suite

The Mac OS X Server documentation includes a set of guides that describe the services offered and give instructions for setting them up, managing them, and troubleshooting them. All the guides are available in PDF format at: www.apple.com/fr/server/documentation/

This guide ... explains how to:

Mac OS X Server Getting Started for Version 10.4 or Later: install Mac OS X Server and set it up for the first time.

Mac OS X Server Upgrading and Migrating to Version 10.4 or Later: use data and service settings currently in use on earlier versions of the server.

Mac OS X Server User Management for Version 10.4 or Later: create and manage users, groups, and computer lists; set up managed preferences for Mac OS X clients.

Mac OS X Server File Services Administration for Version 10.4 or Later: share selected server volumes or folders among server clients using the following protocols: AFP, NFS, FTP, and SMB/CIFS.

Mac OS X Server Print Service Administration for Version 10.4 or Later: host shared printers and manage the associated queues and print jobs.

Mac OS X Server System Image and Software Update Administration for Version 10.4 or Later: use NetBoot and Network Install to create disk images from which Macintosh computers can start up over the network; set up a software update server for updating client computers over the network.

Mac OS X Server Mail Service Administration for Version 10.4 or Later: install, set up, and administer mail services on the server.

Mac OS X Server Web Technologies Administration for Version 10.4 or Later: set up and manage a web server, including WebDAV, WebMail, and web modules.

Mac OS X Server Network Services Administration for Version 10.4 or Later: install, set up, and administer DHCP, DNS, VPN, NTP, IP firewall, and NAT services on the server.
Mac OS X Server Open Directory Administration for Version 10.4 or Later: manage directory and authentication services.

Mac OS X Server QuickTime Streaming Server 5.5 Administration for Version 10.4 or Later: set up and manage QuickTime streaming services.

Mac OS X Server Windows Services Administration for Version 10.4 or Later: set up and manage services such as PDC, BDC, file, and print for Windows computer users.

Mac OS X Server Migrating from Windows NT for Version 10.4 or Later: move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.

Mac OS X Server Java Application Server Administration for Version 10.4 or Later: set up and administer a JBoss application server on Mac OS X Server.

Mac OS X Server Command-Line Administration for Version 10.4 or Later: use commands and configuration files to perform server administration tasks from the UNIX command shell.

Mac OS X Server Collaboration Services Administration for Version 10.4 or Later: set up and manage weblog, chat, and other services that facilitate interactions among users.

Mac OS X Server High Availability Administration for Version 10.4 or Later: manage IP failover, link aggregation, load balancing, and other hardware and software configurations to ensure high availability of Mac OS X Server services.

Mac OS X Server Xgrid Administration for Version 10.4 or Later: manage Xserve computational clusters using the Xgrid application.

Mac OS X Server Glossary (terminology for Mac OS X Server, Xserve, Xserve RAID, and Xsan): interpret the terms used for server and storage products.

Getting Documentation Updates

Apple periodically publishes new onscreen help topics, revised guides, and solution papers. The new help topics include updates to the latest guides.
• To view new onscreen help topics, make sure your server or administrator computer is connected to the Internet and click the Late-Breaking News link on the main Mac OS X Server help page.
• To download the latest guides and solution papers in PDF format, go to the Mac OS X Server documentation webpage: www.apple.com/fr/server/documentation.

Getting Additional Information

For more information, consult the following resources:

Read Me documents: important updates and special information. Look for them on the server discs.

Mac OS X Server website: gateway to detailed product and technology information. www.apple.com/fr/macosx/server/

AppleCare Service & Support website: access to hundreds of articles from Apple's support organization. www.apple.com/fr/support/

Apple customer training: instructor-led and self-paced courses for developing your server administration skills. train.apple.com

Apple discussion groups: a way to share questions, knowledge, and advice with other administrators. discussions.info.apple.com

Apple mailing list directory: subscribe to mailing lists so you can communicate with other administrators by email. www.lists.apple.com


Chapter 1: Connecting Your Network to the Internet

Use Gateway Setup Assistant to connect your network to the Internet. It guides you through the initial setup of a server that will act as the gateway between your private network and the Internet.
Understanding Gateway Setup Assistant

Gateway Setup Assistant helps you quickly and easily set up a server running Mac OS X Server 10.4 to share its Internet connection with your local area network (LAN). After you make a few configuration choices, the assistant saves all the settings needed to share the server's connection. Depending on the configuration choices you make, the assistant performs the following tasks:
• Assigns the server a static IP address on each internal network interface. The assigned address is 192.168.x.1, where x is determined by the interface's position in the Network pane of System Preferences. For example, for the first interface x is 0, and for the second interface in the list x is 1.
• Allows DHCP to allocate addresses on the internal network, deleting any existing DHCP subnets.
• Reserves some internal addresses (192.168.x.x) for DHCP. When VPN is not enabled, each interface can allocate the addresses 192.168.x.2 through 192.168.x.254.
• Enables VPN (optional) so that authorized external clients can connect to the LAN. Because L2TP VPN is enabled, you must enter the shared secret that client connections will use.
• Reserves some internal addresses (192.168.x.x) for VPN. If VPN is selected, half of the IP addresses allocated in the DHCP range are reserved for VPN connections: the addresses 192.168.x.128 through 192.168.x.254 are allocated to VPN connections.
• Enables the IP firewall to secure the internal network. Address groups are added for each internal network interface, with all traffic allowed from the DHCP address ranges created to any destination address.
• Enables network address translation on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the appropriate computer. This also protects the internal network from unsolicited external connections.
• Enables DNS on the server, configured to cache lookups in order to improve DNS response times for internal clients.

You will have the opportunity to review the proposed changes before these settings take effect. Existing settings are overwritten by those configured in the assistant. You can make further changes to the service configurations with Server Admin. For instructions on any of the network services, see the corresponding section of this guide.

If you run Gateway Setup Assistant again, it overwrites any manual settings you have made.

Using Gateway Setup Assistant

You can open Gateway Setup Assistant in two ways. You can:
• open Gateway Setup Assistant in /Applications/Server/, or
• choose View > Gateway Setup Assistant in Server Admin.

Follow the assistant's instructions and click Continue after each page. Read the final summary carefully and make sure the configuration is what you want before committing the settings.

Warning: although Gateway Setup Assistant can be used to set up remote servers, you could accidentally lock yourself out of administrative access to the remote server.

Setup Examples

The following section contains a few example setups made with Gateway Setup Assistant.
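The address plan described above (192.168.x.1 for the server on each internal interface, the DHCP pool, and the upper half reserved for VPN when it is enabled) applies in each of the example setups that follow. The Python below is an added example, not Apple's code or part of this guide: the function names are mine, and it assumes that when VPN is enabled DHCP keeps the lower half, 192.168.x.2 through 192.168.x.127, which the guide implies but does not state.

```python
"""Address plan that Gateway Setup Assistant applies to each internal (LAN)
interface, modelled from the description in this chapter.  Added example,
not Apple's code: the function names and the dict layout are my own."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# Every internal address the assistant uses is 192.168.x.x.
PRIVATE_BLOCK = IPv4Network("192.168.0.0/16")


def interface_plan(index, vpn_enabled):
    """Plan for the internal interface at position `index` (0-based, the
    order shown in the Network pane of System Preferences).

    Per the guide: the server takes 192.168.x.1, DHCP hands out
    192.168.x.2-192.168.x.254, and with VPN enabled the upper half,
    192.168.x.128-192.168.x.254, goes to VPN clients.  That DHCP then keeps
    192.168.x.2-192.168.x.127 is my inference from "half the addresses",
    not something the guide states explicitly."""
    if not 0 <= index <= 255:
        raise ValueError("192.168.x.0/24 only exists for x in 0..255")
    base = f"192.168.{index}."
    plan = {
        "interface_index": index,
        "server_address": IPv4Address(base + "1"),
        "dhcp_range": (IPv4Address(base + "2"), IPv4Address(base + "254")),
        "vpn_range": None,
    }
    if vpn_enabled:
        plan["dhcp_range"] = (IPv4Address(base + "2"), IPv4Address(base + "127"))
        plan["vpn_range"] = (IPv4Address(base + "128"), IPv4Address(base + "254"))
    return plan


def gateway_plan(internal_interface_count, vpn_enabled):
    """Plans for all internal interfaces, in Network-pane order."""
    return [interface_plan(i, vpn_enabled) for i in range(internal_interface_count)]


def _in_range(addr, rng):
    return rng is not None and rng[0] <= addr <= rng[1]


def classify(address, plan):
    """Which pool an address belongs to: 'gateway', 'dhcp', 'vpn',
    'unassigned' (a 192.168.x.x address the assistant never hands out, such
    as .0, .255 or an interface index that was not configured) or
    'external' (outside 192.168.0.0/16).  Handy when reading the firewall
    log: a LAN-side source address that comes back 'unassigned' is not one
    the gateway issued and deserves a closer look."""
    addr = IPv4Address(address)
    if addr not in PRIVATE_BLOCK:
        return "external"
    for p in plan:
        if addr == p["server_address"]:
            return "gateway"
        if _in_range(addr, p["dhcp_range"]):
            return "dhcp"
        if _in_range(addr, p["vpn_range"]):
            return "vpn"
    return "unassigned"


def firewall_allow_networks(plan):
    """CIDR blocks covering the DHCP ranges, i.e. the source addresses the
    assistant's firewall address groups allow to any destination.  A range
    starting at .2 does not align to one prefix, hence several blocks."""
    blocks = []
    for p in plan:
        low, high = p["dhcp_range"]
        blocks.extend(str(n) for n in summarize_address_range(low, high))
    return blocks


if __name__ == "__main__":
    # Two internal interfaces with VPN enabled, as in the setups below.
    plan = gateway_plan(2, vpn_enabled=True)
    for p in plan:
        print(p["server_address"], p["dhcp_range"], p["vpn_range"])
    # Constructed sample addresses, as they might appear in a firewall log.
    for sample in ("192.168.0.1", "192.168.0.50", "192.168.1.200",
                   "192.168.5.9", "10.1.2.3"):
        print(sample, "->", classify(sample, plan))
    print(firewall_allow_networks(plan))
```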
All of these setups assume the following fictitious details:
• You have a static IP address, allocated by your ISP (Internet service provider), that will be used by the server.
• The server is an Xserve G5 with 2 built-in Ethernet ports as network interfaces, Ethernet 1 (en0) and Ethernet 2 (en1), unless otherwise noted.
• The IP addresses to be used on your internal LAN are the standard internal LAN IP addresses: 192.168.x.x.

Connecting a Wired LAN to the Internet

You can use Gateway Setup Assistant to connect a wired local area network (LAN) to the Internet. Your LAN can contain any number of computers connected to one another by Ethernet hubs and switches, but it must have one point of contact with the Internet: the gateway.

At the end of this process, all computers on the LAN:
• can have their IP addresses and network settings configured by DHCP;
• can access the Internet (as long as the gateway's Internet connection is up);
• are not reachable by unauthorized network connections coming from the Internet;
• are reachable by authorized VPN clients over the Internet (if this is configured);
• benefit from DNS lookup caching on the gateway, which speeds up DNS resolution.

To connect a wired LAN to the Internet:
1 Plug the Internet connection into the Xserve's built-in Ethernet 1 (en0) port.
2 Plug the connection to your LAN into the Xserve's built-in Ethernet 2 (en1) port.
3 Open Gateway Setup Assistant.
You can open it from the /Applications/Server/ folder or from the View menu in Server Admin. Enter the address, name, and password of the administrator of the server you want to configure.
4 Designate Built-in Ethernet 1 as your WAN (Internet) interface.
5 Designate Built-in Ethernet 2 as your LAN (sharing) interface.
Your LAN interface is usually the one connected to your local network. All computers on the LAN will share the server's Internet connection through the server's WAN interface. If your server has more than one interface available at this point (Ethernet 2, Ethernet 3, and so on), choose which ones to enable.
6 Choose whether to make this gateway a VPN entry point into your LAN.
If you choose to enable VPN, you must have a "shared secret." A shared secret is a passphrase that all users must enter to establish a secure connection to the VPN gateway. It is recommended to use a very strong passphrase rather than the password of a user or administrator on the gateway server. For more about VPN, see Chapter 6, "VPN Service," on page 113.
7 Review and confirm the changes.

Options: You can fine-tune various settings of this basic setup. The rest of the configuration is done with Server Admin. For example, you can use Server Admin to configure automatic assignment of certain IP addresses to specific computers. You need to add static address mappings in the Settings tab of the DHCP section. For details, see Chapter 2, "DHCP Service."

You can also change the IP firewall settings to allow certain connections from the Internet into the LAN.
To do so, change the firewall settings by opening the desired IP ports, and configure port forwarding (by editing UNIX files from the command-line prompt) to designate the LAN computer that will accept the incoming traffic.

Connecting a Wired LAN and Wireless Clients to the Internet

You can use Gateway Setup Assistant to connect a wired LAN and wireless clients to the Internet. Your LAN can contain any number of computers connected to one another by Ethernet hubs and switches, but it must have one point of contact with the Internet: the gateway. Your LAN must also include an AirPort Base Station to connect the wireless computers to the rest of the wired network. All your wireless clients must be able to connect to the AirPort Base Station's wireless network in order to join the wired LAN.

At the end of this process, the computers on the LAN and those connected to the AirPort Base Station:
• can have their IP addresses and network settings configured by DHCP;
• can access the Internet (as long as the gateway's Internet connection is up);
• are not reachable by unauthorized network connections coming from the wired connection to the Internet;
• are reachable by authorized VPN clients over the Internet (if this is configured);
• benefit from DNS lookup caching on the gateway, which speeds up DNS resolution.

To connect a wired LAN and wireless clients to the Internet:
1 Plug the Internet connection into the Xserve's built-in Ethernet 1 (en0) port.
2 Plug the connection to your LAN into the Xserve's built-in Ethernet 2 (en1) port.
3 Connect the AirPort Base Station's port (the WAN port, if there are two) to the wired network.
4 Using AirPort Admin Utility (or AirPort Setup Assistant), configure the base station to connect using Ethernet and to obtain its own address via DHCP.
5 In the Network pane, make sure the "Distribute IP addresses" checkbox is deselected.
6 Click Update to change the base station's settings.
7 Open Gateway Setup Assistant.
You can open it from the /Applications/Server/ folder or from the View menu in Server Admin. Enter the address, name, and password of the administrator of the server you want to configure.
8 Designate Built-in Ethernet 1 as your WAN (Internet) interface.
9 Designate Built-in Ethernet 2 as your LAN (sharing) interface.
Your LAN interface is usually the one connected to your local network. All computers on the LAN will share the server's Internet connection through the server's WAN interface. If your server has more than one interface available at this point (Ethernet 2, Ethernet 3, and so on), choose which ones to enable.
10 Choose whether to make this gateway a VPN entry point into your LAN.
If you choose to enable VPN, you will need a "shared secret." A shared secret is a passphrase that all users must supply to establish a secure connection to the VPN gateway. It is recommended to use a very strong passphrase rather than the password of a user or administrator on the gateway server. For more about VPN, see Chapter 6, "VPN Service," on page 113.
11 Review and confirm the changes.

Options: You can fine-tune various settings of this basic setup. The rest of the configuration is done with Server Admin. For example, you can use Server Admin to configure automatic assignment of certain IP addresses to specific computers.
To do so, add static address mappings in the Settings tab of the DHCP section. For details, see Chapter 2, “DHCP Service.” You can also change the IP firewall settings to allow certain connections from the Internet to the local network. To do this, change the firewall settings by opening the desired IP ports, and configure port forwarding in the NAT pane to designate the computer on the local network that will accept the incoming traffic.

Connecting a Wireless LAN to the Internet
Connecting your wireless clients to the Internet through a Mac OS X Server gateway offers some advantages over using the base station’s built-in features. The gateway can provide advanced IP firewall control, DHCP assignment of static IP addresses, DNS caching, and incoming VPN connections into the local network. If you do not want or need these advanced features, you can use the AirPort base station to connect your wireless clients to the Internet without placing a Mac OS X Server between the base stations and the Internet. To benefit from the gateway features, use the base station as a bridge between your wireless clients and the gateway. Each client connects to the base station, which sends the network traffic through the gateway. All your wireless clients must be able to connect to the AirPort base station’s wireless network in order to reach the gateway.
When this process is complete, computers connected to the AirPort base station:
• can have their IP addresses and network settings configured by DHCP;
• can access the Internet (as long as the gateway’s Internet connection is up);
• are not reachable by unauthorized network connections coming from the wired connection to the Internet;
• are reachable by authorized VPN clients over the Internet (if configured);
• benefit from caching of DNS lookups on the gateway, which speeds up DNS resolution.
To connect a wired LAN and wireless clients to the Internet:
1 Plug the Internet connection into the Xserve’s Built-in Ethernet 1 port (en0).
2 Connect the AirPort base station’s port (the WAN port, if it has two) to the Xserve’s Built-in Ethernet 2 port (en1).
3 Using AirPort Admin Utility (or AirPort Setup Assistant), configure the base station to connect using Ethernet and to obtain its own address via DHCP.
4 In the Network pane, make sure the “Distribute IP addresses” checkbox is deselected.
5 Click Update to change the base station’s settings.
6 Open Gateway Setup Assistant. You can open it from the /Applications/Server/ folder or from the View menu of Server Admin. Enter the address, name and password of the administrator of the server you want to configure.
7 Designate Built-in Ethernet 1 as your WAN (Internet) interface.
8 Designate Built-in Ethernet 2 as your LAN (sharing) interface. Your LAN interface is usually the one connected to your local network. All computers on the local network will share the server’s Internet connection through the server’s WAN interface. If your server has more than one interface available at this point (Ethernet 2, Ethernet 3, and so on), choose which ones to enable.
9 Choose whether or not to make this gateway a VPN entry point into your LAN. If you choose to enable VPN, you will need a “shared secret.” A shared secret is a passphrase that all users must supply to establish a secure connection with the VPN gateway. It is recommended that you use a very strong passphrase rather than the password of a user or administrator on the gateway server. For more information about VPN, see Chapter 6, “VPN Service,” on page 113.
10 Review and confirm the changes.
Options: You can fine-tune various settings of this basic configuration. The rest of the configuration is done with Server Admin. For example, you can use Server Admin to configure the automatic assignment of specific IP addresses to specific computers. To do so, add static address mappings in the Settings tab of the DHCP section. For details, see Chapter 2, “DHCP Service.” You can also change the IP firewall settings to allow certain connections from the Internet to the local network. To do this, change the firewall settings by opening the desired IP ports, and configure port forwarding in the NAT pane to designate the computer on the local network that will accept the incoming traffic.

2 DHCP Service
The DHCP (Dynamic Host Configuration Protocol) service lets you administer IP addresses and distribute them to client computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a client computer configured to use DHCP starts up, it looks for a DHCP server on your network. If it finds one, the client computer then requests an IP address.
The DHCP server finds an available IP address and sends it to the client computer along with a “lease period” (the length of time the client computer may use the address) and configuration information. You can use the DHCP module of Server Admin to:
• Configure and administer DHCP service.
• Create and administer subnets.
• Configure DNS, LDAP and WINS options for client computers.
• View DHCP address lease times.
If your organization has more client computers than IP addresses, you benefit from using DHCP service. IP addresses are assigned on an as-needed basis, and when they are no longer needed they are made available to other clients. If necessary, you can use a combination of static and dynamic IP addresses for your network. For details on static and dynamic IP address assignment, see the next section. Organizations can take advantage of DHCP service features such as the ability to set DNS (Domain Name System) and LDAP (Lightweight Directory Access Protocol) options for client computers with no further configuration needed on the client computer.

Before You Set Up DHCP Service
Before you set up DHCP service, read this section for information about creating subnets, assigning static and dynamic IP addresses, locating your server on the network, and avoiding reserved IP addresses.

Creating Subnets
Subnets are groupings of computers on the same network that simplify their administration. You can organize subnets however you like. For example, you can create subnets for different groups within your organization or for different floors of a building.
Once you have grouped client computers into subnets, you can configure options for all the computers in a subnet at once rather than setting options for each client computer individually. Each subnet needs a way to connect to the other subnets. A device called a router usually links the subnets.

Assigning IP Addresses Dynamically
With dynamic assignment, an IP address is assigned for a limited time (the lease time) or until the client computer no longer needs the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than IP addresses. Leases are renewed automatically if the address is not in use by another computer. Addresses assigned to clients of a VPN (Virtual Private Network) are distributed in much the same way as DHCP addresses, but they do not come from the same range of addresses. If you plan to use a VPN, be sure to leave some DHCP addresses unassigned for the VPN. For more information about VPN, see Chapter 6, “VPN Service,” on page 113.

Using Static IP Addresses
Static IP addresses are assigned to a computer or device once and do not change. You may want to assign them to computers that need a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers, can also benefit from static IP addresses.
Static IP addresses can be set up either by entering the IP address manually on the computer or device that is assigned the address, or by configuring DHCP to provide the same address to a specific computer or device on every request. DHCP-assigned addresses let you make address configuration changes on the DHCP server rather than on the individual clients. Manually configured static IP addresses avoid the problems some services may have with DHCP addresses, and avoid the delay needed for DHCP address assignment. Do not include manually assigned IP address ranges in the range of addresses distributed by DHCP. DHCP can be configured to always assign the same address to a computer, which gives you both the advantages of static addresses and the advantages of centralized network configuration. For details, see “Assigning Static IP Addresses Using DHCP” on page 31.

Locating the DHCP Server
When a client computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the client computer, you must make sure the routers that connect your subnets can forward the client broadcasts and the DHCP server responses. Any relay agent or router on your network that can relay BootP communications will work with the DHCP server. If you have no way to relay BootP communications, you must place the DHCP server on the same subnet as your client computer.

Interacting With Other DHCP Servers
Your network may have other DHCP servers, such as AirPort base stations. Mac OS X Server can coexist with other DHCP servers as long as each one uses a unique pool of IP addresses.
However, you may want your DHCP server to provide an LDAP server address for automatic client computer configuration in managed environments. AirPort base stations cannot provide an LDAP server address. To use the automatic configuration feature, you must therefore configure the AirPort base stations in Ethernet bridge mode and set Mac OS X Server to provide DHCP service. If the AirPort base stations are on separate subnets, your routers must be configured to forward client broadcasts and DHCP server responses as described above. If you want to provide DHCP service with the AirPort base stations, you cannot use the automatic client computer configuration feature and must therefore enter the LDAP server addresses manually on the client workstations.

Using Multiple DHCP Servers on a Network
Multiple DHCP servers can be on the same network. However, it is important that they be configured correctly so that they do not interfere with each other. Each server must have a unique pool of IP addresses to distribute.

Assigning Reserved IP Addresses
Certain IP addresses cannot be assigned to individual hosts. These are the addresses reserved for loopback and for broadcast. Your ISP cannot assign you addresses of this kind. If you try to configure your DHCP server to use such addresses, you will receive a warning that the addresses are not valid, and you will need to enter valid addresses.

Getting More Information About the DHCP Process
Mac OS X Server uses a daemon process called “bootpd,” which is responsible for assigning addresses for DHCP service.
For more information about bootpd and its advanced configuration options, you can view the bootpd man page by typing the following command in Terminal:
man bootpd

Setting Up DHCP Service for the First Time
If you used Setup Assistant to configure ports on your server when you installed Mac OS X Server, some DHCP information is already configured. To finish configuring DHCP service, follow the instructions in this section. For each step, you will find more information about the settings in “Managing DHCP Service” on page 27.
Step 1: Create subnets
The following instructions explain how to create a pool of IP addresses shared by the client computers on your network. You create one range of shared addresses for each subnet. These addresses are assigned by the DHCP server when a client issues a request. See “Creating Subnets in DHCP Service” on page 27.
Step 2: Set up logs for DHCP service
You can log DHCP service activity and errors to monitor requests and identify problems with your server. DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing the log settings in the Logging pane of the DHCP service settings. For more information about setting up logs for DHCP service, see “Setting the Log Detail Level for DHCP Service” on page 33.
Step 3: Start DHCP service
See “Starting and Stopping DHCP Service” on page 27.

Managing DHCP Service
This section explains how to set up and manage DHCP service on Mac OS X Server.
This includes starting the service, creating subnets, and defining optional settings such as LDAP or DNS for a subnet.

Starting and Stopping DHCP Service
Use the following steps to start or stop DHCP service. At least one subnet must be created and enabled.
To start or stop DHCP service:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Make sure at least one network interface and subnet is configured and selected.
3 Click Start Service or Stop Service. When the service is on, the Stop Service button is available.

Creating Subnets in DHCP Service
Subnets are groupings of client computers on the same network, which can be organized by location (different floors of a building, for example) or by usage (all the ninth-grade students, for example). Each subnet has at least one range of IP addresses.
To create a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Click the Add ( + ) button.
5 Select the General tab.
6 Enter a descriptive name for the new subnet (optional).
7 Enter a starting and an ending IP address for this subnet’s range. The addresses must be contiguous and cannot overlap the ranges of other subnets.
8 Enter the subnet mask for the network address range.
9 Choose the Network Interface from the pop-up menu.
10 Enter the IP address of the router for this subnet. If the server you are configuring is the router for the subnet, enter this server’s internal LAN IP address as the router address.
11 Define the lease time in hours, days, weeks or months.
12 If you want to define DNS, LDAP or WINS information for this subnet, enter it now. For more information, see “Setting the DNS Server for a DHCP Subnet” on page 29, “Setting LDAP Options for a Subnet” on page 30, and “Setting WINS Options for a Subnet” on page 30.
13 Click Save.

Changing Subnet Settings in DHCP Service
Use Server Admin to change the settings of an existing DHCP subnet. You can change the IP address range, the subnet mask, the network interface, the router or the lease time.
To change subnet settings:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet.
5 Click the Edit ( / ) button.
6 Make the changes you want. These changes can include adding DNS, LDAP or WINS information. You can also redefine address ranges or change the network interface that responds to DHCP requests.
7 Click Save.

Deleting Subnets From DHCP Service
You can delete subnets and subnet IP address ranges that will no longer be distributed to clients.
To delete subnets or address ranges:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select a subnet.
4 Click the Delete ( - ) button.
5 Click Save to confirm the deletion.

Disabling Subnets Temporarily
You can temporarily suspend a subnet without losing its settings.
This means that no IP address from the subnet’s range will be distributed to a client on the selected interface.
To disable a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Deselect the “Enable” checkbox next to the subnet you want to disable.

Changing IP Address Lease Times for a Subnet
You can change how long the IP addresses in a subnet remain available to client computers.
To change the lease time for a subnet address range:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet range, then click the Edit ( / ) button.
5 Select the General tab.
6 Select a time scale from the Lease Time pop-up menu (hours, days, weeks or months).
7 Enter a number in the Lease Time field.
8 Click Save.

Setting the DNS Server for a DHCP Subnet
You can choose which DNS servers and default domain name a subnet should use. DHCP service provides this information to the client computers in the subnet.
To set DNS options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet, then click the Edit ( / ) button.
5 Select the DNS tab.
6 Enter the subnet’s default domain.
7 Enter the IP addresses of the primary and secondary name servers you want DHCP clients to use.
8 Click Save.

Setting LDAP Options for a Subnet
You can use DHCP to provide your clients with LDAP server information instead of configuring each of them manually. The order in which the LDAP servers appear determines the search order in the Open Directory automatic search policy. If you are currently using Mac OS X Server as an LDAP master, the LDAP options already contain the necessary configuration information. If your LDAP master is another machine, you need to know the domain name or IP address of the LDAP database you want to use. You also need to know the LDAP search base.
To set LDAP options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet, then click the Edit ( / ) button.
5 Click the LDAP tab.
6 Enter the domain name or IP address of the LDAP server for this subnet.
7 Enter the search base for LDAP searches.
8 Enter the LDAP port number, if you are using a nonstandard port.
9 Select LDAP over SSL, if required.
10 Click Save.

Setting WINS Options for a Subnet
You can provide additional information to client computers running Windows in a subnet by adding Windows-specific settings to the DHCP network configuration data. These Windows-specific settings let Windows clients browse their Network Neighborhood. You need to know the domain name or IP address of the primary and secondary WINS/NBNS servers (usually the IP address of the DHCP server itself) and the NBT node type (usually “broadcast”).
The NBDD server and the NetBIOS scope ID are usually not used, but you may need them depending on how your Windows client computers and your Windows network infrastructure are configured.
To set WINS options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet, then click the Edit ( / ) button.
5 Click the WINS tab.
6 Enter the domain name or IP address of the primary and secondary WINS/NBNS servers for this subnet.
7 Enter the domain name or IP address of the NBDD server for this subnet.
8 Choose the NBT node type from the pop-up menu.
9 Enter the NetBIOS scope ID.
10 Click Save.

Assigning Static IP Addresses Using DHCP
You can assign the same addresses to specific computers if you want. This lets you keep the configuration convenience of DHCP while still having static servers or services. To assign the same IP address to a computer, you need to know the computer’s Ethernet address (also sometimes called the MAC address or hardware address). Each network interface has its own Ethernet address. Keep in mind that a computer that switches from a wired network to a wireless network uses two different Ethernet addresses, one for the wired connection and one for the wireless connection.
To assign static IP addresses:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Click Static Maps.
4 Click the Add ( + ) button.
5 Enter the Ethernet address of the computer that should receive a static address.
6 Enter the IP address you want to assign to it.
7 Enter the computer’s name.
8 Click OK.
9 Click Save.

Deleting or Changing Static Address Mappings
You can change or delete static mappings as you wish.
To change or delete a static address mapping:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Click Static Maps.
4 Select the mapping to change or delete.
5 Click the Edit ( / ) or Delete ( - ) button.
6 If you are changing the mapping, make the changes you want, then click OK.
7 Click Save.

Monitoring DHCP Service
You will need to monitor DHCP service. There are two ways to do so: you can view the client list, and you can watch the log files generated by the service. You can use the service logs to help you troubleshoot network problems. The following sections cover these ways of monitoring DHCP service.

Viewing the DHCP Service Status Overview
The DHCP service status overview gives a brief summary of the service. It shows whether the service is running, how many clients it has, and when it was started. It also shows the number of IP addresses statically assigned from your subnets, and when the client database was last updated.
To view the overview:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click the Overview button.

Setting the Log Detail Level for DHCP Service
You can choose the level of detail you want in the DHCP service logs.
• “Low (errors only)” reports situations where you must take immediate action (for example, if the DHCP server fails to start).
This level corresponds to bootpd reporting in “quiet” mode, selected by the “-q” flag.
• “Medium (errors and messages)” can alert you when data is inconsistent but the DHCP server can still operate. This level corresponds to bootpd’s default reporting.
• “High (all events)” records all DHCP service activity, including routine operations. This level corresponds to bootpd reporting in “verbose” mode, selected by the “-v” flag.
To set the log detail level:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Choose the logging option you want.
5 Click Save.

Viewing DHCP Log Entries
If you have enabled logging for DHCP service, you can view the system log to look for DHCP errors. The log view is the system .log file filtered for “bootpd.” You can narrow the entries further using the text filter field.
To view DHCP log entries:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Log.

Viewing the DHCP Client List
The DHCP Clients window provides the following information for each client:
• the IP address given to the client;
• the number of days remaining in the lease, as long as it is not less than 24 hours, and after that the number of hours and minutes;
• the DHCP client ID, which is usually, but not always, the same as the hardware address;
• the computer name;
• the Ethernet ID.
To view the DHCP client list:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Clients. Click a column heading to sort the list by different criteria.
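The lease-time setting and the client list described above can be tried out on a small model of a DHCP pool. This is an added example written for this page, not Apple’s code and not bootpd’s implementation; the pool addresses and the visitor arrivals are constructed.

```python
"""Added example (not Apple's code, not bootpd): a small lease-pool model.

The "Assigning IP Addresses Dynamically" section says short leases let DHCP
reuse addresses on a network with more computers than addresses. This model
hands out a constructed pool, expires and renews leases, and renders the
remaining lease time the way the DHCP Clients window does: whole days while
at least 24 hours remain, otherwise hours and minutes.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Lease:
    ip: str
    client_id: str      # DHCP client ID (usually, not always, the hardware address)
    computer_name: str
    expires: int        # seconds since the start of the simulation


def format_remaining(seconds):
    """Remaining lease as shown in the client list: days while >= 24 h, else h/m."""
    if seconds >= 86400:
        days = seconds // 86400
        return f"{days} day{'s' if days != 1 else ''}"
    hours, rest = divmod(seconds, 3600)
    return f"{hours}h {rest // 60}m"


class LeasePool:
    """One subnet range with a single lease duration, as set in the General tab."""

    def __init__(self, first_ip, last_ip, lease_seconds):
        first = int(ipaddress.IPv4Address(first_ip))
        last = int(ipaddress.IPv4Address(last_ip))
        if last < first:
            raise ValueError("range end precedes range start")
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}  # client_id -> Lease

    def _expire(self, now):
        """Return addresses whose lease has run out to the pool."""
        for cid, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[cid]
                self.free.append(lease.ip)

    def request(self, client_id, computer_name, now):
        """Return the address granted, or None when the pool is exhausted."""
        self._expire(now)
        lease = self.leases.get(client_id)
        if lease is not None:  # renewal: same address, new expiry
            lease.expires = now + self.lease_seconds
            return lease.ip
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[client_id] = Lease(ip, client_id, computer_name,
                                       now + self.lease_seconds)
        return ip

    def client_list(self, now):
        """Rows like the DHCP Clients window: IP, remaining, client ID, name."""
        self._expire(now)
        rows = sorted(self.leases.values(),
                      key=lambda l: ipaddress.IPv4Address(l.ip))
        return [(l.ip, format_remaining(l.expires - now), l.client_id,
                 l.computer_name) for l in rows]


def refused_requests(lease_seconds, arrivals,
                     first_ip="192.168.1.10", last_ip="192.168.1.12"):
    """Count clients turned away from a constructed 3-address pool."""
    pool = LeasePool(first_ip, last_ip, lease_seconds)
    refused = 0
    for when, client_id in arrivals:
        if pool.request(client_id, client_id, when) is None:
            refused += 1
    return refused


# Constructed arrivals: one transient visitor per hour, each asking once.
HOURLY_VISITORS = [(h * 3600, f"visitor-{h}") for h in range(5)]

if __name__ == "__main__":
    print("4 h lease, refused:", refused_requests(4 * 3600, HOURLY_VISITORS))  # 1
    print("30 min lease, refused:", refused_requests(1800, HOURLY_VISITORS))   # 0
```

With a four-hour lease the fourth visitor finds no free address; with a thirty-minute lease every visitor is served from the same three addresses.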
Common Network Configurations That Use DHCP
This section contains sample DHCP configurations for different network uses. When you set up a private network, you must choose your IP addresses from the address blocks that the IANA (Internet Assigned Numbers Authority) reserves for private networks (intranets):
• 10.0.0.0 to 10.255.255.255 (10/8 prefix)
• 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

Using DHCP to Provide IP Addresses Behind a NAT Gateway
Use DHCP to provide IP addresses to the computers behind a NAT gateway. Although this is not strictly necessary (network address translation can be used with static IP addresses rather than DHCP), it makes configuring client computers easy. For details, see “Linking a LAN to the Internet Through One IP Address” on page 106.

Workgroup Configuration
Suppose you have a small workgroup that has its own pool of DHCP addresses. You also have an IP-connected printer, a file server, and an Open Directory server (on the network or not) for user management. To use DHCP in this configuration, you need:
• A working, configured firewall that allows LDAP and printer (IP printing) connections. For details, see Chapter 4, “IP Firewall Service.”
• A working, configured Open Directory or LDAP server on which users are defined.
For more information, see the guides “Mac OS X Server Open Directory Administration for Version 10.4 or Later” and “Mac OS X Server User Management for Version 10.4 or Later.”
The DHCP configuration in this example involves static IP address mapping and additional network settings on the clients. You could set it up as follows:
• For a printer that must receive a static IP address, make sure the assigned DHCP address range does not include the printer’s static IP address. If the printer can be configured to accept an address via DHCP, you need not worry about an overlap. For details, see “Using Static IP Addresses” on page 24.
• For a file server that must always receive the same address, use Mac OS X Server’s static IP mapping to always assign the same IP address to its Ethernet address. For details, see “Assigning Static IP Addresses Using DHCP” on page 31.
• For the DHCP configuration, enable the LDAP options for DHCP clients. This automatically gives the clients the directory information they need. For details, see “Setting LDAP Options for a Subnet” on page 30.
• For the Mac OS X client configuration, make sure the IPv4 configuration method in the Network pane of System Preferences is set to “DHCP.”
This configuration lets the computers on the network be managed by an LDAP or Open Directory server and get all their networking configuration from DHCP. They can reach a static IP address or consistently assigned IP addresses on the same network. You also get centralized configuration for all client computers.
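Before entering the workgroup plan above in Server Admin, you can check it against the rules this chapter states: a contiguous range inside the subnet mask, the reserved network, broadcast and loopback addresses excluded, an IANA private block, no overlap with another server’s pool, the manually configured printer and the router outside the dynamic range, and well-formed static mappings. The checker below is an added example, not Apple’s or bootpd’s code; the subnet, the printer and file server addresses and the second pool are constructed values.

```python
"""Added example (not Apple's code): validate a planned DHCP subnet against
the rules stated in this chapter before entering it in Server Admin.
Sample values are constructed.
"""
import ipaddress
import re

# IANA blocks reserved for private networks, as listed in this chapter.
PRIVATE_BLOCKS = [ipaddress.IPv4Network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # six hex octets


def _overlaps(a_first, a_last, b_first, b_last):
    return max(a_first, b_first) <= min(a_last, b_last)


def check_subnet_plan(start, end, mask, router, other_pools=(),
                      manual_static=(), static_maps=()):
    """Return a list of problem strings; an empty list means the plan is consistent.

    start/end: first and last dynamic address; mask: dotted subnet mask;
    router: gateway address handed to clients; other_pools: (first, last)
    ranges of other subnets or other DHCP servers (e.g. a base station that
    still distributes addresses); manual_static: addresses typed directly on
    hosts such as a printer; static_maps: (ethernet_address, ip, name) tuples.
    """
    problems = []
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    if last < first:
        return ["range end precedes range start"]
    if last not in net:
        problems.append(f"range end {last} lies outside subnet {net}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("range includes the reserved network or broadcast address")
    if net.overlaps(LOOPBACK):
        problems.append("range lies in the reserved loopback block")
    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append(f"subnet {net} is not in an IANA private block")
    gw = ipaddress.IPv4Address(router)
    if gw not in net:
        problems.append(f"router {gw} is not in subnet {net}")
    elif first <= gw <= last:
        problems.append(f"router {gw} falls inside the dynamic range")
    for o_start, o_end in other_pools:  # each server needs a unique pool
        if _overlaps(first, last, ipaddress.IPv4Address(o_start),
                     ipaddress.IPv4Address(o_end)):
            problems.append(f"range overlaps another pool {o_start}-{o_end}")
    for addr in manual_static:  # hand-configured hosts stay out of the range
        if first <= ipaddress.IPv4Address(addr) <= last:
            problems.append(f"manually configured host {addr} is inside the dynamic range")
    seen_mac, seen_ip = set(), set()
    for mac, addr, name in static_maps:
        mac = mac.lower()
        ip = ipaddress.IPv4Address(addr)
        if not MAC_RE.match(mac):
            problems.append(f"{name}: Ethernet address {mac!r} is not six hex octets")
        if ip not in net or ip in (net.network_address, net.broadcast_address, gw):
            problems.append(f"{name}: mapped address {ip} is not a usable host address in {net}")
        if mac in seen_mac or ip in seen_ip:
            problems.append(f"{name}: duplicate static mapping ({mac} / {ip})")
        seen_mac.add(mac)
        seen_ip.add(ip)
    return problems


# Constructed workgroup plan: dynamic range .100-.200, printer configured by
# hand at .20, file server mapped by Ethernet address to .50, and a second
# DHCP server (a base station) distributing a separate 10.0.1.x pool.
WORKGROUP = dict(
    start="192.168.1.100", end="192.168.1.200", mask="255.255.255.0",
    router="192.168.1.1",
    other_pools=[("10.0.1.2", "10.0.1.200")],
    manual_static=["192.168.1.20"],
    static_maps=[("00:0a:95:9d:68:16", "192.168.1.50", "file server")],
)

if __name__ == "__main__":
    print("workgroup plan:", check_subnet_plan(**WORKGROUP) or "ok")
    print("bad plan:", check_subnet_plan("192.168.1.0", "192.168.1.255",
                                         "255.255.255.0", "192.168.1.1",
                                         manual_static=["192.168.1.20"]))
```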
Student Lab Configuration
The student lab configuration is similar to the workgroup configuration, but it adds another service that uses DHCP: NetBoot. In addition to DHCP for centralized network configuration, NetBoot standardizes the startup environments by having all client computers start up from a disk image on a central NetBoot server. This configuration is the same as the “Workgroup Configuration” on page 34, with the following exceptions:
• There may or may not be static-address resources. That depends on how the lab is set up, of course. You might have a classroom printer or file server, but if you use a mobile cart that you move from classroom to classroom, you are not going to bring a server and a printer along with you.
• NetBoot is enabled and configured, along with the firewall settings to support it. Any client on the network can be set to start up from the NetBoot server. New computers can be deployed by setting the NetBoot image as the computer’s startup disk. No further configuration is needed, and it is easy to change later what the computers are used for, because the hard disk need not be modified.
This configuration lets the computers on the network be managed by an LDAP or Open Directory server and get all their networking configuration from DHCP. The computing environment is also configured centrally for all client computers. New clients can be added or replaced with little effort.

Bistro Configuration
The bistro configuration is not necessarily about a bistro.
It is a type of configuration intended for an entirely dynamic addressing environment, with no user management and no service provided other than Internet access, DNS access and possibly one or two other services. It is characterized by a large number of transient mobile users who use the Internet access and then leave. This configuration could be used in real situations such as a wireless network at a college or university, or a shared office for visiting consultants. To use DHCP in this configuration, you need:
• A working, configured firewall that allows only outbound web traffic and outbound DNS lookups. You can place this network outside your firewall and make sure that network traffic from the DHCP-assigned IP addresses is fully controlled and monitored. For details, see Chapter 4, “IP Firewall Service.”
You can configure the DHCP service as follows:
• Make networking configuration automatic. Configure DHCP clients to receive as much of their network configuration as possible via DHCP.
• Do not give DHCP clients options they are not supposed to have. Do not give them additional information about your organization via LDAP information. You can give Windows clients additional network options. For details, see “Setting WINS Options for a Subnet” on page 30.
Warning: Make sure that any sensitive information on your local network is well protected behind an additional firewall on another network if you host unauthenticated temporary users.
• Limit resource usage. A large number of users can consume a lot of bandwidth.
You could reduce the number of DHCP clients that can connect simultaneously by allowing only a small number of addresses to be assigned. For details, see “Creating Subnets in DHCP Service” on page 27.
• Keep a high address turnover rate. You will want to make the address lease time as short as possible. That way, as users come and go on the network, addresses can be reassigned as quickly as possible. For details, see “Creating Subnets in DHCP Service” on page 27.
• Monitor traffic. Keep an eye on DHCP connections and clients, firewall rule packet logging, or other monitoring tools. Open access points can be dangerous if they are not watched vigilantly.
Where to Find More Information
Request for Comments (RFC) documents provide an overview of a protocol or service and detail how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in RFCs. If you are an experienced server administrator, you will find all the technical details about a particular protocol in the corresponding RFC document. You can search for RFC documents by number at: www.ietf.org/rfc.html
For detailed information on the DHCP service, see RFC 2131.
To learn more about bootpd and its advanced configuration options, see the bootpd man page in Terminal by typing:
man bootpd

3 DNS Service
When your clients want to connect to a network resource such as a web server or file server, they generally use its domain name (such as www.exemple.com) rather than its IP address (such as 192.168.12.12).
The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so that your clients locate resources by name rather than by numeric address. A DNS server maintains the list of domain names and the IP addresses associated with each name. When a computer needs the IP address corresponding to a name, it sends a message to the DNS server (also called a name server). The name server looks up the IP address and returns it to the computer. If the name server does not find the IP address locally, it sends messages to other name servers on the Internet to obtain it.
The process of setting up and maintaining a DNS server is complex. That is why many administrators rely on their Internet service provider (ISP) for DNS services. If that is your case, all you need to do is configure your network preferences with the IP address of the name server that your provider gave you.
If your provider cannot handle DNS requests for your network and one of the following statements is true, you must set up DNS service:
• You have no way to use your ISP’s DNS service or any other source.
• You plan to change the namespace frequently and want to manage it yourself.
• You have a mail server on your network and are having trouble coordinating with the provider responsible for your domain.
• You have security concerns about giving the names and addresses of the computers on your network to an outside organization (your ISP).
Mac OS X Server uses Berkeley Internet Name Domain (BIND v.9.2.2) for its implementation of the DNS protocols.
BIND is an open source implementation used by the majority of name servers on the Internet.
Before You Set Up DNS Service
This section contains information you should take into account before setting up DNS service on your network. The issues involved in DNS administration are as complex as they are numerous. You should only set up DNS service on your network if you are an experienced DNS administrator.
You might consider creating a mail alias called “hostmaster” that receives mail and forwards it to the person who runs the DNS server at your site. This lets users and other DNS administrators contact you about problems with the DNS service.
DNS and BIND
You must have a thorough understanding of this area before setting up your own DNS server. To learn about DNS, read DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2001).
Note: Apple can help you find a network consultant to implement your DNS service. You can contact Apple Professional Services and the Apple Consultants Network on the web at www.apple.com/fr/services/ or www.apple.com/consultants.
Setting Up Multiple Name Servers
You should set up at least one primary name server and one secondary name server. That way, the secondary name server can take over if the primary name server suddenly stops. A secondary server obtains data from the primary server by periodically copying all of the primary’s domain information.
Once the name server obtains the name/address pair of a host in another domain (that is, outside the domain it serves), the information is cached so that the IP addresses of recently resolved names are stored for later use. DNS information is generally cached on your name server for a set period of time, referred to as the time-to-live (TTL) value. When the TTL value of a domain name/IP address pair has expired, the corresponding entry is removed from the name server’s cache. Your server then requests the information it needs again.
Setting Up DNS Service for the First Time
If you use an external DNS name server and entered its IP address in Server Assistant, you do not need to do anything else. If you are setting up your own DNS server, follow the steps described in this section.
Step 1: Register your domain name
Domain name registration is managed by a centralized organization called IANA (Internet Assigned Numbers Authority). IANA ensures that domain names are unique across the Internet. (See www.iana.org for more information.) If you do not register your domain name, your network will not be able to communicate on the Internet.
Once the domain name is registered, you can create subdomains if your DNS server is configured on your network to track the names and IP addresses of the subdomains. For example, if you register the domain name “exemple.com”, you can create the subdomains “hôte1.exemple.com”, “courrier.exemple.com” or “www.exemple.com”.
The server for a subdomain might be called “principal.www.exemple.com” or “sauvegarde.www.exemple.com.” The DNS server for exemple.com tracks the information for its subdomains, such as host (or computer) names, static IP addresses, aliases and mail exchangers.
If your ISP handles your DNS service, you will need to inform it of any change made to your namespace, including the addition of subdomains.
The range of IP addresses used for a given domain must be clearly specified before setup. These addresses are used only for that specific domain (and never by another domain or subdomain). The address range should be communicated to your network administrator or service provider.
Step 2: Learn and plan
If this is the first time you are working with DNS, you must learn and understand the DNS concepts, tools and features of Mac OS X Server and BIND. See “Where to Find More Information” on page 63. Then plan your DNS service. You might ask yourself the following questions during planning:
• Do you really need a local DNS server? Does your ISP provide DNS service? Could you use multicast DNS names instead?
• How many servers will you need for the expected load? How many servers will you need for backups? For example, you will need to designate a second or even a third computer for backup DNS service.
• What is your security strategy in case of abuse?
• How often should you schedule periodic inspections or tests of the DNS records to verify data integrity?
• How many services or devices (such as an intranet website or a network printer) will need a name?
There are two ways to set up DNS service on Mac OS X Server. The first (recommended) is to set up DNS service using Server Admin. For instructions, see “Managing DNS Service” on page 43. The second way to set up DNS is to modify BIND’s configuration file. BIND is the set of programs used by Mac OS X Server that implements DNS. One of these programs is the name daemon, or named.
To install and configure BIND, you must modify the configuration file and the zone file. The configuration file is located at:
/etc/named.conf
The name of the zone file is created from the name of the zone. Thus, the zone file for “exemple.com” is located at:
/var/named/exemple.com.zone
If you modify named.conf to configure BIND, do not under any circumstances change the settings of the inet control statement. If you do, Server Admin will no longer be able to retrieve status information for DNS. The inet settings must be as follows:
controls {
    inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
};
Step 3: Configure basic DNS settings
For details, see “Managing DNS Service” on page 43. Decide whether you will allow recursion or zone transfers.
Step 4: Create a DNS zone
Use Server Admin to set up DNS zones. For instructions, see “Managing DNS Zones” on page 45. After you add a primary zone, Server Admin automatically creates an NS record with the same name as the SOA (Source of Authority). Each time you create a zone, Mac OS X Server creates a reverse lookup zone.
Reverse lookup zones convert IP addresses into domain names, whereas normal lookups convert domain names into IP addresses.
Step 5: Add DNS computer records to the zone
Use Server Admin to add further records to your zone. Create an address record for every computer or device (printer, file server, and so on) that has a static IP address and needs a name. Various DNS zone records are created from the DNS computer entries. For instructions, see “Managing DNS Computer Records” on page 49.
Step 6: Set up a Mail Exchange (MX) record (optional)
If you provide mail service over the Internet, you must set up an MX record for your server. For details, see “Setting Up MX Records” on page 57.
Step 7: Configure the IP firewall
You will need to configure your firewall to make sure your DNS service is protected from attacks and reachable by your clients. To learn more about configuring an IP firewall, see Chapter 4, “IP Firewall Service.”
Step 8: Start DNS service
Mac OS X Server provides a simple interface for starting and stopping DNS service. For details, see “Starting and Stopping DNS Service” on page 43.
Managing DNS Service
Mac OS X Server provides a simple interface for starting and stopping DNS service and for viewing logs and status. Basic DNS settings can be configured using Server Admin. More advanced features require configuring BIND from the command line and are not covered in this guide.
Starting and Stopping DNS Service
Follow these steps to start or stop DNS service.
Remember to restart DNS service after each change to the DNS service made in Server Admin.
To start or stop DNS service:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Make sure that at least one zone and its reverse lookup zone are created and fully configured.
3 Click Start Service or Stop Service.
Starting and stopping the service may take a moment.
Enabling or Disabling Zone Transfers
In the Domain Name System (DNS), a “zone transfer” is used to replicate zone data across authoritative DNS servers. Secondary DNS servers use zone transfers to acquire their data from primary DNS servers. Zone transfers must be enabled in order to use secondary DNS servers.
To enable or disable zone transfers:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select or deselect “Allow zone transfers”, as appropriate.
Enabling or Disabling Recursion
Recursion is the process of fully resolving domain names into IP addresses. Users’ applications depend on the DNS server to perform this function. Other DNS servers that query yours do not need to perform recursion. To prevent malicious users from corrupting the records of the primary zone (“cache poisoning”) or from using the DNS service illicitly, you can disable recursion. However, if you turn it off, your own users will no longer be able to use the DNS service to look up names outside your zones.
You should therefore disable recursion only if no client uses this DNS server for name resolution and no server uses it as a forwarder.
To enable or disable recursion:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select or deselect Recursion, as you wish. Select Recursion to allow it. Deselect Recursion to disallow it.
If you choose to enable recursion, you can disable it for external IP addresses while keeping it enabled for LAN IP addresses by editing BIND’s named.conf file. For more information, see the BIND documentation.
Managing DNS Zones
Zones are the basic organizational element of the Domain Name System (DNS). Zones contain records and are defined by how they acquire those records and how they respond to DNS queries. There are, in principle, three types of zones (others are not covered by this guide):
Primary
A primary zone holds the master copy of the zone’s records and provides authoritative answers to lookup queries.
Secondary
A secondary zone is a copy of a primary zone stored on a secondary name server. Each secondary keeps a list of the primary servers it contacts to receive updates to the primary zone’s records. Secondary zones must be configured to request a copy of the primary zone’s data. Secondary zones use zone transfers to obtain these copies. Secondary name servers can handle lookup queries just like primary servers.
Using several secondary zones linked to a single primary zone lets you distribute the DNS query load across several computers and ensures that lookup queries are answered when the primary name server is out of service. Secondary zones also have a refresh interval. This determines how often secondary zones check whether changes have been made to the primary zone. You can change the zone refresh interval by editing BIND’s configuration file. For more information, see the BIND documentation.
Forwarding
A forwarding zone forwards all lookup queries for that zone to other DNS servers. Forwarding zones do not perform zone transfers. Forwarding zone servers are often used to provide DNS service to a private network located behind a firewall. In this case, the DNS server must have access to the Internet and to another DNS server located outside the firewall. Finally, forwarding zones cache the answers to the queries they forward. This improves lookup performance for clients that use the forwarding zone.
Server Admin does not support creating or modifying forwarding zones. To create a forwarding zone, you must configure BIND manually at the command line. For details, see the BIND documentation.
Adding a Primary Zone
A primary zone holds the master copy of the zone’s records and provides authoritative answers to lookup queries. After you add a primary zone, Server Admin automatically creates an NS record with the same name as the SOA (Source of Authority).
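As an added example (not a file from the guide or from Mac OS X Server), here is what a hand-maintained BIND configuration for the exemple.com zone looks like when recursion is limited to the LAN, zone transfers are limited to your own secondary, and a forwarding zone is added as described above, followed by the zone files with the records Server Admin would generate for three computer records. The LAN 192.168.12.0/24, the name server sdn.exemple.com at 192.168.12.1, the secondary at 192.168.12.2, the upstream resolver 203.0.113.53, the partner domain and the key file location /etc/rndc.key are all assumptions.

```conf
// /etc/named.conf (added example). Assumed values: LAN 192.168.12.0/24,
// secondary name server 192.168.12.2, upstream resolver 203.0.113.53.
acl "lan"         { 127.0.0.1; 192.168.12.0/24; };
acl "secondaries" { 192.168.12.2; };

options {
    directory "/var/named";
    // Recursion stays on for LAN clients only; outside hosts get authoritative
    // answers for our own zones and a refusal for anything else, which limits
    // cache poisoning and illicit use of the resolver by strangers.
    recursion yes;
    allow-recursion { lan; };
    // Only our own secondary may pull zone data. Server Admin's
    // "Allow zone transfers" checkbox is all-or-nothing; this is the finer setting.
    allow-transfer { secondaries; };
};

include "/etc/rndc.key";   // defines key "rndc-key" (assumed location)

// Leave this statement exactly as the guide shows it: Server Admin reads
// DNS status through this control channel.
controls {
    inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
};

// Forward zone, the equivalent of a primary zone created in Server Admin.
zone "exemple.com" IN {
    type master;
    file "exemple.com.zone";
    allow-update { none; };      // no dynamic updates from anyone
};

// Reverse lookup zone, which the guide says is created alongside each zone.
zone "12.168.192.in-addr.arpa" IN {
    type master;
    file "12.168.192.in-addr.arpa.zone";
    allow-update { none; };
};

// Forwarding zone (cannot be created in Server Admin): queries for this
// hypothetical partner domain go to the upstream resolver and are cached here.
zone "partenaire.example" IN {
    type forward;
    forward only;
    forwarders { 203.0.113.53; };
};

; ---- /var/named/exemple.com.zone: the records Server Admin would generate for
; three computer records: sdn (name server), courrier (mail server, priority 10,
; with HINFO and TXT from the hardware and Comments fields) and the alias www.
$TTL 86400
@           IN  SOA   sdn.exemple.com. hostmaster.exemple.com. (
                      1          ; serial (constructed)
                      3600       ; refresh
                      900        ; retry
                      604800     ; expire
                      86400 )    ; negative-answer TTL
            IN  NS    sdn.exemple.com.
            IN  MX    10 courrier.exemple.com.
sdn         IN  A     192.168.12.1
courrier    IN  A     192.168.12.12
            IN  HINFO "Xserve" "Mac OS X Server 10.4"
            IN  TXT   "Server room, 1st floor, cabinet B"
www         IN  CNAME courrier.exemple.com.

; ---- /var/named/12.168.192.in-addr.arpa.zone: PTR records for the same hosts.
$TTL 86400
@           IN  SOA   sdn.exemple.com. hostmaster.exemple.com. ( 1 3600 900 604800 86400 )
            IN  NS    sdn.exemple.com.
1           IN  PTR   sdn.exemple.com.
12          IN  PTR   courrier.exemple.com.
```

After editing these files by hand, restart DNS service from Server Admin as the guide describes so that named reloads them.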
To add a primary zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Add ( + ) button below the Zones list.
5 Enter a zone name. The zone name is the domain name.
6 Enter the host name of the domain’s SOA. If this computer is the authoritative name server for the domain, enter the computer’s host name. For example, “sdn.exemple.com.”
7 Enter the IP address of the zone’s server.
8 Enter the email address of the zone administrator.
9 Enter the zone’s validity period. This is the zone’s time-to-live. The time-to-live determines how long the information in answers to queries may remain cached on remote DNS systems before they query the authoritative server again.
10 Click Save.
Adding a Secondary Zone
A secondary zone is a copy of a primary zone stored on a secondary name server. Each secondary zone keeps a list of the primary servers it contacts to receive updates to the primary zone’s records. Secondary zones must be configured to request a copy of the primary zone’s data. Secondary zones use zone transfers to obtain these copies. Secondary name servers can handle lookup queries just like primary servers.
To add a secondary zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Secondary Zones tab.
4 Click the Add ( + ) button below the Zones list.
5 Enter a zone name. This is the fully qualified domain name of the secondary server.
6 Click the Add ( + ) button.
7 Enter the IP addresses of the primary servers for this secondary zone.
8 Click OK.
9 Click Save.
Duplicating a Zone
You can create a copy of an existing zone on the same computer. You might use this to speed up the configuration of several zones or domain names for a single physical local network.
To duplicate a zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Duplicate button below the Zones list.
5 If you wish, double-click the newly duplicated zone to edit the zone information.
6 Click Save.
Modifying a Zone
This section describes changing a zone’s type and settings, but not a zone’s records. You may need to change a zone’s administrator email address, type or domain name.
To modify a zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Edit ( / ) button below the Zones list.
5 Change the zone’s name, type or administrator email address as needed. For more information about zone types, see “Managing DNS Zones” on page 45.
6 Click OK, then click Save.
Deleting a Zone
This section explains how to delete an existing zone. This action deletes the zone and all the records associated with it.
To delete a zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone to delete.
5 Click the Delete ( - ) button below the Zones list.
6 Click Save to confirm the deletion.
Using a Zone File
You may have a BIND zone file from a DNS server on another platform.
Rather than entering all the information manually in Server Admin, you can use the zone file directly with Mac OS X Server. Using an existing zone file requires root access permissions on the BIND configuration file (/etc/named.conf) and the working zone directory (/var/named/), basic knowledge of BIND 9 and proficiency with the Terminal application. Otherwise, it is strongly recommended that you use the DNS tools in Server Admin.
To import a zone file:
1 Add the zone directive to BIND’s configuration file, /etc/named.conf. You must have root privileges to modify named.conf. For a zone “xyz.com” described in a zone file “db.xyz.com” in the working zone directory “/var/named/”, the directive looks roughly like this:
zone "xyz.com" IN {           // Forward lookup zone for xyz.com
    type master;              // This is a primary zone
    file "db.xyz.com";        // Data stored in /var/named/db.xyz.com
    allow-update { none; };
};
2 Make sure the zone file has been added to the working zone directory (/var/named/).
3 Restart DNS service using Server Admin.
Managing DNS Computer Records
Each zone contains a number of records. These records are requested when a client computer needs to convert a domain name (such as www.exemple.com) into an IP number. Web browsers, mail clients and other network applications rely on the zone’s records to reach the right server. The records of the primary zone will be consulted by other users who want to connect to your network services over the Internet.
There are several kinds of DNS records. The records that can be configured through the Server Admin user interface are:
• Address (A): stores the IP address associated with a domain name.
• Canonical Name (CNAME): stores an alias associated with a server’s “real” name. For example, mail.apple.com could be an alias for a computer with the “real” canonical name MailSrv473.apple.com.
• Mail Exchanger (MX): contains the domain name of the computer used for a zone’s email.
• Name Server (NS): contains the authoritative name server for a given zone.
• Pointer (PTR): contains the domain name of a given IP address (reverse lookup).
• Text (TXT): contains a text string returned in response to a DNS query.
• Service (SRV): stores information about the services a computer provides.
• Hardware Info (HINFO): stores information about a computer’s hardware and software.
If you need access to other record types, you will have to edit BIND’s configuration files manually. For details, see the BIND documentation.
Mac OS X Server simplifies the creation of all these records by focusing on the computer added to the zone rather than on the records themselves. When you add a computer record to a zone, Mac OS X Server creates all the appropriate zone records that resolve to a given computer address. With this model, you can concentrate on what your computers do in your domain rather than on the record types that apply to their functions.
Adding a Computer Record to a DNS Zone
You must add records for each computer the DNS primary zone is responsible for. You must not add records for computers that this zone does not control. Computer records are tied to the computer’s IP address.
That is why there can be only one computer per IP address: there cannot be duplicate IP addresses within a single zone.
To add a computer record to a DNS zone:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone to which this record should be added.
5 Click the Edit ( / ) button below the Zones list.
6 Select the Computers tab.
7 Click the Add ( + ) button below the Zones list.
8 Enter the computer’s IP address.
9 Enter the computer’s host name. This field is the basis of the computer’s A record. Reverse lookup pointer records are created automatically for the computer. Below the host name, you can see the computer’s fully qualified domain name as it will appear.
10 Click the Add ( + ) button next to the Aliases box to add any other names for this computer. This field is the basis of the computer’s CNAME records. Reverse lookup pointer records are created automatically for the computer. Add as many aliases as you wish.
11 If the computer is a mail server for the zone, select the checkbox indicated. This field is the basis of the computer’s MX record. If you select this checkbox, set a priority number for the mail server. Delivering mail servers first attempt to deliver their mail to the mail servers with the lowest numbers. For more information, see “Setting Up MX Records” on page 57.
12 Enter any information about the computer’s hardware and software in the appropriate fields. This field is the basis of the computer’s HINFO record.
13 Enter any comment about the computer in the Comments field. This field is the basis of the computer’s TXT record. You can store practically any 7-bit ASCII text string in the Comments field (up to 255 ASCII characters). For example, you can enter the physical location of the computer (for example, Server, 1st floor, cabinet B), the name of the computer’s owner (for example, John’s computer) or any other information about the computer that you want to record.
14 Click OK, then click Save.
Modifying a Computer Record in a DNS Zone
If you change the domain namespace frequently, you will need to update the DNS records after each change to the namespace. A hardware upgrade or any addition to a domain name may also require updating the DNS records. You can duplicate a record and then modify it to save time during configuration.
To modify a record:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone that contains the computer record to modify.
5 Click the Edit ( / ) button below the Zones list.
6 Select the Computers tab.
7 Select the record to modify.
8 Click the Edit ( / ) button below the Computers list.
9 Make the necessary changes to the record.
10 Click OK.
Deleting a Computer Record from a DNS Zone
You must delete records when a computer is no longer associated with a domain name or a usable address.
To delete a record:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone from which the record is to be deleted.
5 Click the Edit ( / ) button below the Zones list.
6 Select the Computers tab.
7 Select the record to delete.
8 Click the Delete ( - ) button below the Records list.
9 Click Save to confirm the deletion.

Monitoring DNS
It is advisable to monitor DNS status in order to troubleshoot name resolution problems, check how heavily the DNS service is used, and verify that the DNS service is not being used maliciously or illicitly. This section covers common DNS monitoring tasks.

Viewing DNS Service Status
You can check the DNS Status window to see:
• Whether the service is running.
• The version of BIND (the underlying DNS software) in use.
• When the service was started and stopped.
• The number of zones allocated.
• Whether logging is enabled.
To view DNS service status:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Click the Overview button to see general information about the DNS service.

Viewing DNS Log Entries
The DNS service creates entries in the system log for error and alert messages. The log view is named.log. You can further narrow the entries shown using the text filter field.
To view DNS log entries:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Click Log.
3 Use the filter field to further reduce the log entries displayed.

Changing the DNS Log Detail Level
You can change the level of detail of the DNS service log. You can use either a very detailed log for debugging or a less detailed log that shows only critical warnings.
To change the log detail level:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Choose the desired detail level from the Log Level pop-up menu.
The available log levels are:
• Critical (least detailed)
• Error
• Warning
• Notice
• Information
• Debug (most detailed)

Changing the DNS Log File Location
You can change the location of the DNS service log. It is advisable to place it somewhere other than the default path.
To change the log file location:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Enter the new path for the DNS service log file, or select it using the Browse button.
If no path is entered, the default location is /Bibliothèque/Logs/named.log.

Securing the DNS Server
DNS servers are not only queried by other legitimate Internet servers; they are also the target of malicious users (commonly called "hackers"). DNS servers are exposed to attacks of several kinds. By taking extra precautions, you can prevent the problems and downtime these malicious users cause.
There are several kinds of security abuse associated with the DNS service:
• DNS spoofing
• Server mining
• DNS service profiling
• Denial of Service (DoS)
• Service piggybacking

DNS Spoofing
DNS spoofing consists of adding false data to the DNS server's cache. This allows attackers to do the following:
• Redirect requests for a real domain name to other IP addresses.
For example, a forged A record for a bank can direct a user's browser to another IP address controlled by the attacker. On the duplicated site, the user will reveal their account number and password to the attacker. Likewise, a forged mail record can let an attacker intercept messages sent to and from a domain. If the attacker forwards those messages on to the correct mail server after copying them, this can go unnoticed indefinitely.
• Hinder domain name resolution and Internet access.
This is the most benign DNS spoofing attack. It causes a DNS server malfunction that is barely noticeable.
The most effective way to guard against these attacks is vigilance. This includes keeping software up to date and checking DNS records regularly. Exploits have been found in the current version of BIND. These exploits have been corrected and a security update is available for Mac OS X Server. Apply all patches of this kind. Regular checks of your DNS records can also help prevent these attacks.

Server Mining
Server mining is the practice of obtaining a copy of an entire primary zone by requesting a zone transfer. The attacker poses as a secondary zone of another primary zone and requests a copy of all the records in your primary zone. With a copy of your primary zone, the attacker can see what kinds of services the domain offers, along with the IP addresses of the servers that provide those services. The attacker can then mount specific attacks based on those services. This is reconnaissance before another attack.
To counter this type of attack, you must specify the IP addresses that are allowed to request zone transfers (your secondary zone servers) and reject all others. Zone transfers are done over TCP on port 53. Limiting zone transfers blocks all transfer requests except those coming from your secondary DNS servers.
To specify the IP addresses allowed to request a zone transfer:
• Create a firewall filter that allows only IP addresses inside your firewall to access TCP port 53.
Follow the instructions in "Creating an Advanced IP Firewall Rule" in Chapter 4, "IP Firewall Service". Use the following settings:
• allow the packet;
• port 53;
• protocol TCP;
• source IP is the IP address of your secondary DNS server;
• destination IP is the IP address of your primary DNS server.

DNS Service Profiling
Another reconnaissance technique commonly used by malicious users is profiling your DNS service. The attacker begins by requesting the BIND version. The server reports the version of BIND it is running. The attacker then compares the response against the known exploits and weaknesses of that version of BIND.
To guard against this attack, you can configure BIND to respond with false information.
To fake the BIND version response:
1 Launch a command-line text editor (such as vi, emacs, or pico).
2 Open named.conf for editing.
3 Add the following text inside the "options" braces of the configuration file:
    version "[your text, for example 'not disclosed!']";
4 Save the configuration file.

Denial of Service (DoS)
This type of attack is very common and very easy to launch.
An attacker sends so many requests and service queries that the server must spend all its processing power and network bandwidth trying to answer them. The attacker thus blocks normal use of the service by saturating it.
It is difficult to prevent this type of attack before it appears. Continuous monitoring of the DNS service and of the server load can allow the administrator to detect the attack quickly and so limit its harmful effects.
The easiest way to guard against this attack is to block the responsible IP address with your firewall. See "Creating an Advanced IP Firewall Rule" on page 78. Unfortunately, this means the attack is already under way, the attacker's requests are being processed, and the activity has already been logged.

Service Piggybacking
This attack is rarely the work of attackers, but rather of ordinary Internet users. They feel that the DNS response time through their own Internet service provider is too slow. They learn this trick from other users. These Internet users configure their computer to query another DNS server instead of their ISP's. As a result, many more users than expected will access the DNS server.
You can guard against this by limiting or disabling DNS recursion. If you plan to offer DNS service to the users on your LAN, they will need recursion to resolve domain names, but it is better not to offer this service to just any Internet user. To block recursion entirely, see "Enabling or Disabling Recursion" on page 44.
The best solution is to allow recursion for requests coming from the IP addresses in your range, but to refuse recursion to external addresses.
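The three named.conf settings this section relies on (a replaced version string against profiling, an allow-transfer list against server mining, and an allow-recursion list against piggybacking) are easy to get wrong by omission, because BIND treats an absent statement as "no restriction". The following Python script is an added example, not part of the Apple guide and not BIND's own code: it pulls those three statements out of an options block, reports which of the section's weaknesses are left open, and evaluates an address match list the way BIND does (first matching element decides, a leading "!" negates, no match means deny). The two configuration texts are constructed for this example; the 192.168.1.0/27 range is the one the guide uses as its placeholder, and the check on 192.168.1.40 shows that a /27 ends at .31.

```python
# Added example, not from the Apple guide: audit the named.conf hardening points
# discussed in this section (version string, zone-transfer ACL, recursion ACL)
# and evaluate a BIND address match list for a client address.
# Both configuration texts below are constructed for this example.
import ipaddress
import re

# Constructed sample: an "options" block of the kind the guide tells you to edit.
HARDENED_CONF = """
options {
    directory "/var/named";
    version "not disclosed!";
    allow-transfer { 192.0.2.53; };
    allow-recursion { 127.0.0.0/8; 192.168.1.0/27; };
};
zone "exemple.com" { type master; file "exemple.com.zone"; };
"""

# Constructed sample: none of the three statements present.
DEFAULT_CONF = """
options {
    directory "/var/named";
};
"""


def extract_block(conf_text, name):
    """Return the text inside the braces of the first `name { ... }` block,
    tracking nested braces so inner statements such as allow-recursion { }
    do not end the block early. None if the block is absent."""
    start = re.search(r"\b%s\s*\{" % re.escape(name), conf_text)
    if not start:
        return None
    open_pos = start.end() - 1
    depth = 0
    for j in range(open_pos, len(conf_text)):
        if conf_text[j] == "{":
            depth += 1
        elif conf_text[j] == "}":
            depth -= 1
            if depth == 0:
                return conf_text[open_pos + 1:j]
    return None


def parse_options(conf_text):
    """Pull the three settings this section is about out of the options block.
    ACLs come back as lists of address-match-list elements; absent = None."""
    opts = {"version": None, "allow-transfer": None, "allow-recursion": None}
    body = extract_block(conf_text, "options")
    if body is None:
        return opts
    m = re.search(r'\bversion\s+"([^"]*)"\s*;', body)
    if m:
        opts["version"] = m.group(1)
    for key in ("allow-transfer", "allow-recursion"):
        m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % key, body)
        if m:
            opts[key] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return opts


def acl_matches(elements, client_ip):
    """Evaluate a BIND address match list: the first element that matches
    decides, a leading '!' negates it, and no match at all means deny."""
    ip = ipaddress.ip_address(client_ip)
    for element in elements:
        negated = element.startswith("!")
        token = element.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        elif token == "localhost":
            hit = ip.is_loopback
        else:
            hit = ip in ipaddress.ip_network(token, strict=False)
        if hit:
            return not negated
    return False


def recursion_allowed(conf_text, client_ip):
    """Would this server recurse for client_ip? With no allow-recursion
    statement there is nothing to restrict, which this section treats as
    recursion open to any Internet user."""
    acl = parse_options(conf_text)["allow-recursion"]
    return True if acl is None else acl_matches(acl, client_ip)


def audit(conf_text):
    """Return the weaknesses from this section that the options block leaves open."""
    opts = parse_options(conf_text)
    findings = []
    if opts["version"] is None:
        findings.append("version: real BIND version is disclosed (service profiling)")
    if opts["allow-transfer"] is None or "any" in opts["allow-transfer"]:
        findings.append("allow-transfer: any host may copy the zone (server mining)")
    if opts["allow-recursion"] is None or "any" in opts["allow-recursion"]:
        findings.append("allow-recursion: open recursion (service piggybacking)")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
    # 192.168.1.0/27 covers .0 to .31 only, so .40 is outside the internal range.
    for client in ("127.0.0.1", "192.168.1.5", "192.168.1.40", "203.0.113.7"):
        print(client, "recursion:", recursion_allowed(HARDENED_CONF, client))
```

The parser is deliberately limited to the statements the section names; it is a check to run against your own named.conf before restarting the service, not a replacement for BIND's named-checkconf.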
BIND lets you specify this option in the named.conf configuration file. Modify your named.conf file by adding:

    options {
        ...
        allow-recursion {
            127.0.0.0/8;
            [your internal IP address range, such as 192.168.1.0/27];
        };
    };

For more information, see the BIND documentation.

Common Network Administration Tasks That Use the DNS Service
The following sections describe some common network administration tasks that require the DNS service.

Configuring MX Records
If you plan to offer mail service on your network, you must configure the DNS service so that incoming mail is sent to the appropriate mail host. When you set up mail service, you define a series of hosts called mail exchangers, or MX hosts, with varying priorities. The host with the highest priority receives the mail first. If it is not available, the one with a slightly lower priority receives the mail, and so on.
For example, suppose the mail server's host name is "fiable" in the domain "exemple.com". Without an MX record, users' email addresses would include the mail server's name, for example:
nom@fiable.exemple.com
If you wanted to change the mail server or redirect mail, you would have to inform potential senders of the change to your users' addresses. Alternatively, you can create an MX record for each domain your mail server supports and then route the mail to the appropriate computer.
When you set up an MX record, you must include a list of all the computers that can receive mail for a domain. That way, if the server is busy or down, the mail is sent to another computer.
A priority number (order number) is assigned to each computer in the list. The computer with the lowest number is tried first. If that computer is not available, the system moves on to the next number, and so on. When a computer is available, it collects the mail and passes it to the main mail server once that server is reachable, so that it can handle mail distribution.
Here is an example list:
    exemple.com
    10 fiable.exemple.com
    20 sauvegarde.exemple.com
    30 dernier-ressort.exemple.com
MX records are also used for outgoing mail. When your server sends mail, it examines the MX records to find out whether the destination is local or on the Internet. The same process then repeats in reverse. If the destination's main server is not available, your mail server tries to contact every computer in the destination's MX list until one of them accepts the mail.
Note: if you do not enter the MX information correctly in your DNS server, the mail service will not work.

Configuring DNS for Mail Service
Configuring DNS for mail service consists of creating Mail Exchange (MX) records in DNS for your mail servers. If you use your Internet service provider's (ISP's) DNS service, you must contact your ISP to have your MX records enabled. Perform the following steps only if you provide your own DNS service.
You may need to set up several servers for redundancy. If so, you will need to create an MX record for each auxiliary server.
To enable MX records for your mail server:
1 In Server Admin, choose DNS from the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone to which this record is to be added.
5 Click the Edit ( / ) button below the Zones list.
6 Select the Computers tab.
7 Click the Add ( + ) button below the Computers list.
8 Enter the computer's IP address.
9 Enter the computer's host name.
This field is the basis of the CNAME record and the computer's first A record. Reverse-lookup pointer records are created automatically for the computer. Below the host name, you will see what the computer's fully qualified domain name will be.
10 Click the Add ( + ) button next to the Alias box to add any other names for this computer.
This field is the basis of the computer's additional A records. Reverse-lookup pointer records are created automatically for the computer. Add as many aliases as you like.
11 Select the mail server checkbox labeled "This computer is a mail server for the zone".
This field is the basis of the computer's MX record.
12 Enter a mail server order number.
Delivering mail servers first try to deliver mail to the mail servers with the lowest numbers.
13 Enter any information about the computer's hardware and software in the appropriate boxes.
This field is the basis of the computer's HINFO record.
14 Enter any comment about the computer in the Comments box.
This field is the basis of the computer's TXT record. You can store almost any text string in the Comments field. For example, you can enter the computer's physical location (for example, "Server, 1st floor, cabinet B"), the name of the computer's owner (for example, "John's computer"), or any other information about the computer that you want to record.
15 Click OK.
16 Repeat steps 7 through 15 for each mail server, making sure that each one has a distinct order number.
17 Click Save.

Configuring a Namespace Behind a NAT Gateway
If you are behind a Network Address Translation (NAT) gateway, you have a special set of IP addresses that are usable only within the NAT environment. If you were to assign a domain name to these addresses outside the NAT gateway, no domain name would resolve to the right computer. See Chapter 5, "NAT Service", on page 99 for more information about network address translation.
You can, however, run a DNS service behind the gateway by assigning host names to the NAT IP addresses. That way, if you are behind the NAT gateway, you can enter domain names instead of IP addresses to reach servers, services, and workstations.
Your DNS server must also have a forwarding zone to send DNS queries outside the NAT gateway, so that names outside the area covered by the router can be resolved. Your clients' network settings must list the DNS server located behind the NAT gateway. Setting up one of these networks is the same as setting up a private network. For details, see "Linking a LAN to the Internet via an IP address" on page 106.
If you choose to do this, names entered by users outside the NAT gateway will not resolve to addresses behind it.
You must set up the DNS records outside the area covered by the NAT gateway so that they point to the NAT gateway, and use NAT port forwarding to reach the computers behind the NAT gateway. For more information about port forwarding, see "Configuring Port Forwarding" on page 103.
The multicast DNS feature of Mac OS X lets you use host names on your local subnet ending in the ".local" extension without having to enable DNS. Any service or device that supports multicast DNS allows a user-defined namespace on the local subnet without the need to install and configure DNS.

Network Load Distribution (Round Robin)
BIND lets you distribute load simply, using an address rotation method called round robin. You set up a pool of IP addresses for several hosts that have the same content, and BIND rotates the order of the addresses when answering queries. Round robin does not monitor server load or processing power. It simply rotates the order of a list of addresses for a given host name.
You enable round robin by adding several IP address entries for a given host name to your zone data file.
For example, suppose you want to distribute web server traffic among three servers on your network that have the same content. Suppose these servers have the IP addresses 192.168.12.12, 192.168.12.13, and 192.168.12.14. You would add three computer records with three IP addresses, all with the same domain name.
When the DNS service encounters several entries for a host, its default behavior is to answer queries by sending this list in a cyclic order. The first query gets the addresses in the order A, B, C. The next gets them in the order B, C, A, the one after that in the order C, A, B, and so on.
It is recommended that you give the zone a low TTL value to reduce the effects of local caching.

Configuring a Private TCP/IP Network
If your LAN has an Internet connection, you must configure your server and client computers with IP addresses and other Internet-specific information. These IP addresses are assigned to you by your Internet service provider (ISP).
If your LAN is unlikely ever to be connected to the Internet and you want to use the TCP/IP protocol to transmit information on your network, you can set up a "private" TCP/IP network. When you set up a private network, you must choose your IP addresses from the address blocks that the IANA (Internet Assigned Numbers Authority) reserves for private networks (intranets):
• 10.0.0.0 to 10.255.255.255 (10/8 prefix)
• 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
Important: if you think you may need to connect to the Internet in the future, you should register with an Internet registry and use the IP addresses supplied by the registry when setting up your private network. Otherwise, you will have to reconfigure every networked computer when you connect to the Internet.
When you set up a private TCP/IP network, you can also provide DNS service.
If you set up the TCP/IP protocol and the DNS service on your LAN, your users can easily access files, the web, mail, and the other services on your network.

Hosting Several Internet Services at a Single IP Address
You can have one server provide all your Internet services (email, web). All these services can indeed run on a single computer with a single IP address. For example, you may want the domain name www.exemple.com to resolve to the same IP address as ftp.exemple.com or courrier.exemple.com. Although it appears to be several servers to anyone accessing the services, it is really a single server at a single IP address.
Configuring the DNS records for this is simple. You only need to add aliases to the computer's DNS record. Configuring DNS names for these services does not enable or configure the services; it only provides easy-to-remember names for the various services offered. This can make it easier to configure the client software for each service. For example, for each service you want to expose:
• create mail.exemple.com for entry in mail clients; make sure you have selected the mail server checkbox in the Computer pane;
• create www.exemple.com for entry in web browsers;
• create afp.exemple.com for Apple File Sharing in the Finder;
• create ftp.exemple.com for entry in FTP clients.
As your needs grow, you can add other computers to the network to take over these services. Then all you need to do is remove the alias from the computer's DNS record and create a record for the new computer; your client settings can stay unchanged.
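The procedures in this chapter describe the computer record field by field (host name and IP address, aliases, the mail server checkbox and order number, hardware and software, comments) and say which resource record each field produces, but they never show the resulting records side by side. The Python script below is an added example, not part of the Apple guide and not Server Admin's code: it maps a computer record onto A, PTR, CNAME, MX, HINFO and TXT records following the first procedure's field descriptions, enforces the 7-bit ASCII, 255-character limit the guide gives for the Comments field, replays the mail-exchanger order for the guide's three-server MX list, and shows the A, B, C / B, C, A / C, A, B rotation of the round-robin section for a name carrying three addresses. The ComputerRecord class, all host names other than the guide's own (fiable, sauvegarde, dernier-ressort, exemple.com), all IP addresses and the comment text are constructed for this example.

```python
# Added example, not from the Apple guide: build the resource records that the
# fields of a Server Admin "computer record" stand for (A, PTR, CNAME, MX, HINFO,
# TXT), replay the mail-exchanger order from the resulting MX set, and show the
# round-robin rotation BIND applies when one name has several A records.
# The ComputerRecord class and all sample data below are constructed for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ComputerRecord:
    """One entry in a zone's Computers list, field by field as the guide describes it."""
    host: str                                         # host name field -> A record
    ip: str                                           # IP address field -> A + automatic PTR
    aliases: List[str] = field(default_factory=list)  # Alias box -> CNAME records
    mail_server: bool = False                         # "mail server for the zone" checkbox -> MX
    mail_order: int = 10                              # order number: lowest is tried first
    hardware: str = ""                                # HINFO
    software: str = ""                                # HINFO
    comment: str = ""                                 # Comments field -> TXT


def txt_rdata(comment):
    """Apply the Comments-field limits the guide states: 7-bit ASCII, at most 255 characters."""
    if len(comment) > 255 or any(ord(ch) > 127 for ch in comment):
        raise ValueError("TXT comment must be 7-bit ASCII and at most 255 characters")
    return '"%s"' % comment.replace('"', '\\"')


def reverse_name(ip):
    """192.168.12.2 -> 2.12.168.192.in-addr.arpa., the owner name of the automatic PTR."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def zone_records(zone, computers):
    """Translate computer records into (owner, type, rdata) tuples for the zone."""
    def fqdn(label):
        return "%s.%s." % (label, zone)

    records = []
    for c in computers:
        records.append((fqdn(c.host), "A", c.ip))
        records.append((reverse_name(c.ip), "PTR", fqdn(c.host)))
        for alias in c.aliases:
            records.append((fqdn(alias), "CNAME", fqdn(c.host)))
        if c.mail_server:
            records.append((zone + ".", "MX", "%d %s" % (c.mail_order, fqdn(c.host))))
        if c.hardware or c.software:
            records.append((fqdn(c.host), "HINFO", '"%s" "%s"' % (c.hardware, c.software)))
        if c.comment:
            records.append((fqdn(c.host), "TXT", txt_rdata(c.comment)))
    return records


def mx_delivery_order(records, zone):
    """The order a sending mail server tries the zone's exchangers: lowest number first."""
    exchangers = [rdata.split(None, 1) for owner, rtype, rdata in records
                  if rtype == "MX" and owner == zone + "."]
    return [host for pref, host in sorted(exchangers, key=lambda p: int(p[0]))]


def round_robin_answers(records, name, queries):
    """Successive answers for a name with several A records: A,B,C then B,C,A then C,A,B."""
    addrs = [rdata for owner, rtype, rdata in records if rtype == "A" and owner == name]
    return [addrs[i % len(addrs):] + addrs[:i % len(addrs)] for i in range(queries)]


# Constructed sample zone: the guide's three-exchanger MX list, one host carrying
# the service aliases from this section, and a three-server web pool.
SAMPLE_COMPUTERS = [
    ComputerRecord("fiable", "192.168.12.2", mail_server=True, mail_order=10,
                   hardware="Xserve", software="Mac OS X Server",
                   comment="Server, 1st floor, cabinet B"),
    ComputerRecord("sauvegarde", "192.168.12.3", mail_server=True, mail_order=20),
    ComputerRecord("dernier-ressort", "192.168.12.4", mail_server=True, mail_order=30),
    ComputerRecord("serveur", "192.168.12.10", aliases=["ftp", "afp", "courrier"]),
    ComputerRecord("www", "192.168.12.12"),
    ComputerRecord("www", "192.168.12.13"),
    ComputerRecord("www", "192.168.12.14"),
]

if __name__ == "__main__":
    recs = zone_records("exemple.com", SAMPLE_COMPUTERS)
    for owner, rtype, rdata in recs:
        print("%-34s IN %-6s %s" % (owner, rtype, rdata))
    print(mx_delivery_order(recs, "exemple.com"))
    print(round_robin_answers(recs, "www.exemple.com.", 3))
```

Because every alias is emitted as a CNAME pointing at the single host name, retiring the shared server later is the one-line change the section describes: drop the alias from that record and give the new computer its own record, and clients keep the service name they were configured with.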
Hosting Several Domains on the Same Server
You can have one server provide all your Internet services (email, web) for several different domain names. For example, you may need the domain name www.exemple.com to resolve to the same IP address as www.exemple.org. Although it appears to be several servers to anyone accessing the domain, it is really a single server at a single IP address.
Configuring the DNS records for this is simple. You just add aliases for the other domain names in the computer DNS record pane of the main server. Configuring DNS names for these services does not enable or configure the services for these domains. It is used in conjunction with virtual domain hosting in the mail and web services.

Where to Find More Information
For more information about DNS and BIND, see:
• DNS and BIND, 4th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2001)
• the International Software Consortium website at www.isc.org and www.isc.org/products/BIND/
• the DNS Resources Directory at www.dns.net/dnsrd/

RFC Documents
Request for Comments (RFC) documents give an overview of a protocol or service and describe in detail how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in the RFCs. If you are an experienced server administrator, you will find all the technical details about a particular protocol in the corresponding RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.
• A, PTR, CNAME, MX: for more information, see RFC 1035.
• AAAA: for more information, see RFC 1886.

4 IP Firewall Service
The firewall service is software that protects the network applications running on your Mac OS X Server. Enabling the firewall service is like building a wall to limit access to your server. The IP firewall service examines incoming IP packets and refuses or accepts them according to the rules you have created. You can limit access to any IP service running on the server and customize the rules for all incoming clients or for a range of client IP addresses.
The illustration below shows an example of the firewall service. Services such as web and FTP are identified on your server by a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port number. When a computer tries to connect to a service, the firewall service examines the rule list looking for a matching port number.
[Figure: a computer with the IP address 10.221.41.33 tries to connect to the server over the Internet on port 80. The server searches its existing rules: Is there a rule for port 80? Is there a rule containing the IP address 10.221.41.33? It looks for the "Any port" rule with the smallest range that still includes 10.221.41.33. If no rule matches, the connection is refused; if one does, what that rule specifies decides: Allow, and the connection is established, or Deny, and the connection is refused.]
When a packet arrives at a network interface and the firewall is enabled, the packet is compared with each rule, starting with the lowest-numbered rule, that is, the one with the highest priority. When a rule matches the packet, the action specified in the rule (for example, allow or deny) is carried out. Then, depending on the action, further rules may be checked.
The rules you create are applied to TCP packets and, optionally, to UDP packets. You can also set up rules to limit the ICMP (Internet Control Message Protocol) or IGMP (Internet Group Management Protocol) protocols by creating advanced rules.
Important: the first time you start the firewall service, only the ports essential for remote administration of the server are open, including Secure Shell (22) and several others. Additional ports are opened dynamically to allow specific responses to requests initiated by the server. If you want to allow remote access to other services on your computer, you must open additional ports. You can do this in the Services section of the Settings pane.
If you plan to share data over the Internet and you do not have a dedicated router or firewall to protect your data from unauthorized access, you should use the firewall service. This service works well for small and medium-sized businesses, schools, and small or home offices. Large organizations that already have a firewall can use the firewall service to control their servers more precisely. For example, individual workgroups within a company, or schools that are part of a school network, can use the firewall service to control access to their servers.
The IP firewall also provides stateful packet filtering, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session, and so allows packets that would otherwise have been refused.
Basic Firewall Practices
By default, Mac OS X Server uses a simple model to establish a firewall that is both secure and practical. If a firewall is too restrictive, the network behind it risks being isolated. If a firewall is too permissive, it does not protect what is behind it from intrusion. Following the three aspects of the basic model allows maximum flexibility and usability with minimum risk.

Allowing Essential IP Activity
Essential IP activity means the network activity required to use IP and to operate within an IP environment. This activity covers operations such as loopback and is expressed as high-priority (low-numbered) rules that are visible in the Advanced pane of the firewall settings. They are configured automatically.

Allowing Service-Specific Activity
Service-specific activity refers to network packets destined for ports specific to a service, for example the web service or the mail service. By allowing traffic to the ports associated with specific, configured services, you grant access through the firewall service by service. This activity is expressed as medium-priority rules and corresponds to checkboxes in the Services pane of the firewall settings. You can make these changes yourself according to your settings and your address groups.

Denying All Packets Not Already Allowed
This is what is done with everything that remains. If a packet, or traffic to a port, is not solicited, the packet is rejected and is not allowed to reach its destination.
This is expressed as low-priority (high-numbered) rules that are visible in the Services pane of the firewall settings. A basic set of deny rules for the firewall is created by default.

Starting the Firewall
Although the firewall is treated as a service by the Server Admin application, it is not implemented by a process running like the other services. It is simply a set of behaviors in the kernel, controlled by the ipfw and sysctl tools.
To start and stop the firewall, the Server Admin application sets a switch with the sysctl tool. When the computer starts up, a startup item named IPFilter checks the "IPFILTER" flag in the /etc/hostconfig file. If it is set, the sysctl tool is used to enable the firewall as follows:
    sysctl -w net.inet.ip.fw.enable=1
Otherwise, it disables the firewall as follows:
    sysctl -w net.inet.ip.fw.enable=0
Note that the rules loaded into the firewall remain there regardless of this setting. They are simply ignored while the firewall is disabled.
Like most startup items, the IPFilter startup item starts in a predetermined order and only after certain other startup items have finished starting. In Mac OS X Server 10.4, the login window is presented while startup items are still running. It is therefore possible to log in while the firewall has not yet been configured according to its settings. The startup item that configures the firewall generally finishes its work a few minutes after system startup completes.
Understanding firewall rules

When you start the firewall service, the default configuration denies access to all incoming packets from remote computers, except on the ports needed for remote configuration. This provides a high level of security. Dynamic rules are also in place, so that replies to outgoing requests initiated by your server are allowed as well. You can then add IP rules to let the clients that need your services reach the server. To learn how IP rules work, read the next section. To learn how to create IP rules, see "Managing the firewall service" on page 74.

What is a firewall rule?
A firewall rule is a set of characteristics of an IP packet together with an action to take for every packet that matches those characteristics. The characteristics can include the source or destination address, the source or destination port, the protocol, or the network interface. Addresses can be expressed as a single IP address or as a range of addresses. A service port can be expressed as a single value, a list of values, or a range of values. Together, the IP address and the subnet mask determine the range of IP addresses the rule applies to; a rule can also be configured to apply to all addresses.

IP address
IP addresses consist of four segments with values from 0 to 255 (the range of an 8-bit number), separated by periods (for example, 192.168.12.12).
The segments of an IP address run from general to specific (for example, the first segment may be shared by every computer in a company, while the last segment designates a specific computer on a given floor of a building).

Subnet mask
A subnet mask indicates which segments of the specified IP address can vary on a given network, and by how much. The subnet mask is given in CIDR (Classless Inter-Domain Routing) notation: the IP address followed by a slash (/) and a number from 1 to 32 called the IP prefix. The IP prefix is the number of significant bits used to identify the network. For example, 192.168.2.1/16 means that the first 16 bits (the first two dotted numbers) represent the network, so every machine on the network starts with 192.168, and the remaining 16 bits (the last two dotted numbers) identify the hosts (each machine has a unique pair of numbers).

Subnet masks can also be given in a second notation: the IP address followed by a colon (:) and the netmask. A netmask is a group of four numbers from 0 to 255 separated by periods, the decimal equivalent of the significant bits of the CIDR notation. Addresses with subnet masks in CIDR notation correspond to the netmasks shown in the following table.
CIDR   Corresponding netmask   Addresses in range
/1     128.0.0.0               2147483648
/2     192.0.0.0               1073741824
/3     224.0.0.0               536870912
/4     240.0.0.0               268435456
/5     248.0.0.0               134217728
/6     252.0.0.0               67108864
/7     254.0.0.0               33554432
/8     255.0.0.0               16777216
/9     255.128.0.0             8388608
/10    255.192.0.0             4194304
/11    255.224.0.0             2097152
/12    255.240.0.0             1048576
/13    255.248.0.0             524288
/14    255.252.0.0             262144
/15    255.254.0.0             131072
/16    255.255.0.0             65536
/17    255.255.128.0           32768
/18    255.255.192.0           16384
/19    255.255.224.0           8192
/20    255.255.240.0           4096
/21    255.255.248.0           2048
/22    255.255.252.0           1024
/23    255.255.254.0           512
/24    255.255.255.0           256
/25    255.255.255.128         128
/26    255.255.255.192         64
/27    255.255.255.224         32
/28    255.255.255.240         16
/29    255.255.255.248         8
/30    255.255.255.252         4
/31    255.255.255.254         2
/32    255.255.255.255         1

(A /n prefix covers exactly 2^(32-n) addresses; the counts above are the exact values.)

Using address ranges
When you create an address group with Server Admin, you enter an IP address and a subnet mask in CIDR format. All three address notations are accepted:
• A single address: 192.168.2.1
• A range in CIDR notation: 192.168.2.1/24
• A range in netmask notation: 192.168.2.1:255.255.255.0

Server Admin displays the resulting address range, which you can change by editing the subnet mask. When you specify a range of possible values for any segment of the address, that segment is called a wildcard. The table of examples below shows address ranges created for specific purposes.

Rule mechanism and priority
The rules in the Services list of the Settings > General pane work together with the rules shown in the Advanced pane. Generally, the broad rules in the Advanced pane block access to all ports. They are low-priority (high-numbered) rules that take effect after the rules from the General pane.
Rules created with the General pane open access to specific services and have a higher priority; they take precedence over rules created in the Advanced pane. If you create several rules in the Advanced pane, their order is determined by the rule number, that is, by the position of the rule in the Advanced pane list. You can change the order by dragging a rule within the list. For most normal uses, opening access to the services listed in the General pane is sufficient. If needed, you can add further rules with the Advanced pane, creating and ordering them as required. Because the firewall applies the first rule that matches a packet, a broad deny rule dragged above a service rule silently overrides that service rule; after saving, confirm the resulting order in the Active Rules pane.

Goal                                                                      Example IP address   Enter in the address field          Resulting address range
Create a rule for a single IP address                                     10.221.41.33         10.221.41.33 or 10.221.41.33/32     10.221.41.33 (single address)
Create a rule that leaves the fourth segment as a wildcard                10.221.41.33         10.221.41.33/24                     10.221.41.0 to 10.221.41.255
Create a rule that leaves part of the third segment and all of the        10.221.41.33         10.221.41.33/22                     10.221.40.0 to 10.221.43.255
fourth segment as a wildcard
Create a rule that applies to all incoming addresses                      (none)               Select "Any"                        All IP addresses

Multiple IP addresses
A server can handle several IP addresses at once, but the firewall service applies a single set of rules to all of the server's IP addresses. If you create several IP address aliases, the rules you create apply to all of those addresses.

Initial setup of the firewall service
Once you have decided which rules to create, follow the overall steps below to configure the firewall service.
For additional help on any of these steps, see "Managing the firewall service" on page 74 and the other topics referenced in the steps.

Step 1: Learn and plan
If this is the first time you have worked with the IP firewall, learn and understand the firewall concepts, tools, and features of Mac OS X Server and of ipfw. For details, see "Understanding firewall rules" on page 68. Then plan your IP firewall service by deciding which services you want to give access to. Mail, web, and FTP services generally require access from computers on the Internet. File and print services will most likely be restricted to your local subnet. After you have decided which services to protect with the firewall service, determine which IP addresses you want to allow to access your server and which you want to deny. Then create the appropriate rules.

Step 2: Start the firewall service
In Server Admin, select Firewall and click Start Service. By default, this blocks all incoming ports except those used to configure the server remotely. If you are configuring the server locally, turn off external access immediately.

Important: if you add or change a rule after starting the firewall service, the new rule affects connections already established with the server.
For example, if you deny all access to your FTP server after starting the firewall service, computers already connected to your FTP server are disconnected.

Step 3: Create an IP address group for the rules to apply to
By default, an address group is created for all incoming IP addresses. Rules applied to this group handle all incoming network traffic. For details, see "Creating an address group" on page 74.

Step 4: Enable service rules for each address group
In the General pane, enable the per-service rules (destination ports) you want to open for each address group. For more information on enabling service rules, see "Opening the firewall for standard services" on page 76.

Step 5: Create advanced rules (optional)
Read "Understanding firewall rules" on page 68 to learn how IP rules work. Use advanced rules to configure any other services, to further secure your network, and to fine-tune the traffic through the firewall. By default, all UDP is blocked except packets replying to an outgoing request. Apply rules to UDP ports sparingly, because denying certain UDP replies can prevent normal network operation. If you do apply rules to UDP ports, do not select the "Log all allowed packets" option in Server Admin's rule configuration windows. Because UDP is a connectionless protocol, every packet sent to a UDP port is logged when that option is selected, which can fill the log very quickly. For more on creating a rule, see "Creating an advanced IP firewall rule" on page 78.
Step 6: Save the firewall service changes
After configuring your rules and deciding which services to allow, save your changes so that the new settings take effect.

Important: if you add or change a rule after starting the firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting the firewall service, computers already connected to your FTP server are disconnected.

Managing the firewall service

This section explains step by step how to start, stop, and configure address groups and firewall rules.

Managing a Panther Server 10.3 firewall with the Server Admin of Tiger Server 10.4
Panther Server 10.3 does not support adding rules to the standard port rules, nor arranging rules by drag and drop. If you administer a Panther Server 10.3 firewall with the Server Admin of Tiger Server 10.4, you cannot edit the standard port rules or rearrange rules; those parts of Server Admin are unavailable while you are connected to a Panther 10.3 server.

Starting and stopping the firewall service
By default, the firewall service blocks all incoming TCP connections and denies all UDP packets except those replying to outgoing requests from the server. Before enabling the firewall service, make sure you have configured rules that allow access from the IP addresses you have chosen. Otherwise, no address can reach your server.

Important: if you add or change a rule after starting the firewall service, the new rule affects connections already established with the server.
For example, if you deny all access to your FTP server after starting the firewall service, computers already connected to your FTP server are disconnected.

To start or stop the firewall service:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Start Firewall.
Once the service has started, the Stop Service button becomes available.

Creating an address group
You can define groups of IP addresses for your firewall rules. These groups are used to organize and target rules. The "any" address group corresponds to all addresses. Two other address groups are present by default: one for the full private "10." network range and one for the full private "192.168." network range. Addresses can be listed as individual addresses (192.168.2.2), as IP addresses in CIDR notation (192.168.2.0/24), or as IP addresses in netmask notation (192.168.2.0:255.255.255.0).

To create an address group:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Click the Add (+) button to the right of the Address Group pane.
5 Enter the name of the group.
6 Enter the addresses and subnet mask that you want the rules to apply to. Use the Add (+) and Remove (-) buttons. Use the word "any" to indicate any IP address.
7 Click OK.
8 Click Save.

Editing or deleting an address group
You can edit your address groups to change the range of IP addresses they cover. The default address group corresponds to all addresses. You can also delete address groups from your firewall rule list.
The rules associated with those addresses are deleted as well. Addresses can be listed as individual addresses (192.168.2.2) or as an IP address and netmask in CIDR format (192.168.2.0/24).

To edit or delete an address group:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the group name in the Address Group pane.
5 Click the Edit (/) button to the right of the Address Group pane to edit it. Click the Remove (-) button to the right of the Address Group pane to delete it.
6 Change the group name or addresses as needed, then click OK.
7 Click Save.

Duplicating an address group
You can duplicate address groups in your firewall rule list. This speeds up the configuration of similar address groups.

To duplicate an address group:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the group name in the Address Group pane.
5 Click the Duplicate button to the right of the Address Group pane.

Opening the firewall for standard services
By default, the firewall service blocks incoming TCP connections on ports that are not essential to remote administration of the server, and denies incoming UDP packets except those replying to outgoing requests. In addition, dynamic rules that allow specific replies to outgoing requests are in place by default. Before enabling the firewall service, make sure you have configured rules that allow access from the IP addresses you have chosen; otherwise, none of them will be accepted by your server.
Opening the firewall for standard services is simple and requires no advanced or complicated configuration. The standard services include (but are not limited to):
• SSH access
• Web service
• Apple file service
• Windows file service
• FTP service
• Printer sharing
• DNS/Multicast DNS
• ICMP Echo Reply (incoming pings)
• IGMP (Internet Group Management Protocol)
• PPTP VPN
• L2TP VPN
• QTSS media streaming
• iTunes music sharing

Important: if you add or change a rule after starting the firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting the firewall service, computers already connected to your FTP server are disconnected.

To open the firewall for standard services:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select an address group from the "Edit Services for" pop-up menu.
5 Choose whether to allow all traffic for the address group or only traffic on the designated ports.
6 Select the Allow checkbox for each service to allow for the address group. If you do not see the service you need, you can add a port and description to the services list. If you want to create a custom rule, see "Creating an advanced IP firewall rule" on page 78.
7 Click Save.

Adding custom ports to the services list
You can add custom ports to the services list. This lets you open specific ports for your address groups without creating an advanced IP rule.
To add custom ports to the services list:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Click the Add (+) button below the services list.
5 Enter a rule name for the service.
6 Enter a single port (for example, 22) or a port range (for example, 650-750).
7 Choose a protocol. For a protocol other than TCP or UDP, you must use the Advanced pane to create a custom rule.
8 Click OK.
9 Click Save.

Editing or deleting items in the services list
You can delete or edit the ports in the services list. This lets you tailor the list of services to simplify configuration.

To edit the services list:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the service you want to edit.
5 Click the Edit (/) button below the services list to edit it. Click the Remove (-) button below the services list to delete it.
6 Change the name, port, or protocol as needed, then click OK.
7 Click Save.

Creating an advanced IP firewall rule
You can use the Advanced settings pane to configure very specific rules for the IP firewall. IP firewall rules contain source and destination IP addresses with subnet masks, and they specify what to do with the matching network traffic. You can apply a rule to all IP addresses, to a particular address, or to a range of IP addresses.
Addresses can be listed as individual addresses (192.168.2.2) or as ranges defined by an IP address and netmask in CIDR format (192.168.2.0/24).

To create an advanced IP firewall rule:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Advanced Rules tab.
4 Click the Add (+) button. Alternatively, select a rule similar to the one you want to create and click Duplicate, then Edit.
5 Choose whether the rule allows or denies access by selecting the corresponding option in the Action pop-up menu. If you choose Other, enter the desired ipfw action (for example, count or log).
6 Choose a protocol in the Protocol pop-up menu. If you choose Other, enter the desired protocol (for example, icmp, esp, ipencap).
7 Choose a service in the Service pop-up menu. To select a non-standard service port, choose Other.
8 If you wish, choose to log the packets that match the rule.
9 Choose an address group in the pop-up menu as the source of the filtered traffic. If you do not want to use an existing address group, enter the source IP address range (in CIDR notation) you want to filter. If you want the filter to apply to all addresses, choose Any in the pop-up menu.
10 If you selected a non-standard service port, enter the source port number.
11 Choose an address group in the pop-up menu as the destination of the filtered traffic. If you do not want to use an existing address group, enter the destination IP address range (in CIDR notation). If you want the filter to apply to all addresses, choose Any in the pop-up menu.
12 If you selected a non-standard service port, enter the destination port number.
13 Choose the network interface this rule applies to. "In" refers to the designated WAN interface; "Out" refers to the designated LAN interface. If you selected Other, enter the interface name (en0, en1, fw1, and so on). After saving, read the generated rule in the Active Rules pane to confirm that it carries the interface and direction you intended.
14 Click OK.
15 Click Save to apply the rule.

Editing or deleting advanced IP firewall rules
You can edit or delete advanced IP firewall rules. If you only want to disable a rule with a view to reusing it later, deselect the rule rather than deleting it. If you edit a rule after enabling the firewall service, your changes affect connections already established with the server. For example, if computers are connected to your web server and you change the rule to deny all access to the server, the connected computers are disconnected.

To edit an advanced IP firewall rule:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Advanced Rules tab.
4 Select the rule you want to edit.
5 Click the Edit (/) button below the list to edit it. Click the Remove (-) button below the list to delete it. If you delete a rule, you are done.
6 Change the rule as needed, then click OK.
7 Click Save.

Changing the order of advanced IP firewall rules
The order of advanced IP firewall rules is determined by their order in the Advanced Rules tab.

To change the order of rules:
• Drag the rules into the desired order.
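The three address notations that Server Admin accepts for an address group entry (a single address, address/prefix, address:netmask, or "any"), as described under "Subnet mask" and "Using address ranges" above, all resolve to one contiguous range. The following Python example is added here to show how those entries resolve and to recompute the CIDR table; it is not code from the Apple guide or from Server Admin, and the group names in DEFAULT_GROUPS are assumed for illustration.

```python
import ipaddress

# Added example, not code from the Apple guide: resolve Server Admin address group
# entries to the range they actually cover, and recompute the CIDR-to-netmask table.


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Accept "any", a single address, addr/prefix or addr:netmask (IPv4 only)."""
    entry = entry.strip()
    if entry.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in entry:                      # netmask notation, e.g. 192.168.2.1:255.255.255.0
        addr, mask = entry.split(":", 1)
        entry = f"{addr}/{mask}"          # ipaddress accepts a dotted mask after the slash
    # strict=False clears the host bits below the prefix, which is the "wildcard"
    # behaviour the table describes: 10.221.41.33/22 covers 10.221.40.0 to 10.221.43.255.
    return ipaddress.ip_network(entry, strict=False)


def entry_range(entry: str):
    """(first address, last address, number of addresses) for one group entry."""
    net = parse_entry(entry)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def cidr_row(prefix: int):
    """One row of the CIDR table: prefix, corresponding netmask, addresses in range."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    return f"/{prefix}", str(net.netmask), net.num_addresses


# Assumed names for the three groups Server Admin creates by default
# ("any" plus the two private ranges); the entries follow the text above.
DEFAULT_GROUPS = {
    "any": ["any"],
    "10-net": ["10.0.0.0/8"],
    "192.168-net": ["192.168.0.0:255.255.0.0"],
}


def group_contains(group_entries, address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in parse_entry(e) for e in group_entries)


def matching_groups(address: str, groups=DEFAULT_GROUPS):
    """Every group whose rules would apply to a packet from this address.
    "any" always matches, so a deny on "any" must be ordered after narrower allows."""
    return sorted(name for name, entries in groups.items()
                  if group_contains(entries, address))


if __name__ == "__main__":
    for e in ("10.221.41.33", "10.221.41.33/24", "10.221.41.33/22",
              "192.168.2.1:255.255.255.0", "any"):
        print(f"{e:28} -> {entry_range(e)}")
    for p in range(1, 33):
        print("%-4s %-16s %d" % cidr_row(p))
    print(matching_groups("192.168.12.12"))
```

The `strict=False` argument is the important detail: Server Admin shows you the normalized range after you type an entry with host bits set, and this is exactly what that normalization computes.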
Enabling stealth mode
You can hide the existence of your firewall by choosing not to send connection-failure notifications for connections blocked by the firewall. This hides your server's closed ports. For example, if an intruder tries to connect to your server, even on a blocked port, the rejection tells them that a server is there, and they will look for other ways into your network. With stealth mode enabled, the blocked packet is dropped silently rather than rejected: the intruder receives no indication at all that a connection attempt took place, and the attempt simply times out. Note that stealth mode only hides blocked ports; any port you have opened still answers and still reveals the host.

To enable stealth mode:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Advanced Rules tab.
4 Select "Enable for TCP" or "Enable for UDP" as desired.
5 Click Save.

Resetting an unreachable server
Some firewall configuration errors can make a server unreachable for remote administration. In that case, return the firewall to its default state so that Server Admin can administer the server again. This recovery procedure must be performed by an administrator with physical access to the server: single-user mode provides a root shell without a password, which is why physical access is required. The procedure uses the command line and assumes familiarity with it.

To reset a firewall:
1 Disconnect the server from the external Internet.
2 Restart the server in single-user mode by holding down Command-S during startup. In single-user mode the root file system is mounted read-only; run the fsck and mount commands shown at the prompt before editing any file.
3 Delete or rename the address group file, located at /etc/ipfilter/ip_address_groups.conf.
4 Delete or rename the ipfw configuration file, located at /etc/ipfilter/ipfw.conf.
5 Force-flush the firewall rules by entering:
ipfw -f flush
6 Edit /etc/hostconfig and set IPFILTER=-YES-.
7 Finish booting Mac OS X Server to the login window by typing:
exit
The computer starts with the default firewall rules and with the firewall enabled. You can then use Server Admin to refine the firewall configuration.
8 Log in with your server's local administrator account to confirm that the firewall has been returned to its default configuration.
9 Reconnect your host to the Internet.

Monitoring the firewall service

Firewalls are a network's first line of defense against malicious computer users (commonly called "hackers"). To keep your computers and users secure, you must monitor firewall activity and anticipate potential threats. This section explains how to log and monitor your firewall.

Understanding the Active Rules pane
The Active Rules pane shows the packet and byte counts associated with each rule. When you change the firewall configuration with Server Admin, the old firewall rules are flushed, new rules are generated and saved to a file, and the ipfw(1) command is invoked to put the rules into service. The flush also clears the packet and byte counts of the rules. The Active Rules pane reflects the state of the firewall at a given moment. When you look at this pane, note that dynamic rules may be listed alongside the static rules. These dynamic rules appear and disappear within seconds in response to network activity. They are the product of stateful rules (rules that contain a "keep-state" clause). For each dynamic rule, the Active Rules pane shows the number of the static rule that was triggered to create it.
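The priority mechanism described under "Rule mechanism and priority" and "Changing the order of advanced IP firewall rules" (the firewall walks the list in ascending rule number and applies the first match) and the dynamic rules described just above (a keep-state rule records the flow it allowed, so the reply is admitted under the number of the rule that created it) can be seen together in the following model. It is an added example, not Apple's or ipfw's code; the rule numbers and the rule set are illustrative, not the ones Server Admin generates, and interfaces and TCP flags are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the Apple guide: a model of first-match evaluation
# over a numbered rule list, with keep-state dynamic rules. Rule numbers are
# illustrative only.


@dataclass
class Rule:
    number: int                        # lower number = higher priority; the only ordering
    action: str                        # "allow", "deny" or "unreach"
    proto: str = "ip"                  # "ip" matches any protocol
    src: str = "any"                   # address group entry: IP, CIDR, addr:mask or "any"
    dst: str = "any"
    dst_port: Optional[int] = None
    direction: Optional[str] = None    # "in", "out" or None for both
    keep_state: bool = False           # allowed flows get a dynamic rule for their replies


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                     # "in" or "out" relative to the server


def _net(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.replace(":", "/"), strict=False)


def _matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in _net(r.src)
            and ipaddress.ip_address(p.dst) in _net(r.dst)
            and (r.dst_port is None or r.dst_port == p.dport)
            and (r.direction is None or r.direction == p.direction))


def _flow(p: Packet):
    # Direction-independent key: the reply to (a,ap)->(b,bp) is (b,bp)->(a,ap).
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    def __init__(self, rules):
        # Dragging a rule in the Advanced pane only changes its number; evaluation
        # order is always ascending number.
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}              # flow key -> number of the static rule that created it

    def evaluate(self, p: Packet):
        """Return (action, rule number) of the rule that decided the packet."""
        for r in self.rules:
            # ipfw consults the dynamic table when it reaches the first keep-state
            # (or check-state) rule, before evaluating that rule's own body.
            if r.keep_state and _flow(p) in self.dynamic:
                return ("allow", self.dynamic[_flow(p)])
            if _matches(r, p):
                if r.keep_state and r.action == "allow":
                    self.dynamic[_flow(p)] = r.number
                return (r.action, r.number)
        return ("deny", 65535)         # nothing matched: the kernel's built-in last rule


RULES = [
    Rule(1000, "allow", src="127.0.0.0/8", dst="127.0.0.0/8"),           # essential: loopback
    Rule(12302, "allow", proto="udp", direction="out", keep_state=True),  # replies to our UDP
    Rule(12304, "allow", proto="tcp", dst_port=22, direction="in"),       # General pane: SSH
    Rule(65000, "unreach", proto="tcp", direction="in"),                  # Advanced: other TCP
    Rule(65001, "deny", proto="udp", direction="in"),                     # Advanced: unsolicited UDP
    Rule(65534, "deny"),                                                  # catch-all deny
]


def demo():
    fw = Firewall(RULES)
    r = {}
    r["ssh"] = fw.evaluate(Packet("tcp", "10.221.41.33", 2190, "192.168.12.12", 22, "in"))
    r["web"] = fw.evaluate(Packet("tcp", "10.221.41.33", 2190, "192.168.12.12", 80, "in"))
    r["dns_query"] = fw.evaluate(Packet("udp", "192.168.12.12", 49152, "192.168.12.1", 53, "out"))
    r["dns_reply"] = fw.evaluate(Packet("udp", "192.168.12.1", 53, "192.168.12.12", 49152, "in"))
    r["udp_unsolicited"] = fw.evaluate(Packet("udp", "10.221.41.33", 5000, "192.168.12.12", 161, "in"))
    # Ordering matters: a deny numbered below the SSH allow (dragged above it in the
    # Advanced pane) now wins for that source network.
    fw2 = Firewall(RULES + [Rule(12200, "deny", proto="tcp", src="10.221.41.0/24", dst_port=22)])
    r["ssh_after_reorder"] = fw2.evaluate(Packet("tcp", "10.221.41.33", 2190, "192.168.12.12", 22, "in"))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The DNS reply is admitted under rule 12302 even though no static rule allows incoming UDP, which is exactly what the Active Rules pane shows as a short-lived dynamic rule tagged with its parent's number.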
Viewing the firewall status overview
The status overview shows a brief summary of the firewall service: the number of active rules, whether the service is running, and how many packets the firewall has processed.

To view the overview:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click the Overview button.

Viewing the active firewall rules
The Active Rules pane shows a summary of the firewall rules. It shows the following information:
• the rules in ipfw format;
• the priority of each rule;
• the packet count of each rule;
• the total number of bytes processed by each rule.

To view the active rules:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click the Active Rules button.

Configuring firewall service logs
You can log only the packets denied by the rules you have defined, only the packets allowed by those rules, or both. Either logging option can generate a large number of log entries, but there are ways to limit the volume:
• Log only allowed packets or only denied packets, rather than all packets.
• Log packets only for as long as you need to.
• Limit the total number of logged packets with the Logging settings pane.
• Add a count rule in the Advanced settings pane to count packets with the characteristics you are interested in, instead of logging each one.

You can choose to log allowed packets, denied packets, and a set number of packets.

To configure logging:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the logging options you want.
5 Click Save to start logging.

Viewing the firewall log
Each rule you create in Server Admin corresponds to one or more rules in the underlying firewall software. Log entries show the rule applied, the client and server IP addresses, and other information. The log shows the contents of /var/log/ipfw.log. You can narrow the entries further with the text filter field.

To view the firewall service log:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Log tab.

Here are some examples of firewall log entries and how to interpret them.

Log example 1
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that the firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 access to the server 192.168.12.12 on web port 80 via Ethernet port 0.

Log example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that the firewall service used rule 100 to allow the remote client 10.221.41.33:721 to access the server 192.168.12.12 on LPR printing port 515 via Ethernet port 0.

Log example 3
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
This entry shows the NAT divert rule applied to an outbound packet. Here the packet is diverted to port 660, the divert port used by the NAT daemon.
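The log entries above follow a fixed layout (rule number, action, protocol, source, destination, direction and interface), which makes them easy to parse outside Server Admin. The following Python example is added here, and is not code from the Apple guide: it parses that format, reproduces the "unreach"/"Accept" filtering of the next two procedures, counts hits per rule, and flags a source that was refused on several distinct ports. The sample log is constructed from the three entries shown above plus two invented lines (a second refusal and an ICMP entry, which carries no port numbers).

```python
import re
from collections import Counter, defaultdict

# Added example, not code from the Apple guide: parse /var/log/ipfw.log entries.
# Host fields are matched as "[^\s:]+" (IPv4 only); the port is optional because
# ICMP entries have none.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))? (?P<dst>[^\s:]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

DENY_ACTIONS = {"Deny", "Unreach", "Reset"}

# Constructed sample: the three entries from the guide plus two invented lines.
SAMPLE_LOG = """\
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
Dec 12 13:40:02 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2191 192.168.12.12:443 in via en0
Dec 12 13:41:10 ballch5 mach_kernel: ipfw: 65000 Deny ICMP:8.0 10.221.41.33 192.168.12.12 in via en0
"""


def parse_line(line: str):
    """Return a dict for one ipfw log line, or None if the line is not an ipfw entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    e["sport"] = int(e["sport"]) if e["sport"] else None
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e]


def filter_entries(entries, word: str):
    """Same effect as typing "unreach" or "Accept" into Server Admin's filter field."""
    word = word.lower()
    return [e for e in entries if word in e["action"].lower()]


def per_rule_counts(entries) -> Counter:
    """How often each (rule number, action) fired; compare with the Active Rules pane."""
    return Counter((e["rule"], e["action"]) for e in entries)


def refused_port_sweep(entries, min_ports: int = 2):
    """Sources refused on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in entries:
        if e["action"] in DENY_ACTIONS and e["dport"] is not None:
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in filter_entries(entries, "unreach"):
        print(e["rule"], e["action"], e["src"], "->", e["dst"], e["dport"], e["iface"])
    print(per_rule_counts(entries))
    print(refused_port_sweep(entries))
```

Because denied UDP and ICMP entries have no session context, a single noisy source can dominate this file; the per-rule counts are the quickest way to see whether one rule is responsible for most of the volume.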
Viewing denied packets
Examining denied packets can help you identify and resolve problems with the firewall service.

To view denied packets:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Make sure the "Log all denied packets" checkbox is selected.
5 View the log entries in Server Admin by clicking the Log button.
6 Type the word "unreach" in the text filter field.

Viewing packets logged by firewall rules
Examining the packets filtered by your firewall rules can help you identify and resolve problems with the firewall service.

To view filtered packets:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Make sure the "Log all allowed packets" checkbox is selected. See "Editing or deleting advanced IP firewall rules" on page 79 if you have not enabled logging for a particular rule.
5 View the log entries in Server Admin by clicking the Log button.
6 Type the word "Accept" in the text filter field.

Troubleshooting advanced IP firewall rules
The Advanced pane of the firewall settings accepts whatever you enter; it does not validate the rule. Errors are detected only when the rules are saved and Server Admin applies them all with the ipfw command. The first rule containing a syntax error stops the operation and adds an error message to the log. The error does not say which rule is wrong, but all valid rules preceding the bad one are loaded into the firewall, and none of the rules after it are, including any catch-all deny rule placed at the end of the list.
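The procedure that follows compares the rules Server Admin wrote to /etc/ipfilter/ipfw.conf.apple with the rules actually loaded. The Python example below is added here, and is not code from the Apple guide: it automates that comparison and reports the first configured rule that is absent from the active list, which is the one ipfw stopped at. Both inputs are constructed samples; the active list is assumed to be in the format printed by `ipfw show` (rule number, packet count, byte count, rule body), and the broken rule contains an invented keyword to stand in for a typo.

```python
import re

# Added example, not code from the Apple guide: find the first rule from
# /etc/ipfilter/ipfw.conf.apple that ipfw did not load.

CONFIG_RE = re.compile(r"^\s*add\s+(\d+)\s+(.*\S)\s*$")     # "add NNNN body"
ACTIVE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+(.*\S)\s*$")  # "NNNN pkts bytes body"

# Constructed sample of the generated configuration. Disabled rules are written
# out commented, so they never reach ipfw; "frobnicate" stands in for a typo.
CONFIG_SAMPLE = """\
# rules generated by Server Admin (constructed sample)
add 01000 allow ip from any to any via lo0
add 12304 allow tcp from any to any dst-port 22
# add 12305 allow tcp from any to any dst-port 80
add 12306 allow tcp from 10.221.41.0/24 to any dst-port 515
add 12307 allow tcp from any to any dst-port 443 frobnicate
add 12308 allow udp from any to any dst-port 53
add 65534 deny ip from any to any
"""

# Constructed sample of what "ipfw show" prints after the load stopped at 12307.
ACTIVE_SAMPLE = """\
01000      42      3150 allow ip from any to any via lo0
12304       7       980 allow tcp from any to any dst-port 22
12306       0         0 allow tcp from 10.221.41.0/24 to any dst-port 515
"""


def parse_config(text: str):
    """[(number, body), ...] for every enabled rule, in file order."""
    rules = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line)        # commented-out (disabled) rules never match
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def parse_active(text: str):
    """{number: body} for every rule currently loaded in the kernel."""
    return {int(m.group(1)): m.group(2)
            for m in map(ACTIVE_RE.match, text.splitlines()) if m}


def unloaded_rules(config_text: str, active_text: str):
    """Configured rules whose number is not loaded. Because ipfw stops at the first
    syntax error, the first entry is the broken rule and the rest are collateral."""
    active = parse_active(active_text)
    return [(n, body) for n, body in parse_config(config_text) if n not in active]


def first_unloaded_rule(config_text: str, active_text: str):
    missing = unloaded_rules(config_text, active_text)
    return missing[0] if missing else None


def missing_catch_all(config_text: str, active_text: str) -> bool:
    """True when the configured final deny did not load: the server is then
    protected only by the rules above the broken one."""
    return any(body.startswith("deny ip from any to any")
               for _, body in unloaded_rules(config_text, active_text))


if __name__ == "__main__":
    print("suspect:", first_unloaded_rule(CONFIG_SAMPLE, ACTIVE_SAMPLE))
    print("also not loaded:", unloaded_rules(CONFIG_SAMPLE, ACTIVE_SAMPLE)[1:])
    print("catch-all deny missing:", missing_catch_all(CONFIG_SAMPLE, ACTIVE_SAMPLE))
```

Matching is by rule number only, which is sufficient here because Server Admin numbers each generated rule uniquely; if you hand-edit rules that share a number, compare bodies as well.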
Here is the technique for determining which rule is incorrect.

To determine which rule is incorrect:
1 Note the message that appears in the log.
2 Wait a few minutes for Server Admin to display the active rules in the Overview section.
3 Compare the list of active rules in the Overview section with the list of rules in the Settings section.
4 Inspect the contents of the file /etc/ipfilter/ipfw.conf.apple to see which rules Server Admin attempted to load into the firewall. The first rule in this file that does not appear in the Overview panel is almost certainly the incorrect rule. It may also be followed by other incorrect rules.
5 If the rule corresponds to a rule in the Advanced panel, you can disable it or correct it. Disabled rules appear in /etc/ipfilter/ipfw.conf.apple preceded by a comment character so that the ipfw tool does not process them.

Practical examples
The IP firewall rules you create work together to secure your network. The examples below show how to use rules to achieve specific goals.

Using an IP firewall with Network Address Translation
The IP firewall must be enabled to use Network Address Translation (NAT). Enabling NAT automatically creates a divert rule in the firewall configuration. Although the Server Admin application in Tiger Server lets you enable and disable the NAT service and the firewall service separately, both the NAT service and the firewall service must be enabled for NAT to work.
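Step 4 of the troubleshooting technique above, comparing the rules in /etc/ipfilter/ipfw.conf.apple against the rules the firewall actually loaded, can be automated. The script below is an added example, not Apple's tooling: it reads the config in "add <number> <body>" form (skipping commented-out, i.e. disabled, rules), takes the active rule list in the "<number> <body>" form that the Overview pane and `ipfw list` show, and reports the first configured rule that is not active together with the rules after it, which were never reached. Both samples are constructed; the deliberate syntax error is the stray word "frm" in rule 12310.

```python
"""Locate the first rule that ipfw refused to load (added example, not Apple's code)."""
import re

# Constructed stand-in for /etc/ipfilter/ipfw.conf.apple. Rule 1010 is disabled
# (commented out); rule 12310 carries a syntax error ("frm").
CONFIG_SAMPLE = """\
# generated by Server Admin (constructed sample)
add 10 divert 660 ip from any to any via en0
add 1000 allow ip from any to any via lo0
# add 1010 allow tcp from 10.0.1.0/24 to 10.0.2.1 80 via en2
add 12300 allow tcp from any to any 80 in via en0
add 12310 allow tcp from any to any 515 in via en0 frm
add 12320 allow tcp from 10.221.41.33 to any 548 in
add 65534 deny log ip from any to any
"""

# Constructed stand-in for the active rules (Overview pane / `ipfw list`).
# Loading stopped at the bad rule, so only the rules before it are present,
# plus the firewall's built-in default rule 65535.
ACTIVE_SAMPLE = """\
00010 divert 660 ip from any to any via en0
01000 allow ip from any to any via lo0
12300 allow tcp from any to any dst-port 80 in via en0
65535 deny ip from any to any
"""

CONFIG_RE = re.compile(r"^add\s+(\d+)\s+(.*)$")
ACTIVE_RE = re.compile(r"^(\d+)\s+(.*)$")


def config_rules(text):
    """Return [(number, body)] for enabled rules, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled rules are commented out, as the guide notes
        m = CONFIG_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def active_rule_numbers(text):
    """Set of rule numbers the firewall reports as loaded."""
    numbers = set()
    for line in text.splitlines():
        m = ACTIVE_RE.match(line.strip())
        if m:
            numbers.add(int(m.group(1)))
    return numbers


def unloaded_rules(config_text, active_text):
    """Configured rules absent from the active list, in file order.
    The first is the likely syntax error; the rest were never attempted."""
    active = active_rule_numbers(active_text)
    return [(n, body) for n, body in config_rules(config_text) if n not in active]


def first_unloaded_rule(config_text, active_text):
    missing = unloaded_rules(config_text, active_text)
    return missing[0] if missing else None


if __name__ == "__main__":
    suspect = first_unloaded_rule(CONFIG_SAMPLE, ACTIVE_SAMPLE)
    print("suspect rule:", suspect)
    print("also not loaded:", [n for n, _ in unloaded_rules(CONFIG_SAMPLE, ACTIVE_SAMPLE)[1:]])
```

On a live server the two inputs would be the real config file and the output of `ipfw list`; the comparison is by rule number only, because ipfw normalises rule bodies (for example "80" becomes "dst-port 80"), so comparing text would produce false mismatches.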
An essential component of NAT is the packet divert rule used in the firewall. The IP firewall rule that is created tells the firewall how to route network traffic coming from the network behind the NAT gateway. When you have a LAN behind a NAT gateway, you must create the address group that corresponds to the LAN, or at least keep track of it.

The easiest way to configure an IP firewall to work with NAT is to use Gateway Setup Assistant. It automatically configures the IP address groups in the firewall and creates the correct packet divert rule. If you are configuring a NAT network through a gateway for the first time, Apple recommends using Gateway Setup Assistant.

If you do not want to use Gateway Setup Assistant, or you have gateway settings you do not want to overwrite, you can configure NAT and the IP firewall manually. For detailed instructions on configuring a NAT LAN, see "Linking a LAN to the Internet through one IP address" on page 106.

Warning: the IP firewall must be enabled for NAT to work.

Blocking Web access to Internet users
This section shows, by example, how to allow users on your subnet to access your server's Web service while denying access to the general public on the Internet. In this example, your LAN has the private IP address range 10.0.1.1 to 10.0.1.254. Your server's Web service is at 10.0.2.1 on the server's en2 port.
Using an advanced rule:
1 In Server Admin, create an address group named "LAN" with the address range 10.0.1.1/24. It covers all addresses in the 10.0.1.x subnet range. For instructions, see "Creating an address group" on page 74.
2 Create an advanced rule with the following settings:
• Action: Allow
• Protocol: TCP
• Service: Web
• Source address group: LAN
• Destination address: Other 10.0.2.1
• Interface: en2
For instructions, see "Creating an advanced IP firewall rule" on page 78.

Using the standard rules:
1 In Server Admin, create an address group named "Web Server" with the address range 10.0.2.1. For instructions, see "Creating an address group" on page 74.
2 Click Settings.
3 Select the General tab.
4 Select the "Web Server" address group in the "Edit services for" pop-up menu.
5 Allow traffic for the "Web Server" group on the designated Web service port. Select Allow Web service.
6 Click Save.

Logging Internet access by LAN users
This section shows, by example, how to allow users on your LAN to access the Web service of other servers and log their access to the public Internet. In this example, your LAN has the private IP address range 10.0.1.1 to 10.0.1.254.
1 In the IP Firewall panel of Server Admin, click Settings.
2 Select the General tab.
3 Select the "any" address group in the "Edit services for" pop-up menu.
4 Allow traffic for the "Web Server" group on the designated Web service port. Select Allow Web service.
5 Click Save.
6 Click the General tab.
7 Select Log all accepted packets. View the logs in the Log panel.

Blocking junk mail
This section shows, by example, how to reject mail from a junk mail sender with the IP address 17.128.100.0 while accepting all other Internet email.

Important: in the rules you create to block incoming SMTP mail, configure very specific address ranges. For example, if you define a rule on port 25 that denies mail from any address, you prevent your users' mail from being delivered.

To do this:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the "any" address group in the pop-up menu.
5 Enable "SMTP Mail".
6 Select the General tab.
7 Click the Add (+) button to create an address range.
8 Name the address group.
9 Enter 17.128.100.0 in the address range to specify the junk mail sender's address.
10 Click OK.
11 Select the address group you created.
12 Deselect "SMTP Mail" in the Services tab to disable mail transfer.
13 Click Save.

Allowing a client to access the Apple file server
This section shows, by example, how to allow a client with the IP address 10.221.41.33 to access the Apple file server.

To do this:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the "any" address group.
5 Disable "Apple File Service" in the Service panel.
6 Select the General tab.
7 Click the Add (+) button to create an address range.
8 Name the address group.
9 Enter 10.221.41.33 in the address range to specify the client's address.
10 Click OK.
11 Select the General tab.
12 Select the address group you created.
13 Select "Apple File Service" in the Service panel to allow file access.
14 Click Save.

Common network administration tasks that use the firewall service
Your firewall is the first line of defense against unauthorized intruders on your network, malicious users, and virus attacks against networks. Such attacks can damage your data or consume your network resources in many ways. This section presents some common uses of the firewall service in network administration.

Preventing denial of service (DoS) attacks
When the server receives a TCP connection request from a client that is denied access, by default it sends back a response stating that the connection was refused. This keeps the denied client from resending its request over and over. A malicious user can nevertheless generate a stream of TCP connection requests from a denied client's IP address and force the server to respond continuously, blocking all other connections to the server. This is one type of denial of service attack.

To prevent ping denial of service attacks:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Settings tab.
4 Select the "any" address group.
5 Deselect the "ICMP Echo (ping) reply" checkbox.
6 Click Save.

Important: denial of service (DoS) attacks are fairly rare. Make these settings only if you believe your server may be the target of an attack.
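The three address-group examples above (Web access limited to the LAN, one junk-mail sender blocked on SMTP, one client allowed to the Apple file server) all rely on the same mechanism: the firewall walks an ordered rule list and applies the first rule that matches, with a final implicit deny. The following simulator is an added example, not the guide's or Server Admin's code. It encodes each example as allow/deny rules over address groups and evaluates sample packets, which makes the ordering point visible: the specific deny for the junk-mail sender must sit before the general SMTP allow, and a deny on port 25 for "any" would stop all mail. The Rule and Packet types, the group names and the port numbers for Web (80), SMTP (25) and AFP (548) are this example's choices; the ports follow the guide's port reference table.

```python
"""First-match evaluation of address-group firewall rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any protocol)
    src: str                       # source address group in CIDR form, or "any"
    dport: Optional[int] = None    # destination port; None matches any port
    dst: str = "any"               # destination address group, or "any"
    iface: Optional[str] = None    # interface; None matches any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str


def _addr_in(addr, group):
    # "10.0.1.1/24" is accepted as written in the guide; strict=False normalises it to 10.0.1.0/24
    return group == "any" or ip_address(addr) in ip_network(group, strict=False)


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _addr_in(pkt.src, rule.src)
            and _addr_in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.iface is None or rule.iface == pkt.iface))


def evaluate(rules, pkt):
    """Return (action, rule) of the first matching rule; the implicit last rule denies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


# Example 1: Web service on 10.0.2.1 (en2) reachable only from the "LAN" group.
WEB_RULES = [
    Rule("allow", "tcp", "10.0.1.1/24", dport=80, dst="10.0.2.1", iface="en2"),
]

# Example 2: reject the junk-mail sender, accept SMTP from everyone else.
# The specific deny must precede the general allow.
SMTP_RULES = [
    Rule("deny", "tcp", "17.128.100.0", dport=25),
    Rule("allow", "tcp", "any", dport=25),
]

# Example 3: only one client may reach the Apple file server (AFP, port 548).
AFP_RULES = [
    Rule("allow", "tcp", "10.221.41.33", dport=548),
]


def web_decision(src, iface="en2"):
    return evaluate(WEB_RULES, Packet("tcp", src, "10.0.2.1", 80, iface))[0]


def smtp_decision(src, rules=SMTP_RULES):
    return evaluate(rules, Packet("tcp", src, "10.0.2.1", 25, "en0"))[0]


def afp_decision(src):
    return evaluate(AFP_RULES, Packet("tcp", src, "10.0.2.1", 548, "en0"))[0]


if __name__ == "__main__":
    print("web from LAN:", web_decision("10.0.1.77"))
    print("web from Internet:", web_decision("198.51.100.9"))
    print("smtp from junk-mail sender:", smtp_decision("17.128.100.0"))
    print("smtp from another host:", smtp_decision("203.0.113.4"))
    print("afp from allowed client:", afp_decision("10.221.41.33"))
```

Swapping the two SMTP rules lets the junk-mail sender through, and replacing the source group of the deny rule with "any" blocks every sender, which is exactly the mistake the Important note above warns about.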
If you deny ICMP echo replies, services that use ping to locate network services will be unable to detect your server.

Controlling or allowing peer-to-peer network use
Network administrators sometimes need to control the use of peer-to-peer (P2P) file sharing applications. Such applications may consume network bandwidth and resources inappropriately or disproportionately. P2P file sharing can also expose a company to security or intellectual property risks.

You can shut off P2P networking by blocking all incoming and outgoing traffic on the port number used by the P2P application. You will need to determine the port used by each P2P network in question. By default, the Mac OS X Server firewall blocks all ports that are not specifically opened.

You can limit P2P network use to IP addresses behind the firewall. To do so, open the P2P port on your LAN interface but keep the port blocked on the interface connected to the Internet (the WAN interface). To learn how to create a firewall rule, see "Creating an advanced IP firewall rule" on page 78.

Controlling or enabling network game use
Network administrators sometimes need to control the use of network games. Such games may consume network bandwidth and resources inappropriately or disproportionately. You can shut off network games by blocking all incoming and outgoing traffic on the port number used by the game. You will need to determine the port used by each network game in question. By default, the Mac OS X Server firewall blocks all ports that are not specifically opened.
You can choose to limit network game use to IP addresses behind the firewall. To do so, open the appropriate port on your LAN interface but keep the port blocked on the interface connected to the Internet (the WAN interface). Some games need a connection to a game service, which may then no longer work. To learn how to create a firewall rule, see "Creating an advanced IP firewall rule" on page 78.

You can open the firewall for certain network games so that they can connect to other players and game services outside the firewall. To do so, open the appropriate port on both your LAN and WAN interfaces. Some games require several ports to be opened. See the game's documentation for details on its networking. To learn how to create a firewall rule, see "Creating an advanced IP firewall rule" on page 78.

Port reference
The following tables list the TCP and UDP port numbers commonly used by Mac OS X and Mac OS X Server computers. These ports can be used when configuring your rules. See the following website for the RFC documents referenced in the tables.
www.faqs.org/rfcs

TCP port     Used for                                                                 Reference
7            echo                                                                     RFC 792
20           FTP data                                                                 RFC 959
21           FTP control                                                              RFC 959
22           SSH (secure shell), Open Directory replica setup
23           Telnet                                                                   RFC 854
25           SMTP (mail)                                                              RFC 821
53           DNS                                                                      RFC 1034
79           Finger                                                                   RFC 1288
80           HTTP (Web)                                                               RFC 2068
88           Kerberos 5 Key Distribution Center                                       RFC 1510
106          Open Directory Password Server (with 3659)
110          POP3 (mail)                                                              RFC 1081
111          Remote Procedure Call (RPC)                                              RFC 1057
113          AUTH                                                                     RFC 931
115          sftp
119          NNTP (news)                                                              RFC 977
123          Network Time Protocol (NTP) server synchronization                       RFC 1305
137          Windows Names
138          Windows Browser
139          Windows file and print service (SMB/CIFS)                                RFC 100
143          IMAP (mail access)                                                       RFC 2060
201-208      AppleTalk
311          Server Admin SSL, remote Web administration, AppleShare IP, Server Monitor, Server Admin (servermgrd), Workgroup Manager (DirectoryService)
389          LDAP (directories), Sherlock 2 LDAP search                               RFC 2251
407          Timbuktu
427          SLP (service location)
443          SSL (HTTPS)
445          Microsoft Domain Server
497          Dantz Retrospect
514          shell, syslog
515          LPR (print spooling)                                                     RFC 1179
532          netnews
548          AFP (Apple File Service)
554          RTSP, Real Time Streaming Protocol (QTSS)                                RFC 2326
591          FileMaker Web access
600-1023     Mac OS X RPC services (for example, NetInfo)
625          Remote Directory Access
626          IMAP administration (Mac OS X mail service and AppleShare IP 6.x mail)
631          IPP (printer sharing)
636          LDAP SSL
660          Server Settings, Server Manager
687          AppleShare IP shared users and groups, Server Monitor, Server Admin (servermgrd)
749          Kerberos and changepw administration via the kadmind command-line tool
985          NetInfo static port
993          IMAP over SSL (mail)
995          POP3 over SSL (mail)
1085         Web Objects
1099, 8043   Remote RMI and RMI/IIOP access to JBoss
1220         QTSS Admin
1694         IP failover
1723         PPTP VPN                                                                 RFC 2637
2049         NFS
2236         Macintosh Manager
2399         FileMaker data access layer
3004         iSync
3031         Program Linking, Remote AppleEvents
3283         ARD 2.0
3306         MySQL
3632         Xcode distributed compiler
3659         Open Directory Password Server (with 106)
3689         iTunes music sharing
4111         XGrid
5003         FileMaker name binding and transport
5100         Camera and scanner sharing
5190         iChat and iChat file transfer
5222         iChat server
5223         iChat server SSL
5269         iChat server, server to server
5298         iChat, local subnet
5432         ARD 2.0 database
5900         ARD 2.0 VNC
7070         RTSP, Real Time Streaming Protocol (QTSS)
7777         iChat server file transfer proxy
8000-8999    Web service
8000-8001    QTSS MP3 streaming
8005         Tomcat remote shutdown
8043, 1099   Remote RMI and RMI/IIOP access to JBoss
8080, 8443, 9006   Standalone Tomcat and JBoss
8080         Web service alternative (Apache 2 default)
9007         Remote Web server access at AIP port
16080        Web service with performance cache redirect
42000-42999  iTunes radio streams

UDP port     Used for                                                                 Reference
7            echo
53           DNS
67           DHCP server (BootP), NetBoot server
68           DHCP client
69           Trivial File Transfer Protocol (TFTP)
111          Remote Procedure Call (RPC)
123          Network Time Protocol (NTP)                                              RFC 1305
137          Windows Name Service (WINS)
138          Windows Datagram Service (NETBIOS)
161          Simple Network Management Protocol (SNMP)
192          AirPort administration
427          SLP (service location)
497          Retrospect
500          ISAKMP/IKE VPN
513          who
514          Syslog
554          RTSP, Real Time Streaming Protocol (QTSS)
600-1023     Mac OS X RPC services (for example, NetInfo)
626          Serial number support
985          NetInfo (when creating a shared domain with NetInfo Domain Setup)
1701         L2TP VPN
3283         ARD 1.2
5353         Multicast DNS (mDNSResponder)
2049         Network File System (NFS) service
3031         Program Linking
3283         Apple Network Assistant, Apple Remote Desktop
4500         IKE NAT Traversal
5060         iChat initiation
5297, 5678   iChat, local
5353         Multicast DNS (mDNSResponder)
6970-6999    QTSS RTP streaming
7070         Alternate RTSP (QTSS)
16384-16403  iChat audio/video RTP and RTCP

Other sources of information
For more information on ipfw:
You will find more information on ipfw, the tool that controls the IP firewall service, in its man page, which explains how to access its features and how to set them up. To open the man page, use the Terminal application to type:
man ipfw

RFC documents
RFC (Request for Comments) documents provide an overview of a protocol or service and describe in detail how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in the RFCs. If you are an experienced server administrator, you will find all the technical details on a particular protocol in its RFC document. The RFC section of the following website lists RFC numbers for various protocols:
www.ietf.org/rfc.html

The IANA (Internet Assigned Numbers Authority) maintains the list of "well-known ports", the TCP and UDP ports the organization has assigned to the various protocols.
You can find this list at:
www.iana.org/assignments/port-numbers

You will also find documentation on important multicast addresses in the most recent Assigned Numbers RFC, currently RFC 1700.

5 NAT Service
Network Address Translation (NAT) is sometimes called IP masquerading. NAT is used to give several computers Internet access through a single assigned public or external IP address. It lets you create a private network that reaches the Internet through a NAT router or gateway. The NAT router receives all traffic from your private network and remembers which internal addresses made the requests. When the NAT router receives the response to a request, it forwards it to the computer that issued the request. Traffic from the Internet therefore reaches no computer behind the NAT router unless port forwarding is enabled.

Using NAT with other network services
Enabling NAT on Mac OS X Server often requires detailed control of DHCP, which is therefore configured separately in Server Admin. To learn more about DHCP, see Chapter 2, "DHCP Service", on page 23.

Enabling NAT also automatically creates a divert rule in the firewall configuration. The Server Admin application in Mac OS X Server lets you enable and disable the NAT service and the firewall service separately. But for the NAT service to work, both the NAT service and the firewall service must be enabled. This is because an essential component of NAT is the packet divert rule.
This rule is added to the firewall when the NAT service is enabled, but the firewall service must be running for the packet divert rule, or any other firewall rule, to take effect.

Warning: the IP firewall must be enabled for NAT to work.

Overview of setting up a NAT LAN
Setting up a network segment as a NAT LAN requires several steps. Each of them is needed to obtain a working private network behind a NAT gateway. You will find a detailed configuration example in "Linking a LAN to the Internet through one IP address" on page 106. The following section gives a basic overview of the setup process.

Step 1: Choose your NAT gateway and its interface roles
It must be a Mac OS X Server computer with (at least) two network interfaces: one for the Internet connection (the WAN port) and another for the private network segment (the LAN port).

Step 2: Decide how clients on the NAT LAN obtain their IP addresses
You can assign them your own static IP addresses from the ranges approved for private LANs, or have the DHCP feature of Mac OS X Server assign the addresses for you.

Step 3: Configure the gateway's network settings
Assign your public IP address to the WAN port and the internal gateway address to the LAN port.

Step 4: Configure the NAT settings
See "Configuring the NAT service" on page 101.

Step 5: Configure the port forwarding settings
See "Configuring port forwarding" on page 103.
Step 6: Start the NAT service
See "Starting and stopping the NAT service" on page 101.

Step 7: Start the firewall service
For the NAT service to work, both the NAT service and the firewall service must be enabled. For details, see "Starting and stopping the firewall service" on page 74.

Step 8: Configure and start the DHCP service, if needed
If client addresses are to be assigned dynamically, configure DHCP and start it now. For details, see Chapter 2, "DHCP Service".

Starting and stopping the NAT service
Server Admin lets you start and stop the NAT service on your default network interface. Starting the NAT service does not automatically start DHCP on the NAT interface, so LAN addressing must be handled separately. Starting the NAT service is not the same as setting up a network segment as a NAT LAN.

To start the NAT service:
1 In Server Admin, select NAT in the Computers & Services window.
2 Click Start Service.
Once the service is running, the Stop Service option becomes available.

Configuring the NAT service
Server Admin lets you specify the network interface connected to the Internet or to another external network. Configuring the NAT service is not the same as setting up a network segment as a NAT LAN.

To configure the NAT service:
1 In Server Admin, select NAT in the Computers & Services window.
2 Click Settings.
3 Select "IP Forwarding and Network Address Translation".
4 Choose the desired network interface from the "Network connection to share" pop-up menu. This interface must be the one connected to the Internet or to an external network.
5 Click Save.

Creating a gateway without NAT
Sometimes you need to use a computer as a gateway between different network segments without translating their IP addresses between the public range and the private range. This is called "IP forwarding". Mac OS X Server handles IP forwarding through the NAT section of Server Admin.

Several network configurations are possible with this setup. For example, another server may translate private IP addresses to public addresses using NAT while your Mac OS X Server gateway routes between different private address subnets. Likewise, you can run a firewall between the different segments of your own LAN. Any situation that leads you to route network traffic through the server without masking IP addresses calls for IP forwarding.

The steps for creating an IP forwarding gateway are the same as for creating a NAT LAN. This means the network ports must be configured with their own settings and the firewall service must be enabled for the gateway to work.

To configure a gateway without the NAT service:
1 In Server Admin, select NAT in the Computers & Services window.
2 Click Settings.
3 Select "IP Forwarding only".
4 Click Save.

Configuring port forwarding
You can direct traffic entering your NAT network to a specific IP address behind the NAT gateway.
This lets you set up computers on the internal network that handle certain incoming connections without exposing the other computers to outside connections. For example, you can set up a Web server behind NAT and forward all incoming TCP connection requests on port 80 to the designated Web server. You cannot forward the same port to more than one computer, but you can forward some ports to one computer and other ports to another.

Enabling port forwarding requires Terminal, some proficiency with it, and administrative access to root privileges through sudo. You will edit a plist, and the contents of that plist are used to generate /etc/nat/natd.conf.apple, the file passed to the NAT daemon when it starts. Do not attempt to edit /etc/nat/natd.conf.apple directly. If you choose to use a plist editor rather than a command-line text editor, you will need to adapt the following instructions.

To forward port traffic:
1 If the file /etc/natd.plist does not exist, make a copy of the NAT daemon's default plist.
sudo cp /etc/nat/natd.plist.default /etc/natd.plist
2 Using a Terminal editor, add a new block of XML text to /etc/natd.plist before the last two lines that close the file (</dict> and </plist>). Add this block, replacing the italicized settings with the settings you want:
    <key>redirect_port</key>
    <array>
        <dict>
            <key>proto</key>
            <string>TCP or UDP</string>
            <key>targetIP</key>
            <string>LAN IP address</string>
            <key>targetPortRange</key>
            <string>LAN port range</string>
            <key>aliasIP</key>
            <string>WAN IP address</string>
            <key>aliasPortRange</key>
            <string>WAN port range</string>
        </dict>
    </array>
3 Save your changes.
Changes to the file, other than the settings Server Admin can modify and the comments, are preserved by the server configuration tools (Server Admin, Gateway Setup Assistant, and serveradmin).
4 Configure the NAT service in Server Admin as you wish. For details, see "Configuring the NAT service" on page 101.
5 Click Save.

Port forwarding examples
You can forward a single port or any number of ports to a given IP address. The WAN-side ports need not be identical to the LAN-side ports, but they must correspond. For example, if you forward 10 consecutive ports on the WAN side, you must forward them to 10 consecutive ports on the LAN side, but they need not be the same 10 ports.

Forwarding a single port
This example shows the settings to forward connections to TCP port 80 (Web service) at the WAN address 17.128.128.128 to TCP port 80 (Web service) at the private LAN address 192.168.1.1. The block of text to add to the /etc/natd.plist file is:
    <key>redirect_port</key>
    <array>
        <dict>
            <key>proto</key>
            <string>TCP</string>
            <key>targetIP</key>
            <string>192.168.1.1</string>
            <key>targetPortRange</key>
            <string>80</string>
            <key>aliasIP</key>
            <string>17.128.128.128</string>
            <key>aliasPortRange</key>
            <string>80</string>
        </dict>
    </array>

Forwarding multiple ports
This example shows the settings to forward connections to TCP ports 600-1023 (NetInfo, full range) at the WAN address 17.128.128.128 to the corresponding ports at the private LAN address 192.168.1.1. The block of text to add to the /etc/natd.plist file is:
    <key>redirect_port</key>
    <array>
        <dict>
            <key>proto</key>
            <string>TCP</string>
            <key>targetIP</key>
            <string>192.168.1.1</string>
            <key>targetPortRange</key>
            <string>600-1023</string>
            <key>aliasIP</key>
            <string>17.128.128.128</string>
            <key>aliasPortRange</key>
            <string>600-1023</string>
        </dict>
        <dict>
            <key>proto</key>
            <string>UDP</string>
            <key>targetIP</key>
            <string>192.168.1.1</string>
            <key>targetPortRange</key>
            <string>600-1023</string>
            <key>aliasIP</key>
            <string>17.128.128.128</string>
            <key>aliasPortRange</key>
            <string>600-1023</string>
        </dict>
    </array>

Monitoring the NAT service
You may want to monitor your NAT service for troubleshooting and security purposes.
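Editing /etc/natd.plist by hand leaves two mistakes undetected until natd starts: a WAN port range and a LAN port range of different sizes, and the same WAN port forwarded to two computers. The script below is an added example, not Apple's tooling, and it never touches the real file. It builds redirect_port entries with the key names used in the examples above, checks both constraints, writes them with plistlib, and also renders them as natd `redirect_port` directives (standard natd syntax, which this example assumes is what the generated natd.conf.apple contains). The two example entry sets reproduce the single-port and multiple-port examples above.

```python
"""Build and validate redirect_port entries for /etc/natd.plist (added example)."""
import plistlib
from ipaddress import ip_address


def parse_range(text):
    """'80' -> (80, 80); '600-1023' -> (600, 1023). Raises ValueError on bad input."""
    parts = str(text).split("-")
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port range: {text!r}")
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi


def redirect(proto, target_ip, target_ports, alias_ip, alias_ports):
    """One redirect_port entry, in the key layout of the guide's examples."""
    ip_address(target_ip)
    ip_address(alias_ip)  # both raise on a mistyped address
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError("proto must be TCP or UDP")
    t_lo, t_hi = parse_range(target_ports)
    a_lo, a_hi = parse_range(alias_ports)
    # WAN and LAN ranges may differ, but must cover the same number of ports.
    if t_hi - t_lo != a_hi - a_lo:
        raise ValueError(
            f"WAN range {alias_ports} and LAN range {target_ports} differ in size")
    return {"proto": proto.upper(), "targetIP": target_ip,
            "targetPortRange": target_ports, "aliasIP": alias_ip,
            "aliasPortRange": alias_ports}


def check_no_overlap(entries):
    """Reject forwarding the same WAN port (per protocol and WAN address) twice."""
    seen = {}
    for e in entries:
        lo, hi = parse_range(e["aliasPortRange"])
        for port in range(lo, hi + 1):
            key = (e["proto"], e["aliasIP"], port)
            if key in seen:
                raise ValueError(f"WAN port {key} already forwarded to {seen[key]}")
            seen[key] = e["targetIP"]
    return True


def to_plist_bytes(entries):
    """The redirect_port array as plist XML, ready to merge into /etc/natd.plist."""
    check_no_overlap(entries)
    return plistlib.dumps({"redirect_port": entries}, fmt=plistlib.FMT_XML)


def load_entries(plist_bytes):
    return plistlib.loads(plist_bytes)["redirect_port"]


def to_natd_lines(entries):
    """natd.conf form (assumed): redirect_port proto targetIP:ports aliasIP:ports"""
    check_no_overlap(entries)
    return [f"redirect_port {e['proto'].lower()} {e['targetIP']}:{e['targetPortRange']} "
            f"{e['aliasIP']}:{e['aliasPortRange']}" for e in entries]


# The guide's two examples, built with the helper above.
SINGLE_PORT = [redirect("TCP", "192.168.1.1", "80", "17.128.128.128", "80")]
MULTI_PORT = [redirect("TCP", "192.168.1.1", "600-1023", "17.128.128.128", "600-1023"),
              redirect("UDP", "192.168.1.1", "600-1023", "17.128.128.128", "600-1023")]

if __name__ == "__main__":
    print(to_plist_bytes(SINGLE_PORT).decode())
    print("\n".join(to_natd_lines(MULTI_PORT)))
```

A forwarding rule is also an exposure: every WAN port listed here is reachable from the Internet, so the firewall rules for the "any" group should open only those ports and only toward the forwarded hosts.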
This section describes the NAT status overview and monitoring of NAT divert activity.

Viewing the NAT status overview
The NAT status overview lets you see whether the service is running and how many protocol links are active.

To view the overview:
1 In Server Admin, choose NAT Service in the Computers & Services list.
2 Click the Overview button.

Common network administration tasks that use NAT
The following section describes some common network administration tasks that use the NAT service.

Linking a LAN to the Internet through one IP address
The easiest way to link a NAT LAN to the Internet is to use Gateway Setup Assistant. It automatically configures the IP address groups in the firewall and creates the correct packet divert rule. If you are setting up a NAT network through a gateway for the first time, it is recommended that you use Gateway Setup Assistant. See "Connecting your network to the Internet" on page 15 to learn more about Gateway Setup Assistant.

If you do not want to use Gateway Setup Assistant, or you have gateway settings you do not want to overwrite, you can configure NAT and the IP firewall manually. To do so, you need a Mac OS X Server computer with two network interfaces, one connected to the Internet and the other connected to your private network.
This example assumes the following configuration:
• Ethernet interface names and roles: Built-in Ethernet (connected to the Internet), PCI Ethernet Slot 1 (connected to the internal network)
• Internet or public IP address: 17.254.0.3 (for example only; your IP number is provided by your ISP)
• Internet or public DNS IP address: 17.254.1.6 (for example only; your IP number is provided by your ISP)
• Private network IP address range and netmask: 192.168.0.2-192.168.0.254 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
• Server's private network IP address: 192.168.0.1
• LAN client IP address settings: configure IPv4 to use DHCP. Although this is not strictly necessary (NAT can be used with static IP addresses rather than DHCP), it makes client computer setup easy.

To set up your NAT LAN:
1 Open the Network pane of System Preferences on the gateway server.
2 In the Network Port Configurations screen, verify that the "Built-in Ethernet" interface is at the top of the list of interfaces. If it is not, drag it to the top of the list. This sets the default gateway in the routing table. The first interface in the list is always configured to be on the Internet or WAN side.
3 Verify that the IP address and settings for "Built-in Ethernet" are those of the public address provided by your ISP. In our example they would be:
• IP address: 17.254.0.3
• Netmask: 255.255.252.0
• DNS: 17.254.1.6
4 Verify that the IP address and settings for "PCI Ethernet Slot 1" are those of your local address.
In this example they would be:
• IP address: 192.168.0.1
• Netmask: 255.255.255.0
• DNS: 17.254.1.6
5 Click Apply Now, if necessary.
6 Open Server Admin.
7 In Server Admin, choose DHCP in the Computers & Services list.
8 In Server Admin, create an address group with the following configuration settings for the internal LAN:
• Subnet name:
• Starting IP address: 192.168.0.2
• Ending IP address: 192.168.0.254
• Subnet mask: 255.255.255.0
• Network interface: en1
• Router: 192.168.0.1
• Lease time:
• DNS: 17.254.1.6
For detailed DHCP setup instructions, see "Creating Subnets" on page 24.
9 Start DHCP service.
10 In Server Admin, choose NAT in the Computers & Services list.
11 Configure NAT with the following settings:
• Network connection to share: Built-in Ethernet
12 Click Save, if necessary.
13 Start NAT service.
14 In Server Admin, choose Firewall in the Computers & Services list.
15 Start the firewall.
16 Create firewall rules to allow access to and from your private network. For example, create an IP address group named "Private LAN" for the addresses 192.168.0.0/24. For detailed instructions, see "Creating an Address Group" on page 74.
17 Enable all services you want the private LAN to access (Web, SSH, file sharing, and so on) using the "Private LAN" group. For detailed instructions, see "Opening the Firewall for Standard Services" on page 76.
18 Enable all services you want the Internet to access on your private LAN (Web, SSH, file sharing, and so on) using the "any" address group.
For detailed instructions, see "Opening the Firewall for Standard Services" on page 76.
19 Click Save.

Setting Up a LAN Party Network
Setting up a LAN party network is essentially the same as "Linking a LAN to the Internet Through One IP Address". Special considerations:
• Pay particular attention to opening the ports needed to play a game across the Internet.
• If the game is only played within the LAN, the firewall does not need to be opened to the game ports.
• If computers join and leave the LAN, DHCP is preferable for client address configuration.

Setting Up Virtual Servers
A virtual server is a gateway server that forwards services behind a NAT wall to real servers, port by port. For example, a NAT gateway at 17.100.0.1 (domaine.exemple.com) could be configured to forward Web traffic (port 80) to 10.0.0.5 (port 80) behind the firewall, while ssh requests (port 22) send packets to 10.0.0.15 (port 22). In this example the Web content is really served not by the NAT gateway but by the server at 10.0.0.5, yet this is invisible to clients visiting the website. To the Internet you have only one server, but behind the NAT barrier you can have as many as you want. This can be used for load balancing, or as an organizational scheme for network topology. Virtual servers also make it easy to redirect network traffic to other computers on the LAN simply by reconfiguring the gateway.
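The following added example (not part of the guide, and not natd's code) models what the gateway described in the two procedures above does with each packet: outbound LAN traffic is rewritten to the public address and tracked as a link, return traffic is mapped back, and unsolicited Internet traffic passes only where a virtual-server (port forwarding) entry exists. It uses the addresses from the virtual-server example and assumes 10.0.0.0/24 as the private LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "17.100.0.1"                  # gateway's public address, from the text above
PRIVATE_NET = ip_network("10.0.0.0/24")   # assumed: the private LAN holding 10.0.0.5 and 10.0.0.15

# Virtual-server table from the text: (protocol, public port) -> (internal host, internal port)
REDIRECTS = {
    ("tcp", 80): ("10.0.0.5", 80),
    ("tcp", 22): ("10.0.0.15", 22),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of the gateway's translation table (not natd's implementation)."""

    def __init__(self, first_port: int = 40000) -> None:
        self.next_port = first_port   # dynamic ports start above any forwarded port
        self.outbound = {}            # (proto, private src, sport) -> public port
        self.inbound = {}             # (proto, public port) -> (private src, sport)

    def outgoing(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a remembered port."""
        if ip_address(pkt.src) not in PRIVATE_NET:
            raise ValueError(f"{pkt.src} is not on the private LAN")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, PUBLIC_IP, self.outbound[key], pkt.dst, pkt.dport)

    def incoming(self, pkt: Packet):
        """Internet -> gateway: return traffic for a known link goes back to the private
        host; an unsolicited packet passes only if a forwarding entry exists, else it is dropped."""
        if pkt.dst != PUBLIC_IP:
            return None
        target = self.inbound.get((pkt.proto, pkt.dport))
        if target is None:
            target = REDIRECTS.get((pkt.proto, pkt.dport))
            if target is None:
                return None           # the "NAT wall": nothing is published on this port
            # replies from the forwarded host must leave with the public port, not a new one
            self.outbound[(pkt.proto, *target)] = pkt.dport
        host, port = target
        return Packet(pkt.proto, pkt.src, pkt.sport, host, port)

    def active_links(self) -> int:
        """What the NAT Overview pane reports as the number of active protocol links."""
        return len(self.outbound)


if __name__ == "__main__":
    gw = NatGateway()
    print(gw.outgoing(Packet("tcp", "10.0.0.7", 51000, "203.0.113.9", 443)))
    print(gw.incoming(Packet("tcp", "198.51.100.4", 33000, "17.100.0.1", 80)))
    print(gw.incoming(Packet("tcp", "198.51.100.4", 33002, "17.100.0.1", 25)))  # dropped
```

The firewall still has to allow the forwarded ports from the "any" group, as the procedure below describes; the translation table alone does not open them.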
Virtual servers require configuring three services: NAT, DNS, and the IP firewall. NAT service must be configured with port forwarding for the desired virtual port. The DNS record for the server must accept a few common service aliases and resolve them all to the same IP address. Finally, the firewall must allow traffic on those ports into the NAT LAN.
In this example we set up a NAT gateway and point two domain names and services to other computers behind the gateway's firewall.
This example assumes the following configuration:
• Ethernet interface names and roles: Built-in Ethernet (connected to the Internet), PCI Ethernet Slot 1 (connected to the internal network)
• Internet or public IP address: 17.100.0.1 (example only; your ISP provides your IP number)
• Private network IP address range and netmask: 192.168.0.0-192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
• Gateway server's private network IP address: 192.168.0.1
• Web server's private network IP address: 192.168.0.2
• Mail server's private network IP address: 192.168.0.3
• Web and mail server IP address settings: configure IPv4 to use DHCP. This is not strictly required (NAT can be used with static IP addresses instead of DHCP), but it makes client computers easy to configure.

To set up your virtual servers:
1 Open Server Admin.
2 In Server Admin, choose DHCP in the Computers & Services list.
3 In Server Admin, create an address group with the following configuration settings for the internal LAN:
• Subnet name:
• Starting IP address: 192.168.0.2
• Ending IP address: 192.168.0.254
• Subnet mask: 255.255.255.0
• Network interface: en1
• Router: 192.168.0.1
• Lease time:
• DNS:
• Static mapping (Web): mapped to 192.168.0.2
• Static mapping (mail): mapped to 192.168.0.3
For detailed DHCP setup instructions, see "Creating Subnets" on page 24 and "Assigning Static IP Addresses Using DHCP" on page 31.
4 Start DHCP service.
5 In Server Admin, choose NAT in the Computers & Services list.
6 Configure NAT with the following settings:
• Network connection to share: Built-in Ethernet
• Port forwarding: TCP port 80 (Web) to 192.168.0.2
• Port forwarding: TCP port 25 (mail) to 192.168.0.3
7 Click Save.
8 Start NAT service.
9 In Server Admin, choose Firewall in the Computers & Services list.
10 Start the firewall.
11 Create firewall rules to allow access to your private network. For detailed instructions, see "Creating an Address Group" on page 74.
12 Enable the two services you want the Internet to access on your private LAN (Web and SMTP mail) using the "any" address group. For detailed instructions, see "Opening the Firewall for Standard Services" on page 76.
13 Click Save.
14 Add two aliases to your gateway server's DNS record.
Contact your DNS provider (usually the ISP) and ask them to add an "A" record named "www.exemple.com" pointing to the IP address 17.100.0.1.
Also ask for an MX record named "mail.exemple.com" pointing to the same IP address. These records are in addition to the A and CNAME records for your domain.
Now all Web traffic to www.exemple.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic to mail.exemple.com is forwarded to the internal server at 192.168.0.3.
If you want to change the servers behind NAT (for a hardware upgrade, for example), you only need to change the DHCP static address mapping to point to the Ethernet addresses of the new servers. The existing internal IP addresses are assigned to the newly designated Web and mail servers, and the gateway forwards traffic to the new servers without interruption.

Where to Find More Information
For more information about natd:
You can find more information about natd, the daemon that controls NAT service, in its man page. It explains how to access its features and how to implement them. To view the man page, use the Terminal application to type:
man natd

Request for Comments Documents
Request for Comments (RFC) documents provide an overview of a protocol or service and detail how the protocol should behave. If you are a novice server administrator, you will probably find some of the background information in RFCs helpful. If you are an experienced server administrator, you can find all the technical details about a particular protocol in its RFC document.
You can search for RFC documents by number at www.ietf.org/rfc.html.
For descriptions of NAT, see:
• RFC 1631
• RFC 3022

6 VPN Service
A virtual private network (VPN) is two or more computers or networks (nodes) connected by a private link of encrypted data. This link simulates a local connection, as if the remote computer were attached to the local area network (LAN).
VPNs let users working from home or outside the LAN connect to it securely using any network connection, such as the Internet. From the user's perspective, the VPN connection appears to be a dedicated private link. VPN technology also lets an organization's branch offices connect to the Internet while keeping their communications secure; the VPN connection across the Internet acts as a wide area network (WAN) link between the sites.
VPNs also offer many advantages to organizations whose computer resources are physically separated. For example, each remote user or node uses the network resources of its Internet service provider (ISP) instead of a direct, wired link to the main location. VPNs also let verified mobile users access private computer resources (file servers and so on) from any Internet connection. Finally, a VPN can link several LANs over large distances using the existing Internet infrastructure.
This chapter explains the VPN authentication method, the transport protocols, and how to set up, manage, and monitor VPN service.
It does not include instructions for configuring VPN clients to use your VPN server.

VPN and Security
VPNs ensure the confidentiality and integrity of data through strict identity authentication and encrypted data transport between nodes. The following section contains information about the supported transport and authentication methods.

Transport Protocols
You can enable either or both of the encrypted transport protocols. Each has its own strengths and requirements.

Layer Two Tunnelling Protocol, Secure Internet Protocol (L2TP/IPSec)
L2TP/IPSec uses strong IP Security (IPSec) encryption to tunnel data to and from the network nodes. It is based on Cisco's L2F protocol.
IPSec requires security certificates issued by a certificate authority such as Verisign, or a predefined shared secret between the connecting nodes. The shared secret must be entered on the server and on the client. It is not an authentication password, and it does not generate encryption keys to establish secure tunnels between nodes; it is a token that lets the key management systems trust each other.
L2TP is Mac OS X Server's preferred VPN protocol because of its superior transport encryption and because it can be authenticated using Kerberos.

Point to Point Tunneling Protocol (PPTP)
PPTP is a common VPN protocol and the standard Windows VPN protocol. PPTP provides good encryption (provided strong passwords are used) and supports a number of authentication schemes. It uses the user-supplied password to produce an encryption key.
You can also allow 40-bit (weak) security encryption in addition to the default 128-bit (stronger) encryption if your VPN clients need it. PPTP is necessary if you have older Windows clients or Mac OS X 10.2.x clients.

Authentication Method
Mac OS X Server L2TP VPN uses either Kerberos 5 or Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Mac OS X Server PPTP VPN uses only MS-CHAPv2 for authentication.
Kerberos is a secure authentication protocol that relies on a Kerberos Key Distribution Server as a "trusted third party" to authenticate a client to a server.
MS-CHAPv2 authentication does not require the same authentication infrastructure as Kerberos. It encodes passwords when they are sent over the network and stores them in a scrambled form on the server, which provides good security during network transmission. It is also the standard Windows authentication scheme for VPNs.
Mac OS X Server PPTP VPN can use additional authentication methods. Each has its own strengths and requirements. Choosing a different authentication method for PPTP is not possible using Server Admin. If you want to set up an authentication scheme other than the default (for example, RSA Security's SecurID authentication), you must edit the VPN configuration file manually. The configuration file is located at:
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
For details, see "SecurID Authentication with a VPN Server" on page 122.
Before You Set Up VPN Service
Before you set up VPN (virtual private network) service, you must decide which transport protocol to use. The table below shows which protocols the different platforms support.
If you use L2TP, you must have a security certificate (from a certificate authority or self-signed) or a predefined shared secret between the connecting nodes. If you use a shared secret, it must also be secure (at least 8, but ideally 12 or more alphanumeric characters with punctuation and no spaces) and kept secret by users.
If you use PPTP, you must make sure all your clients support 128-bit PPTP connections for the best transport security. Be aware that enabling 40-bit transport security exposes you to serious security risks.

If you have...                      you can use L2TP/IPSec.   you can use PPTP.
Mac OS X 10.4 and 10.3.x clients    X                         X
Mac OS X 10.2.x clients                                       X
Windows clients                     X (on Windows XP)         X
Linux or Unix clients               X                         X

Setting Up Other Network Services for VPN
Enabling VPN on Mac OS X Server requires detailed control of DHCP. DHCP is configured separately in Server Admin. The IP addresses assigned to VPN clients cannot overlap the addresses assigned to local DHCP clients. To learn more about DHCP, see Chapter 2, "DHCP Service," on page 23.
Enabling VPN also requires configuring the IP firewall. The firewall must be able to pass network traffic from external IP addresses through the firewall to the LAN. This can be done as openly or as restrictively as you judge necessary.
For example, if VPN clients come from a wide range of IP addresses (you have many users, and some connect through several different ISPs), you may need to open the "any" firewall address group to VPN connections. If you want to restrict access to a small range of IP addresses, including static IP addresses, you can create an address group that reflects that smaller range and allow only VPN traffic from that list.

Managing VPN Service
This section describes the tasks associated with managing VPN service. They include starting, stopping, and configuring the service.

Starting or Stopping VPN Service
You use Server Admin to start or stop VPN service.
To start or stop VPN service:
1 In Server Admin, choose VPN service in the Computers & Services list.
2 Make sure at least one transport protocol is enabled and configured.
3 Click Start Service or Stop Service.
When the service is running, the Stop Service button is available.

Enabling and Configuring the L2TP Transport Protocol
Use Server Admin to designate L2TP as the transport protocol. When you enable this protocol, you must also configure the connection settings. You must define an IPSec shared secret (unless you use a signed security certificate), the IP address allocation range to provide to your clients, and the group that receives VPN privileges (if needed).
If both L2TP and PPTP are used, each protocol must have a separate address range, and the ranges cannot overlap.
To enable L2TP:
1 In Server Admin, choose VPN service in the Computers & Services list.
2 Click Settings.
3 Select the L2TP tab.
4 Select "Enable L2TP over IPsec".
5 Set the starting IP address of the allocation range.
6 Set the ending IP address of the allocation range.
7 Choose a PPP authentication type. If your computer is bound to a Kerberos authentication server, choose Kerberos; otherwise, choose MS-CHAPv2.
8 Type the shared secret or select the certificate to use.
9 Click Save.

Enabling and Configuring the PPTP Transport Protocol
Use Server Admin to designate PPTP as the transport protocol. When you enable this protocol, you must also configure the connection settings. You must specify the encryption key length (40-bit in addition to 128-bit), the IP address allocation range to give your clients, and the group that receives VPN privileges (if needed).
If both L2TP and PPTP are used, each protocol must have a separate address range, and the ranges cannot overlap.
To enable PPTP:
1 In Server Admin, choose VPN service in the Computers & Services list.
2 Click Settings.
3 Select the PPTP tab.
4 Select "Enable PPTP".
5 If desired, select "Allow 40-bit encryption keys" to allow these keys to be used in addition to 128-bit keys.
Warning: 40-bit encryption keys are much less secure, but it may be necessary to allow them for some VPN client applications.
6 Set the starting and ending IP addresses of the allocation range.
7 Click Save.

Configuring Additional Network Settings for VPN Clients
When a user connects to your server through VPN service, the user is given an IP address from your allocated range. This range is not served by a DHCP server, so you need to configure additional network settings.
These settings include the network mask, the DNS address, and the search domains.
To configure additional network settings:
1 In Server Admin, choose VPN service in the Computers & Services list.
2 Click Settings.
3 Select the Client Information tab.
4 Enter the IP address of the DNS server.
5 Enter any search domains, if needed.
6 Click Save.

Configuring VPN Network Routing Definitions
Network routing definitions let you choose whether data from VPN clients to an address group is routed through the VPN tunnel ("private") or through the VPN user's own ISP connection ("public"). For example, you can have all traffic destined for the LAN's IP address range pass through the secure tunnel to the LAN, while traffic to other addresses is routed through the user's normal, unsecured Internet connection. This gives you finer control over VPN tunnel traffic.
Important notes about VPN network routing definitions:
• If no routing definitions are added, by default all traffic is routed through the VPN connection.
• Once routing definitions are added, the VPN connection is no longer set as the default route, and traffic to addresses not specifically declared as a private route does not pass through the VPN connection.
• All DNS lookups go through the VPN connection regardless of the routes defined.
• Definitions are not ordered; only the definition that most closely matches the routed packet is applied.

Example
Suppose your LAN's IP addresses are all 17.x.x.x addresses.
If you make no routing definitions, all network traffic from any VPN client (Web browser URL requests, LPR print queue jobs, file server browsing) is routed from the client computer through the VPN tunnel to the 17.x.x.x LAN.
Now you decide that you no longer want to carry all the traffic to websites or file servers that are not on your network. You can define which traffic is sent to the 17.x.x.x network and which goes over the client's normal Internet connection.
To limit the traffic the tunnel carries, enter a routing definition designating traffic to the 17.x.x.x network as private, which sends it through the tunnel. In the routing definition table, enter:
17.0.0.0 255.0.0.0 Private
All traffic to the LAN is now sent over the VPN connection and, by default, all other addresses not in the definitions table are sent over the user's unencrypted Internet connection.
Now you realize there are some IP addresses in the 17.x.x.x range that you do not want accessed over the VPN connection. You want that traffic to go over the user's Internet connection instead of the tunnel. The addresses may be in front of the firewall and not reachable from the 17.x.x.x network. For example, take the addresses in the 17.100.100.x range. Enter an additional routing definition as follows:
17.100.100.0 255.255.255.0 Public
Because this address definition is more specific than 17.x.x.x, this rule takes precedence over the broader, more general rule, and traffic to any address in the 17.100.100.x range is sent over the VPN user's Internet connection.
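The routing decision in this example, as an added illustration that is not part of the guide: the two definitions are applied by most-specific match regardless of their order in the table, an empty table makes the tunnel the default route, a non-empty table leaves unlisted destinations off the tunnel, and DNS lookups always use the tunnel. The function names are my own, not the VPN service's.

```python
from ipaddress import ip_address, ip_network

# The two definitions from the example above, as (base address, netmask, destination).
DEFINITIONS = [
    ("17.0.0.0", "255.0.0.0", "Private"),
    ("17.100.100.0", "255.255.255.0", "Public"),
]


def route_for(destination, definitions, dns_lookup=False):
    """Decide whether a VPN client sends a packet through the tunnel ("Private")
    or over its own Internet connection ("Public"), following the notes above."""
    if dns_lookup:
        return "Private"   # DNS lookups always use the tunnel, whatever the table says
    if not definitions:
        return "Private"   # empty table: the VPN connection is the default route
    dst = ip_address(destination)
    best_net, best_kind = None, "Public"   # with a table present, unlisted traffic stays off the tunnel
    for base, mask, kind in definitions:
        net = ip_network(f"{base}/{mask}", strict=False)
        # table order does not matter: the most specific match (longest prefix) wins
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_kind = net, kind
    return best_kind


def classify(destinations, definitions):
    """Map a batch of destinations to their route, useful for checking a table before saving it."""
    return {d: route_for(d, definitions) for d in destinations}


if __name__ == "__main__":
    for dest, kind in classify(["17.5.5.5", "17.100.100.7", "203.0.113.1"], DEFINITIONS).items():
        print(f"{dest:16} -> {kind}")
```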
In summary, if you add routes, the routes you specify as private go over the VPN connection, while those you declare public do not. Any that are not specified do not go over the VPN connection either.
To create routing definitions:
1 In Server Admin, choose VPN service in the Computers & Services list.
2 Click Settings.
3 Select the Client Information tab.
4 Click the Add button under the routing definitions list.
5 Enter the destination address range of the packets to route by specifying:
a a base address (for example, 192.168.0.0);
b a network mask (for example, 255.255.0.0).
6 Select the routing destination from the pop-up menu.
a Private means route through the VPN tunnel.
b Public means use the normal interface, with no tunnel.
7 Click OK.
8 Click Save.

Limiting VPN Access to Certain Users or Groups
By default, all users on the server or in the master directory have VPN access once it is enabled. You can limit VPN access to certain users for security or to simplify administration. You can also limit VPN access using Mac OS X Server's access control lists.
Access control lists (ACLs) are a method of defining access to services for individual users or groups. For example, you can use an access control list to allow only one user to access a file server or a shell connection, without allowing all users on the server to do so.
To limit VPN access per connection using access control lists:
1 In Server Admin, select the server on which VPN service is running and the user or group that should receive VPN access.
2 Click Access.
3 Deselect "Use same access for all services".
4 Select "Allow only users and groups below".
5 Click the Add (+) button to display the Users & Groups drawer.
6 Drag the desired user or group into the access list.
7 Click Save.

Limiting VPN Access to Certain Incoming IP Addresses
By default, the IP firewall blocks all incoming VPN connections. You can limit VPN access to certain addresses for security or to simplify administration. You can also limit VPN access by configuring Mac OS X Server's IP firewall.
To limit VPN access by IP address:
1 In Server Admin, choose Firewall in the Computers & Services list.
2 Click Settings.
3 Select the Advanced Rules tab.
4 Click the Add (+) button.
5 Select "Allow" access in the Action pop-up menu.
6 Choose a protocol in the Protocol pop-up menu. If you chose L2TP for VPN access, choose UDP. If you chose PPTP for VPN access, choose TCP.
7 Choose a VPN service type in the pop-up menu: L2TP or PPTP. The appropriate destination port is added automatically.
8 If desired, choose to log the packets that match this filter rule.
9 Enter the source IP address range (in CIDR notation) that you want to give VPN access, and leave Other selected in the pop-up menu. These are the IP addresses that can connect to VPN service.
10 In the pop-up menu, choose the address group that has the VPN server as the destination of the filtered traffic.
If you do not want to use an existing address group, enter the destination IP address range (in CIDR notation).
11 Choose the "In" network interface to apply this rule to. "In" refers to the designated WAN interface.
12 Click OK.
13 Click Save to apply the filter immediately.

Additional Configuration Instructions
The following section contains instructions for a few additional optional scenarios. They require integration with an existing directory service system or with third-party authentication services.

Enabling PPTP VPN Access for Users in an LDAP Domain
In Mac OS X 10.4, you can use a command-line tool to enable PPTP VPN connections for users in an LDAP domain. This resolves the situation in which users can establish a PPTP VPN connection to a Mac OS X Server computer but, once the connection is established, no network traffic passes over it. This applies to Mac OS X Server 10.3 and 10.4.
1 Run the /usr/sbin/vpnaddkeyagentuser tool as root, with the name of the LDAP node (the directory the users are in) as its argument.
For example, if the server running VPN service is also the LDAP master, type the following command in Terminal:
sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/127.0.0.1
If the server running VPN service is not the LDAP master and the LDAP directory is on another computer, use the IP address of the LDAP server in the command. For example, if the LDAP server is at 17.221.67.87, type the following command in Terminal:
sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/17.221.67.87
2 The tool prompts you for a user name and password.
a If the VPN server is the LDAP master, type the server administrator's name and password.
b If the LDAP directory is on another server, type the name and password of the administrator of the server hosting the LDAP directory (or the name and password of the administrator used to add users to the LDAP directory in Workgroup Manager).
The tool adds a user to the LDAP directory and sets up additional configuration items in the VPN server so that it supports PPTP.
3 Configure PPTP in the Settings pane of VPN service in Server Admin.
4 Start VPN service.

SecurID Authentication with a VPN Server
RSA Security provides strong authentication through its product line, using hardware and software tokens to verify user identities. SecurID authentication is available for both L2TP and PPTP transports. For details and product offerings, see:
www.rsasecurity.com
Mac OS X Server VPN service supports SecurID authentication, but it cannot be configured using the Server Admin application. You can use Server Admin to configure standard VPN services, but Server Admin has no interface for choosing an authentication method. If you need to designate an authentication scheme other than the default (RSA Security's SecurID, for example), you must edit the VPN configuration manually.

Configuring for SecurID
1 To configure RSA Security's SecurID authentication, first copy the sdconf.rec file from your SecurID server into a new directory named /var/ace on your Mac OS X Server computer. There are several ways to do this. The following steps illustrate one method:
a On your server, open Terminal (/Applications/Utilities/).
b Type sudo mkdir /var/ace, then press Return.
c Tapez votre mot de passe d’administrateur, puis appuyez sur Retour. d Cliquez sur l’icône du Finder dans le Dock. e Dans le menu Aller, choisissez Aller au dossier. f Tapez : /var/ace g Cliquer sur Aller. h Copiez le fichier sdconf.rec de votre serveur SecurID dans le dossier “ace”. i Une zone de dialogue indiquant que le dossier “ace” ne peut pas être modifié apparaît. Cliquez sur le bouton Authentifier pour autoriser la copie. 2 Configurez ensuite le service VPN sur votre serveur Mac OS X Server pour activer l’authentification EAP-SecurID pour les protocoles avec lesquels vous souhaitez l’utiliser. Pour l’utiliser avec PPTP, exécutez les deux commandes suivantes dans Terminal (chacune ne fait qu’une ligne) : # sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index : 0 = "EAP-RSA" # sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP" Pour l’utiliser avec L2TP, exécutez les deux commandes suivantes dans Terminal : # sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index : 0 = "EAP-RSA" # sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP" C’est tout ce qu’il faut faire pour configurer SecurID. Le reste de la configuration du service VPN de Mac OS X Server peut se faire à l’aide de l’application Admin Serveur.124 Chapitre 6 Service VPN Contrôle du service VPN Cette section décrit les tâches associées au contrôle d’un service VPN en cours de fonctionnement. Cela comprend l’accès aux rapports d’état, le réglage des options de consignation, l’affichage des historiques et le contrôle des connexions. Affichage de la vue d’ensemble de l’état du VPN La vue d’ensemble VPN vous fournit un bref rapport d’état sur vos services VPN actifs. Elle vous indique le nombre de clients L2TP et PPTP connectés, la méthode d’authentification sélectionnée et l’heure de démarrage du service. 
To view the overview:
1 In Server Admin, choose the VPN service in the Computers & Services list.
2 Click the Overview button.

Setting the VPN service log detail level
You can choose the level of detail of the VPN service log.
• Nonverbose logging records only the cases that require immediate action (for example, if the VPN service fails to start).
• Verbose logging records all VPN service activity, including routine functions.
Nonverbose logging is enabled by default.
To set the VPN log detail level:
1 In Server Admin, choose the VPN service in the Computers & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Select Verbose to enable verbose logging, if you want it.
5 Click Save.

Viewing the VPN log
You will need to monitor the VPN logs to make sure your virtual private network is working properly. The VPN logs can help you troubleshoot problems. The log displays the contents of the file /var/log/ppp/vpnd.log. You can further narrow the entries shown with the text filter field.
To view the log:
1 In Server Admin, choose the VPN service in the Computers & Services list.
2 Click Logs.

Viewing VPN client connections
You can monitor VPN client connections to ensure secure access to the virtual private network (VPN). The client connections screen lets you see which user is connected, the IP address the user connected from, the IP address assigned by your network, and the type and duration of the connection. You can sort the list by clicking the column headers.
To view client connections:
1 In Server Admin, choose the VPN service in the Computers & Services list.
2 Click Connections.

Common network administration tasks that use VPN
The following section describes some common network administration tasks that use the VPN service.

Linking a computer on a local network to a remote network
VPN lets you link a computer to a remote network and access it as if it were physically connected to that local network. This example uses the following information:
• The user can authenticate with a name and password.
• Desired VPN type: L2TP
• Shared secret: prDwkj49fd!254
• Internet or public IP address of the VPN gateway: passerelle.exemple.com
• IP address range and netmask of the private network: 192.168.0.0-192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
• DHCP start and end addresses: 192.168.0.3–192.168.0.127
• DNS IP address of the private network: 192.168.0.2
The result of this configuration is a VPN client that can connect to a remote local network via L2TP with full access to that network.

Step 1: Configure the VPN
1 In Server Admin, choose the VPN service in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select L2TP.
5 Type the shared secret (prDwkj49fd!254).
The shared secret is a common password that authenticates the members of the cluster. IPSec uses the shared secret as a preshared key to establish secure tunnels between the nodes of the cluster.
6 Set the first IP address of the VPN allocation range. It must not overlap the DHCP allocation range, so type 192.168.0.128
7 Set the last IP address of the VPN allocation range.
It must not overlap the DHCP allocation range, so type 192.168.0.255
8 Leave the group field empty so that all workgroups have access to the VPN connection.
9 Click Save.
10 Select the Client Information tab.
11 Enter the IP address of the local network's DNS server (192.168.0.2).
12 Leave the routing definitions empty. All traffic from the client will pass through the VPN tunnel.
13 Click Save.
14 Start the VPN service.

Step 2: Configure the IP firewall
1 Create an address group for the VPN allocation range. For details, see "Creating an address group" on page 74.
2 Open the firewall to external VPN connections by enabling L2TP connections in the "any" address group. For details, see "Opening the firewall for standard services" on page 76.
3 Configure the firewall for the VPN address group, allowing or denying ports and services as you wish.
4 Save your changes, then start or restart the firewall.

Step 3: Configure the client
The client in this example is a Mac OS X client using Internet Connect.
1 Open Internet Connect.
2 Choose File > New VPN Connection.
3 Select L2TP over IPSec.
4 Choose "Edit Configurations" from the Configuration pop-up menu.
5 Enter the following configuration information:
a Server name: passerelle.exemple.com
b Account name:
c Authentication: use Password
d Shared secret: prDwkj49fd!254
6 Click OK.
The user can now connect.

Accessing a computing asset behind the remote network's firewall
Accessing a computing asset behind a firewall is not the same as allowing a client to become a node on the remote network.
In the previous example, the VPN user's computer becomes a full participant in the remote local network. In this new scenario, the asset to be accessed is only a file server, and the VPN user's computer has no other contact with the remote local network.
This scenario takes all the information from the section "Linking a computer on a local network to a remote network" on page 125 and adds the following:
• File server IP address: 192.168.0.15
• File server type: Apple file sharing
For this scenario, follow all the instructions in the section "Linking a computer on a local network to a remote network" on page 125, except for the following:
• In step 1, part 12, do not leave the routing definitions empty. Create a private route with the IP number of the file server (192.168.0.15 255.255.255.255)
• In step 2, part 3, configure the firewall to accept only Apple File Sharing Protocol and DNS connections from the VPN address group.
VPN users now connected through the VPN gateway will have access to the file server, while no other network traffic will pass through the encrypted gateway.

Linking two or more remote network sites
VPN lets you link not only a computer but also a second network to a main network. This lets the two networks interact as if they were physically connected to each other. Each site must have its own Internet connection, but private data travels between the two sites in encrypted form. This feature is often used to link satellite offices to the local network of an organization's headquarters.

About the site-to-site VPN administration tool
To link several remote local networks to a main local network, you use a command-line utility installed on Mac OS X Server called s2svpnadmin (for "site-to-site VPN admin"). To use s2svpnadmin, you need Terminal, familiarity with it, and administrative access to root privileges through sudo. To learn more about s2svpnadmin, see its man page by typing:
man s2svpnadmin
To link several remote local networks to a main local network, you also need to create a security certificate. The s2svpnadmin tool can create links using either shared-secret authentication (both sites have a password in their configuration file) or certificate authentication. To use certificate authentication, you must create the certificate before running s2svpnadmin.
Site-to-site VPN connections can only be made with L2TP/IPSec VPN connections. You cannot link two sites with PPTP and these instructions.
This example uses the following information:
• Desired VPN type: L2TP
• Shared-secret authentication.
• Shared secret: prDwkj49fd!254
• Internet or public IP address of the main local network's VPN gateway ("Site 1"): A.B.C.D
• Internet or public IP address of the remote local network's VPN gateway ("Site 2"): W.X.Y.Z
• Site 1 private IP address: 192.168.0.1
• Site 2 private IP address: 192.168.20.1
• IP address range and netmask of Site 1's private local network: 192.168.0.0-192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.0.0)
• IP address range and netmask of Site 2's private local network: 192.168.20.0-192.168.20.255 (also expressed as 192.168.20.0/16 or 192.168.0.0:255.255.0.0)
• Organization DNS IP address: 192.168.0.2
The result of this configuration is an auxiliary remote local network connected to a main local network by L2TP.

Step 1: Run s2svpnadmin on both sites' gateways
1 In Terminal, start s2svpnadmin by typing:
sudo s2svpnadmin
2 Type the appropriate number for "Configure a new site-to-site server".
3 Type a name identifying the configuration (no spaces). In our example, type "site_1" on the Site 1 gateway, and so on.
4 Type the gateway's public IP address. In our example, type A.B.C.D on the Site 1 gateway and W.X.Y.Z on the Site 2 gateway.
5 Type the other site's public IP address. In our example, type W.X.Y.Z on the Site 1 gateway and A.B.C.D on the Site 2 gateway.
6 Type "s" for shared-secret authentication, then type the shared secret ("prDwkj49fd!254"). If you are using certificate authentication, type "c", then choose the installed certificate to use.
7 Enter at least one addressing policy for the configuration.
8 Enter a local subnet address (for example, 192.168.0.0 for Site 1 and 192.168.20.0 for Site 2).
9 Enter the prefix bits for the address range in CIDR notation. In our example, the CIDR notation for the subnet range is 192.168.2.0/16 for Site 1, so enter "16."
10 Enter a remote subnet address (for example, 192.168.20.0 for Site 1 and 192.168.0.0 for Site 2).
11 Enter the prefix bits for the address range in CIDR notation. In our example, the CIDR notation for the subnet range is 192.168.2.0/16 for Site 1, so enter "16."
12 To create more policies, say so now; otherwise, press Return.
If you have other sites to connect or a more complex address configuration (for example, if you want to link only certain parts of your main local network to the remote local network), create the other policies for this configuration now. Repeat the preceding policy steps for each new policy.
13 Enable the site configuration by pressing "y".
You can verify your settings by displaying the server configuration details, then entering the configuration name (in our example, "site_1").
14 Quit s2svpnadmin.

Step 2: Configure the firewall on both sites' gateways
1 Create an address group containing only the public IP address of the local network's gateway. In our example, use A.B.C.D/32 for Site 1 and W.X.Y.Z/32 for Site 2. For details, see "Creating an address group" on page 74.
2 Open the firewall to external VPN connections by enabling L2TP connections in the "any" address group. For details, see "Opening the firewall for standard services" on page 76.
3 Create the following advanced IP filter rules on both sites' gateways:
Rule 1
Action: Allow
Protocol: UDP
Source address: A.B.C.D
Destination address: W.X.Y.Z
Interface: Other, type "isakmp"
Rule 2
Action: Allow
Protocol: UDP
Source address: W.X.Y.Z
Destination address: A.B.C.D
Interface: Other, type "isakmp"
Rule 3
Action: Allow
Protocol: Other, type "esp"
Source address: A.B.C.D
Destination address: W.X.Y.Z
Rule 4
Action: Allow
Protocol: Other, type "esp"
Source address: W.X.Y.Z
Destination address: A.B.C.D
Rule 5
Action: Allow
Protocol: Other, type "ipencap"
Source address: A.B.C.D
Destination address: W.X.Y.Z
Rule 6
Action: Allow
Protocol: Other, type "ipencap"
Source address: W.X.Y.Z
Destination address: A.B.C.D
To learn more about creating advanced rules, see "Creating an advanced IP firewall rule" on page 78.
4 These rules let the encrypted traffic pass between the two hosts.
5 Save your changes and start or restart the firewall.

Step 3: Start the VPN service on both sites' gateways
1 On both VPN gateways, in Server Admin, choose VPN Service in the Computers & Services list. If you used s2svpnadmin correctly, the Start Service button should be enabled and ready to use.
2 Click Start Service.
You should now be able to reach a computer on the remote local network from the local network. You can use ping or any other means to verify the link.

More information
For more information about the L2TP/IPSec protocol:
The IETF (Internet Engineering Task Force) is working on formal standards for the L2TP/IPsec user authentication system.
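As an added example (not from the Apple guide), the following Python derives the six rules of Step 2 above from the two gateways' public addresses, reports which ones a proposed rule list still lacks, and renders each missing rule in ipfw syntax for review. It assumes that "isakmp" is the /etc/services name for UDP port 500, that "esp" and "ipencap" are the /etc/protocols names for IP protocols 50 and 4, and that the IP firewall service programs ipfw; 203.0.113.10 and 198.51.100.20 are constructed documentation addresses standing in for A.B.C.D and W.X.Y.Z.

```python
"""Site-to-site IPsec firewall policy check (added example, not from the Apple guide).

The six advanced rules in Step 2 let ISAKMP, ESP and IP-in-IP ("ipencap")
traffic pass in both directions between the two gateways' public addresses.
This derives that required set from the two addresses, reports what a proposed
rule list lacks, and renders the gaps as ipfw commands so a change can be
reviewed before the firewall is restarted.

Assumptions (not stated in the guide): "isakmp" is the /etc/services name for
UDP port 500, "esp" and "ipencap" are the /etc/protocols names for IP
protocols 50 and 4, and the IP firewall service programs ipfw.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence

ISAKMP_PORT = 500                                  # "isakmp" in /etc/services
IP_PROTO = {"esp": 50, "ipencap": 4, "udp": 17}    # /etc/protocols numbers


@dataclass(frozen=True)
class Rule:
    """One advanced IP filter rule as entered in Server Admin."""
    action: str                 # "allow" or "deny"
    proto: str                  # "udp", "esp" or "ipencap"
    src: str                    # source address (host or CIDR)
    dst: str                    # destination address
    port: Optional[int] = None  # destination port; only meaningful for udp/tcp


def required_site_to_site_rules(site1: str, site2: str) -> FrozenSet[Rule]:
    """Rules 1-6 of Step 2 for one pair of gateway public addresses."""
    rules = set()
    for a, b in ((site1, site2), (site2, site1)):
        rules.add(Rule("allow", "udp", a, b, ISAKMP_PORT))  # rules 1 and 2: IKE negotiation
        rules.add(Rule("allow", "esp", a, b))               # rules 3 and 4: encrypted payload
        rules.add(Rule("allow", "ipencap", a, b))           # rules 5 and 6: IP-in-IP tunnel
    return frozenset(rules)


def missing_rules(proposed: Sequence[Rule], site1: str, site2: str) -> List[Rule]:
    """Required rules absent from the proposed list; a deny rule does not count as present."""
    present = {r for r in proposed if r.action == "allow"}
    gaps = required_site_to_site_rules(site1, site2) - present
    return sorted(gaps, key=lambda r: (r.proto, r.src, r.dst))


def to_ipfw(rule: Rule, number: int) -> str:
    """Render a rule as an ipfw command; a port, if any, follows the destination address."""
    if rule.proto not in IP_PROTO:
        raise ValueError(f"unknown protocol {rule.proto!r}")
    line = f"ipfw add {number} {rule.action} {rule.proto} from {rule.src} to {rule.dst}"
    if rule.port is not None:
        line += f" {rule.port}"
    return line


def review(proposed: Sequence[Rule], site1: str, site2: str) -> List[str]:
    """The ipfw lines that would still have to be added, numbered from 1000 in steps of 10."""
    gaps = missing_rules(proposed, site1, site2)
    return [to_ipfw(r, 1000 + 10 * i) for i, r in enumerate(gaps)]


if __name__ == "__main__":
    # Constructed documentation addresses standing in for A.B.C.D and W.X.Y.Z.
    site1, site2 = "203.0.113.10", "198.51.100.20"
    # A proposed rule set that forgot the return-direction ESP rule (rule 4).
    proposed = [r for r in required_site_to_site_rules(site1, site2)
                if not (r.proto == "esp" and r.src == site2)]
    for line in review(proposed, site1, site2):
        print("missing:", line)
```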
For more information, see the following website: www.ietf.org/ids.by.wg/ipsec.html.
RFC documents
RFC (Request for Comments) documents provide an overview of a protocol or service and describe in detail how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in the RFCs. If you are an experienced server administrator, you will find all the technical details about a particular protocol in the corresponding RFC. You can look up RFC documents by number at www.ietf.org/rfc.html.
• For a description of the L2TP protocol, see RFC 2661.
• For a description of the PPTP protocol, see RFC 2637.
• For Kerberos 5, see RFC 1510.

7 NTP Service
The Network Time Protocol (NTP) is a network protocol used to synchronize the clocks of the computers on your network with the time of a reference clock. NTP is used to ensure that all the computers on the network show the same time.
If an isolated network, or even a single computer, runs with the wrong time, services that use timestamps (such as the mail service, or a web service using timestamped cookies) will send wrong dates and times and will therefore be out of sync with the other computers on the Internet. For example, an email message could arrive several minutes or years before it was sent (according to its timestamp), and the reply to that message could arrive before the original was sent.

How the NTP service works
NTP uses Coordinated Universal Time (UTC) as its reference time. Universal time is based on atomic resonance, which is why clocks that keep universal time are often called "atomic clocks".
Authoritative NTP servers across the Internet (called stratum 1 time servers) keep the current UTC time. Other, subordinate servers (called stratum 2 and 3 time servers) regularly query the stratum 1 servers and estimate the time it took to send and receive the query. They then combine this estimate with the result of the query to synchronize the time of the stratum 2 and 3 time servers. The estimates are accurate to the nanosecond. Your local network can then synchronize its clock with the stratum 3 servers, and the process repeats in the same way. An NTP client computer on your network takes the UTC time as its reference, converts it to local time according to its own time zone settings, and sets its internal clock accordingly.

Using the NTP service on your network
Mac OS X Server can act not only as an NTP client, receiving the official time from a time server on the Internet, but also as a reference time server for a network. Your local clients can query your server to synchronize their clocks. If you set your server to answer time queries, it is advisable to also configure it to synchronize with a reference server on the Internet.

Configuring the NTP service
If you choose to run the NTP service on your network, make sure your designated server can reach a higher reference time server. Apple provides a stratum 2 time server for its customers at time.apple.com. In addition, you must make sure your firewall allows NTP queries to a reference time server on UDP port 123, as well as incoming queries from local clients on the same port.
For more information about configuring your firewall, see Chapter 4, "IP Firewall Service," on page 65.
To configure the NTP service:
1 Open Server Admin.
2 Make sure your server is configured to "Set date and time automatically". This setting is made in the Date & Time pane of the Server Admin settings pane for the server.
3 Select the server you want to use as the time server.
4 Click Settings.
5 Select the General tab.
6 Select Enable NTP.
7 Click Save.

Configuring NTP on clients
If you have set up a local time server, you can configure your clients to query that time server for the network date and time. By default, clients can synchronize with the Apple time server. These instructions let you configure your client computers to query your time server.
To configure the NTP service on your client computers:
1 Open System Preferences.
2 Click Date & Time.
3 Select "Set date and time automatically".
4 Select and delete the text in the field instead of using the pop-up menu.
5 Enter the host name of your time server. The host name can be a domain name (such as "temps.exemple.com") or an IP address.
6 Quit System Preferences.

More information
You can find the working group, documentation, and an FAQ about the NTP service at the following website: www.ntp.org
You can find lists of publicly accessible NTP servers and their usage policies at the following website: www.eecis.udel.edu/~mills/ntp/servers.html
RFC documents
RFC (Request for Comments) documents provide an overview of a protocol or service and describe in detail how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in the RFCs. If you are an experienced server administrator, you will find all the technical details about a particular protocol in the corresponding RFC. You can look up RFC documents by number at: www.ietf.org/rfc.html
The official specification of NTP version 3 is in RFC 1305.

8 Virtual Local Area Network Support
Understanding virtual local area networks
Mac OS X Server supports 802.1q virtual local area networks (VLANs) on the Ethernet ports and on the secondary Gigabit Ethernet PCI cards available as options for, or shipped with, Xserve servers. VLANs let several computers on different physical local networks communicate with one another as if they were on the same local network. Their advantages include more efficient use of network bandwidth and better security, because broadcast or multicast traffic is sent only to the computers on the common network segment. VLAN support on Xserve G5 servers conforms to the IEEE 802.1q standard.
Configuring client membership in a VLAN
You can use the VLAN area of the Network pane of System Preferences to configure and manage VLANs. It is important to make sure that ports to which non-VLAN devices (that is, devices not conforming to the 802.1Q standard) are connected are configured to transmit untagged frames. Many Ethernet cards do not conform to 802.1Q. If they receive a tagged frame, they do not understand the VLAN tag and drop the frame.
Note: this part of the Network pane is visible only if your hardware, such as an Xserve G5 system, supports this feature.
To configure a VLAN:
1 Log in to your server as an administrator.
2 Open the Network pane of System Preferences.
3 Choose "Network Port Configurations" from the Show pop-up menu.
4 Click the VLAN button.
5 Select the Ethernet port you want to use for the VLAN.
6 Click Create VLAN.
7 Type the name of the VLAN, type a tag (a number between 1 and 4094) in the Tag field, then click OK.
The VLAN tag is the VLAN identifier (VLAN ID or VID). Each logical network has a unique VID. Interfaces configured with the same VID are on the same virtual network.
8 To use the VLAN, select it in the list of network port configurations, then click Apply.

More information
To learn more about VLANs on the Internet: www.ieee.org
The VLAN standard is defined by the IEEE.
Reference document
Reference documents contain an overview of a protocol and details on how the protocol should behave. If you are a novice server administrator, you will probably find some useful information in the reference documents. If you are an experienced server administrator, you will find technical details about a particular protocol in the corresponding reference document. It is available at: standards.ieee.org/getieee802/download/802.1Q-1998.pdf

9 IPv6 Support
IPv6 stands for "Internet Protocol Version 6". IPv6 is the next-generation Internet protocol designed to replace the current Internet protocol, IP Version 4 (IPv4, or simply IP).
The current Internet protocol is beginning to run into problems related to the growth and popularity of the Internet. The main problems with IPv4 are:
• The limits of IP addressing. IPv4 addresses are 32 bits long, which means there can be only 4,300,000,000 network addresses.
• The growing burden of configuration and routing. As the number of computers connected to the Internet increases, the network load, memory, and time needed to route IPv4 information grow rapidly.
• End-to-end communication is routinely bypassed. This is really a consequence of the IPv4 addressing problem. As the number of computers grew and the address shortage became more acute, another addressing and routing service had to be developed: Network Address Translation (NAT). NAT acts as an intermediary between the two ends of the network and separates them. This is restrictive, however, and hinders a number of network services.
IPv6 solves some of these problems and reduces others. It improves routing and automatic network configuration. It increases the number of network addresses to more than 3 x 10^38 and removes the need for NAT.
IPv6 is expected to gradually replace IPv4 over the coming years, with the two protocols coexisting during the transition. This chapter lists the IPv6-enabled services used by Mac OS X Server, gives guidelines for using IPv6 addresses in those services, and explains IPv6 address types and their notation.

IPv6-enabled services
The following Mac OS X Server services support IPv6 for addressing:
• DNS (BIND)
• IP firewall service
• Mail (POP/IMAP/SMTP)
• SMB/CIFS
• Web (Apache 2)
In addition, some command-line tools installed in Mac OS X Server support IPv6 (for example, ping6 and traceroute6).

IPv6 addresses in Server Admin
The services above do not support IPv6 addresses in the user interface. They can be configured with command-line tools to add IPv6 addresses, but those addresses have no effect if entered in the address fields of Server Admin.

IPv6 addresses
IPv6 addresses differ from IPv4 addresses. Besides the change to the addresses themselves, the address notation, the reserved addresses, the addressing model, and the address types also change.

Notation
Whereas IPv4 addresses are 4 bytes long and written in decimal, IPv6 addresses are 16 bytes long and can be written in several ways. IPv6 addresses are generally written as follows:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
IPv6 byte groups are separated by colons, and each byte is represented by a pair of hexadecimal digits, as in the following example:
E3C5:0000:0000:0000:0000:4AC8:C0A8:6420
or
E3C5:0:0:0:0:4AC8:C0A8:6420
IPv6 addresses often contain several zero-valued bytes, so an abbreviated notation is allowed.
This abbreviated notation lets you omit the zeros and replace them with a double colon, as follows:
E3C5::4AC8:C0A8:6420
The last kind of notation embeds IPv4 addresses. Since many IPv6 addresses are extensions of IPv4 addresses, the rightmost 4 bytes of the IPv6 address (the 2 rightmost pairs of 2 bytes) can be rewritten in IPv4 notation. This mixed notation (based on the example above) could be written as follows:
E3C5:4AC8:192.168.100.32

IPv6 reserved addresses
IPv6 reserves two addresses that network nodes cannot use for their own communication:
0:0:0:0:0:0:0:0 (unspecified address, internal to the protocol)
0:0:0:0:0:0:0:1 (loopback address, like 127.0.0.1 in IPv4)

IPv6 addressing model
IPv6 addresses are assigned to interfaces (your Ethernet card, for example) and not to nodes (your computer, for example). Several IPv6 addresses can be assigned to a single interface. In addition, a single IPv6 address can be assigned to several interfaces for load sharing. Finally, routers do not need an IPv6 address, which avoids having to configure them for point-to-point unicasts. IPv6 also does not use IPv4 address classes.

IPv6 address types
IPv6 supports the following three IP address types:
• Unicast (one-to-one communication)
• Multicast (one-to-many communication)
• Anycast
Note that IPv6 no longer supports broadcast addresses. Multicast has been favored for network broadcasts. Otherwise, unicast and multicast addresses in IPv6 are the same as in IPv4. In IPv6, multicast addresses begin with "FF" (255).
Anycast is a variant of multicast.
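As an added example (not from the Apple guide), the following Python implements the notations described above for the guide's sample address E3C5:0:0:0:0:4AC8:C0A8:6420 and the two reserved addresses: full form, "::" compression, the mixed form with an embedded IPv4 address, and a classifier for the unspecified, loopback and FF-prefixed multicast addresses. It is a hand-written parser so that each rule is visible; it goes slightly beyond the page by also rejecting malformed input (two "::", a "::" standing for no group, an IPv4 part that is not the last 32 bits).

```python
"""IPv6 notation helpers (added example, not from the Apple guide).

Implements the notations described above: the full eight-group hexadecimal
form, suppression of leading zeros, "::" compression of the longest run of
zero groups, the mixed form with the last 32 bits as dotted-decimal IPv4, and
classification of the two reserved addresses and the FF-prefixed multicast
block.  Sample inputs are the guide's E3C5... address and the reserved
addresses; nothing touches the network.
"""
from typing import List

_HEX = set("0123456789abcdefABCDEF")


def _groups_of(parts: List[str], ipv4_allowed: bool) -> List[int]:
    """Turn colon-separated text parts into 16-bit groups.

    A dotted quad may appear only as the final part, and only in the segment
    that ends the address (ipv4_allowed is False for the text before '::')."""
    groups: List[int] = []
    for i, p in enumerate(parts):
        if "." in p:
            if not (ipv4_allowed and i == len(parts) - 1):
                raise ValueError("an embedded IPv4 address must be the last 32 bits")
            octets = [int(o) for o in p.split(".")]
            if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
                raise ValueError(f"bad IPv4 part {p!r}")
            groups += [(octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]]
        elif 1 <= len(p) <= 4 and set(p) <= _HEX:
            groups.append(int(p, 16))
        else:
            raise ValueError(f"bad group {p!r}")
    return groups


def parse_ipv6(text: str) -> List[int]:
    """Parse full, abbreviated or mixed notation into eight 16-bit groups."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    head, sep, tail = text.partition("::")
    head_parts = head.split(":") if head else []
    tail_parts = tail.split(":") if tail else []
    if sep:
        h = _groups_of(head_parts, False)
        t = _groups_of(tail_parts, True)
        pad = 8 - len(h) - len(t)          # number of zero groups '::' stands for
        if pad < 1:
            raise ValueError("'::' must stand for at least one zero group")
        return h + [0] * pad + t
    groups = _groups_of(head_parts, True)
    if len(groups) != 8:
        raise ValueError("an address without '::' needs exactly eight groups")
    return groups


def expand(groups: List[int]) -> str:
    """Full notation: eight groups of four hexadecimal digits."""
    return ":".join(f"{g:04X}" for g in groups)


def compress(groups: List[int]) -> str:
    """Drop leading zeros and replace the longest run of two or more zero groups
    with '::'.  Works on any number of groups so mixed() can reuse it."""
    n, best_start, best_len, i = len(groups), -1, 0, 0
    while i < n:
        if groups[i] == 0:
            j = i
            while j < n and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{g:X}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def mixed(groups: List[int]) -> str:
    """Mixed notation: the first 96 bits compressed, the last 32 bits as IPv4."""
    head = compress(groups[:6])
    v4 = ".".join(str(b) for g in groups[6:] for b in (g >> 8, g & 0xFF))
    return head + v4 if head.endswith("::") else head + ":" + v4


def classify(groups: List[int]) -> str:
    """unspecified, loopback, multicast (FF00::/8) or unicast.

    Anycast addresses come from the unicast space and cannot be told apart
    by syntax, so they report as unicast here."""
    if all(g == 0 for g in groups):
        return "unspecified"
    if groups[:7] == [0] * 7 and groups[7] == 1:
        return "loopback"
    if groups[0] >> 8 == 0xFF:
        return "multicast"
    return "unicast"
```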
Tandis que les adresses multicast distribuent les messages à tous les nœuds du groupe multicast, les adresses anycast ne les distribuent qu’à un seul nœud du groupe.142 Chapitre 9 Gestion IPv6 Autres sources d’informations Le site Web du groupe de travail sur le protocole IPv6 (Internet Protocol Version 6) se trouve à l’adresse : www.ipv6.org Un groupe de passionnés d’IPv6 tient à jour la liste des applications compatibles IPv6 sur le site Web : www.ipv6forum.com/navbar/links/v6apps.htm Les documents RFC Les documents RFC (Request for Comments) offrent un aperçu d’un protocole ou service et présentent de manière détaillée comment le protocole doit se comporter. Si vous êtes administrateur serveur débutant, vous trouverez probablement certaines informations utiles dans les RFC. Si vous êtes administrateur serveur expérimenté, vous trouverez tous les détails techniques sur un protocole particulier dans le document RFC correspondant. Vous pouvez rechercher des documents RFC par numéro sur le site : www.ietf.org/rfc.html Il existe plus de 29 documents RFC relatifs à IPv6. Vous en trouverez une liste à l’adresse : www.ipv6.org/specs.html 143 Glossaire Glossaire Ce glossaire définit les termes et explique les abréviations que vous pouvez rencontrer en utilisant l’aide en ligne ou en lisant le manuel Mac OS X Server Administration des services réseau pour version 10.3 ou ultérieur. Les références à des termes définis ailleurs dans ce glossaire apparaissent en italiques. ACL Access Control List ou liste de contrôle d’accès. Liste maintenue par un système qui définit les droits des utilisateurs et des groupes pour accéder aux ressources qui se trouvent sur le système. administrateur de liste Administrateur de liste de diffusion. Les administrateurs de liste peuvent ajouter et supprimer des abonnés d’une liste de diffusion et désigner d’autres administrateurs de liste. 
List administrators are not necessarily local computer administrators or domain administrators.
address: A number or other identifier that uniquely identifies a computer on a network, a block of data stored on a disk, or a location in a computer's memory. See also IP address, MAC address.
IP address: A unique numeric address that identifies a computer on the Internet.
dynamic IP address: An IP address assigned for a limited period of time or until the client computer no longer needs it.
static IP address: An IP address assigned permanently to a computer or device.
MAC address: Media Access Control address. A hardware address that uniquely identifies each node on a network. For AirPort devices, the MAC address is called the AirPort ID.
flood attack: Also called a denial of service attack. An Internet attack that uses thousands of network pings to prevent legitimate use of a server.
permissions: Settings that determine the kind of access users have to shared items in a file system. You can assign four types of permissions to a share point, folder, or file: read/write, read-only, write-only, and none (no access). See also privilege.
certificate authority: An authority that issues and manages digital certificates to ensure the secure transmission of data over a public network. See also public key infrastructure and certificate.
hacker: A person who enjoys programming and explores ways to program new features and extend the capabilities of a computer system. See also cracker.
bit: The basic unit of information, with a value of either 0 or 1.
character: Synonym for byte.
wildcard: A range of possible values for any segment of an IP address.
network interface card: See NIC.
certificate: Sometimes also called an "identity certificate" or "public key certificate". A file in a special format (Mac OS X Server uses the x.509 format) that contains the public key half of a public-private key pair, information about the user's identity such as name and contact information, and the digital signature of either a certificate authority (CA) or the key user.
Challenge Handshake Authentication Protocol: See CHAP.
CHAP: Challenge Handshake Authentication Protocol. A common authentication protocol. See also MS-CHAP.
search path: See search policy.
access control: A method of controlling which computers can access a network or network services.
media access control: See MAC address.
firewall: Software that protects the network applications running on your server. The IP firewall service, included in the Mac OS X Server software, examines incoming IP packets and rejects or accepts them based on a set of filters you create.
encryption: The process of scrambling data so that it cannot be read. Encryption is generally used for secrecy and to keep communications confidential. See also decryption.
lease period: The limited period of time during which IP addresses are assigned. By using short leases, DHCP can reassign IP addresses on networks that have more computers than available IP addresses.
DHCP lease period: See lease period.
DHCP: Dynamic Host Configuration Protocol. A protocol used to distribute IP addresses dynamically to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and requests an IP address from the DHCP server it finds.
The server looks for an available IP address and sends it to the client computer along with a lease period: the length of time the client computer is allowed to use the address.
broadcast: In general networking, the transmission of a message or data that any client on the network can read. Broadcast is distinguished from unicast (sending a message to a specific computer) and multicast (sending a message to a selected set of computers). In QuickTime Streaming Server, the transmission of one copy of a stream over the whole network.
multicast DNS: A protocol developed by Apple for the automatic discovery of computers, devices, and services on IP networks. This proposed Internet standard protocol is sometimes also called "ZeroConf". For more information, visit www.apple.com or www.zeroconf.org. To see how this protocol is used in Mac OS X Server, see local hostname.
Domain Name System: See DNS.
DNS domain: The unique name of a computer, used in the Domain Name System (DNS) to convert between IP addresses and names. Also called domain name.
local domain: A directory domain that can be accessed only from the computer on which it resides.
time-to-live: See TTL.
Dynamic Host Configuration Protocol: See DHCP.
EAP: Extensible Authentication Protocol. An authentication protocol that supports multiple authentication methods.
mail exchange record: See MX record.
MX record: Mail exchange record. An entry in a DNS table that specifies which computer manages mail for an Internet domain. When a mail server has mail to deliver to an Internet domain, it requests the MX record for that domain. The server sends the mail to the computer specified in the MX record.
pointer record: See PTR record.
PTR record: Pointer record. A DNS record type that translates IP (IPv4) addresses to domain names. Used in DNS reverse lookups.
TXT record: Text record. A DNS record type that stores a text string as the response to a DNS query.
scope: A group of services. A scope can be a logical grouping of computers (all computers used by the production department, for example) or a physical grouping (all computers located on the first floor of a building, for example). You can define a scope as part or all of your network.
Ethernet: A common local area networking technology in which data is transmitted in units called packets using protocols such as TCP/IP.
ISP: Internet service provider. A business that sells Internet access and usually also provides web hosting for e-commerce as well as mail services.
filter: A "screening" method used to control access to a server. A filter is made up of an IP address, a subnet mask, and sometimes a port number and an access type. The IP address and subnet mask together determine the range of IP addresses to which the filter applies.
Internet service provider: See ISP.
FTP: File Transfer Protocol. A protocol that allows computers to transfer files over a network. FTP clients whose operating system supports FTP can connect to a file server and download files, depending on their access permissions. Most Internet browsers and a number of freeware applications can be used to access an FTP server.
gigabyte: See GB.
GB: Gigabyte.
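The firewall and filter entries above describe a rule that pairs an IP address with a subnet mask, optionally a port, and an access type, and a service that accepts or rejects each incoming packet against the set of such rules. The block below is an added illustration, not Mac OS X Server's firewall code: it models a rule set of that shape in Python with the standard ipaddress module. Two points are this example's own assumptions rather than anything the manual states: filters are evaluated in list order and the first match decides, and a packet that matches no filter is rejected (default deny). The rules and the traffic sample are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One rule: address + mask give the range, port is optional, allow is the access type."""
    network: ipaddress.IPv4Network
    port: Optional[int]          # None means the rule applies to every port
    allow: bool


def make_filter(address: str, mask: str, port: Optional[int], allow: bool) -> Filter:
    """Build a filter from the glossary's ingredients. The mask may be dotted
    (255.255.255.0) or a CIDR prefix length (24); strict=False lets the address
    carry host bits, which ipaddress then masks off."""
    network = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return Filter(network, port, allow)


@dataclass(frozen=True)
class Packet:
    """The two fields of an incoming packet that the filters look at (constructed)."""
    source: str
    dest_port: int


def evaluate(filters: list[Filter], packet: Packet) -> tuple[bool, Optional[int]]:
    """Return (accepted, index of the deciding filter). First match wins; a packet
    that matches nothing is rejected (default deny, this example's assumption)
    and reports index None."""
    source = ipaddress.IPv4Address(packet.source)
    for index, rule in enumerate(filters):
        in_range = source in rule.network
        port_ok = rule.port is None or rule.port == packet.dest_port
        if in_range and port_ok:
            return rule.allow, index
    return False, None


def rejected_log(filters: list[Filter], packets: list[Packet]) -> list[str]:
    """One log line per rejected packet, naming the filter that rejected it: the
    kind of record an administrator reviews to spot a misordered or missing rule."""
    lines = []
    for packet in packets:
        accepted, index = evaluate(filters, packet)
        if not accepted:
            reason = f"filter {index}" if index is not None else "no matching filter"
            lines.append(f"REJECT {packet.source} -> port {packet.dest_port} ({reason})")
    return lines


# Constructed rule set. Order matters: the single-host deny must precede the
# LAN-wide allow, otherwise the allow would match that host first.
RULES = [
    make_filter("192.168.100.77", "255.255.255.255", None, False),  # one LAN host, denied on all ports
    make_filter("192.168.100.0", "255.255.255.0", 22, True),        # rest of the LAN may reach port 22
    make_filter("0.0.0.0", "0", 80, True),                          # any address may reach port 80
]

# Constructed traffic sample.
SAMPLE = [
    Packet("192.168.100.10", 22),   # LAN host to port 22: allowed by filter 1
    Packet("192.168.100.77", 22),   # denied host: filter 0 wins even though filter 1 would allow
    Packet("203.0.113.5", 80),      # outside address to port 80: allowed by filter 2
    Packet("203.0.113.5", 22),      # outside address to port 22: matches nothing, default deny
]


if __name__ == "__main__":
    for packet in SAMPLE:
        print(packet, evaluate(RULES, packet))
    print("\n".join(rejected_log(RULES, SAMPLE)))
```

The second sample packet is the instructive one: swapping the first two rules would let 192.168.100.77 through on port 22, which is why the manual's index lists "filter order" alongside IP address ranges.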
1,073,741,824 (2^30) bytes.
workgroup: A set of users for whom you define preferences and permissions as a group. Any preferences you define for a group are stored in the group account.
HTTP: Hypertext Transfer Protocol. The client/server protocol for the web. HTTP lets a web browser access a web server and request hypermedia documents created in HTML.
Hypertext Transfer Protocol: See HTTP.
IANA: Internet Assigned Numbers Authority. The organization responsible for allocating IP addresses, assigning protocol parameters, and managing domain names.
ICMP: Internet Control Message Protocol. A message control and error-reporting protocol used between host servers and gateways. For example, some Internet applications use ICMP to send a packet on a round trip between two hosts, to measure the round-trip time and to detect problems on the network.
Ethernet ID: See MAC address.
IEEE: Institute of Electrical and Electronics Engineers, Inc. An organization that promotes standards in computing and electrical engineering.
IGMP: Internet Group Management Protocol. An Internet protocol used by hosts and routers to send packets to lists of hosts that want to participate, in a process known as multicasting. QuickTime Streaming Server (QTSS) uses multicast addressing, as does the Service Location Protocol (SLP).
shell prompt: A character that appears at the beginning of a line in a command-line interface, indicating that you can enter a command.
command-line interface: A way of interacting with a computer (for example, to run programs or modify file system permissions) by typing commands as text at a shell prompt.
network interface: Your computer's hardware connection to a network. This includes, among others, Ethernet connections, AirPort cards, and FireWire connections.
Internet: A set of interconnected computer networks that communicate through a common protocol (TCP/IP). The Internet (note the capital letter) is the most extensive public system of interconnected computer networks in the world.
Internet Assigned Numbers Authority: See IANA.
Internet Control Message Protocol: See ICMP.
Internet Group Management Protocol: See IGMP.
Internet Message Access Protocol: See IMAP.
Internet Protocol: See IP.
IP: Internet Protocol. Also referred to as IPv4. The method used together with the Transmission Control Protocol (TCP) to send data from one computer to another over a local network or the Internet. IP delivers the data packets, while TCP keeps track of those packets.
IPSec: A security addition to IP. A protocol that secures data transmission for L2TP VPN connections. IPSec acts at the network layer, protecting and authenticating the IP packets that travel between participating IP nodes.
IPv4: See IP.
IPv6: Internet Protocol version 6. The next-generation communication protocol intended to replace IP (also called IPv4). IPv6 allows a greater number of network addresses and can reduce routing loads across the Internet.
KB: Kilobyte. 1,024 (2^10) bytes.
L2TP: Layer Two Tunnelling Protocol. A network transport protocol used for VPN connections. It is essentially a combination of Cisco's L2F protocol and PPTP.
L2TP itself is not an encryption protocol, so it uses IPSec to encrypt the packets.
LAN: Local area network. A network maintained within a single facility, as opposed to a wide area network (WAN), which links geographically separated facilities.
LDAP: Lightweight Directory Access Protocol. A standard client-server protocol for accessing a directory domain.
Lightweight Directory Access Protocol: See LDAP.
command line: The text you type at a shell prompt when using a command-line interface.
access control list: See ACL.
Mac OS X: The latest version of the Apple operating system. Mac OS X combines the reliability of UNIX with the ease of use of Macintosh.
Mac OS X Server: A powerful server platform that supports Mac, Windows, UNIX, and Linux clients out of the box and provides a range of scalable network and workgroup services as well as advanced remote management tools.
subnet mask: A number used in IP networking to specify which portion of an IP address is the network number.
megabyte: See MB.
Microsoft Challenge Handshake Authentication Protocol: See MS-CHAP.
password: An alphanumeric string used to authenticate the identity of a user or to authorize access to files or services.
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol. The standard Windows authentication scheme for VPN. This authentication method encodes passwords when they are sent over the network and stores them in encrypted form on the server. It offers good security during network transmission. MS-CHAP is a proprietary version of CHAP.
multihoming: The ability to support multiple network connections.
When more than one connection is available, Mac OS X selects the appropriate connection according to the order specified in Network preferences.
multicast: In general, the simultaneous transmission of a message to a specific set of computers on a network. See also broadcast, unicast. In QuickTime Streaming Server, an efficient way of delivering a stream to many recipients. Users can join or leave a multicast, but they cannot interact with it.
NAT: Network Address Translation. A method of connecting several computers to the Internet (or any other IP network) using a single IP address. NAT converts the IP addresses you assign to computers on your private internal network into legitimate IP addresses for Internet communication.
NetInfo: One of the Apple protocols for accessing a directory domain.
Network Address Translation: See NAT.
node: A processing location. A node can be a computer or another device, such as a printer. Each node has a unique network address. In Xsan, a node is any computer connected to a storage area network.
canonical name: The "real" name of a server when you have given it a "nickname" or alias. For example, the server "courrier.apple.com" might have the canonical name "SrvCourrier473.apple.com".
host name: A unique name for a server. For historical reasons it is also called the UNIX hostname. The Mac OS X Server host name is used mainly for client access to NFS home directories.
A server determines its host name by taking the first name available from the following sources: the name specified in the /etc/hostconfig file (HOSTNAME=un-nom-d’hôte); the name provided by the DHCP or BootP server for the primary IP address; the first name returned by a reverse DNS (address-to-name) lookup for the primary IP address; the local hostname; or the name "localhost".
local hostname: A name that designates a computer on a local subnet. It can be used without a global DNS system to resolve names to IP addresses. It consists of lowercase letters, digits, or hyphens (except as the last character) and ends with ".local" (for example, factures-ordinateur.local). Although the name is derived by default from the computer name, the user can set it in the Network pane of System Preferences. It can be changed easily and used anywhere a DNS name or fully qualified domain name is used. It can only be resolved on the same subnet as the computer that uses it.
user name: The long name of a user, sometimes called the real name. See also short name.
domain name: See DNS name.
computer name: The default name used for SLP and SMB/CIFS service registrations. The Finder's Network Browser uses SLP to find computers that use Personal File Sharing and Windows file sharing. It can be configured to bridge subnets, depending on the network router settings. When you turn on Personal File Sharing, users see the computer name in the Connect to Server dialog in the Finder. Initially it is "<name>'s Computer" (for example, "Pierre's Computer"), but this name can be changed.
The computer name is used to browse network file servers, print queues, Bluetooth discovery, Apple Remote Desktop clients, and any other network resource that identifies computers by computer name rather than by network address. The computer name is also the basis for the default local hostname.
DNS name: The unique name of a computer, used in the Domain Name System (DNS) to convert between IP addresses and names. Also called domain name.
byte: The basic unit of measure for data, equal to eight bits (or binary digits).
Open Directory: The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use the LDAP, NetInfo, or Active Directory protocols, from BSD configuration files, and from network services.
open source: A term for the cooperative development of software by the Internet community. The basic principle is to involve as many people as possible in writing and debugging code by publishing the source code and encouraging the formation of a large community of developers who submit their modifications and enhancements.
packet: A unit of data made up of header, information, error detection, and trailer records. QTSS uses TCP, UDP, and IP packets to communicate with streaming clients.
gateway: A network node that links one network to another. It often refers to a computer that links a private LAN to a public WAN, with or without Network Address Translation (NAT). A router is a special kind of gateway that links related network segments.
cracker: A malicious user who tries to gain unauthorized access to a computer system in order to disrupt computers and networks or steal information.
Compare hacker.
Point to Point Tunneling Protocol: See PPTP.
password policy: A set of rules that govern the composition and validity of a user's password.
search policy: The list of directory domains that a Mac OS X computer searches when it needs configuration information. Also, the order in which the domains are searched. Sometimes called a "search path".
bridge: A computer networking device that connects two types of network media, such as a wireless medium and an Ethernet medium. A bridge works like a gateway in that it passes network traffic directly to the destination medium without routing or altering it in any way. Both ends of the bridge must be on the same IP address subnet. A bridge is a simple way to join several small network segments.
port: A sort of virtual mailbox. A server uses port numbers to determine which application should receive the data packets. Firewalls use port numbers to determine whether data packets are allowed to traverse a local network. "Port" usually refers to a TCP or UDP port.
Post Office Protocol: See POP.
PPTP: Point to Point Tunneling Protocol. A network transport protocol used for VPN connections. It is the standard Windows VPN protocol. It uses the password supplied by the user to produce an encryption key.
privilege: The right to access restricted areas of a system or to carry out certain tasks (such as management tasks) in the system.
protocol: A set of rules that determine how data is sent and received between two applications.
QTSS: QuickTime Streaming Server.
A technology for delivering data over the Internet in real time.
recursion: The process of fully resolving domain names into IP addresses. A nonrecursive DNS query allows other DNS servers to be queried to resolve the address. In general, user applications rely on the DNS server to perform this function, but other DNS servers do not have to perform a recursive query.
relay: In QuickTime Streaming Server, a relay receives an incoming stream and forwards it to one or more streaming servers. Relays reduce Internet bandwidth consumption and are very useful for broadcasts with many viewers in different locations. In Internet mail, a relay is an SMTP mail server that sends mail on to another SMTP server rather than to its final recipient.
open relay: A server that receives mail and automatically forwards it to another server. Senders of junk mail exploit open relay servers so that their own mail servers are not blacklisted as sources of junk mail.
load balancing: The process of distributing the requests for network services made by client computers across several servers in order to optimize performance.
local area network: See LAN.
flood: See flood attack.
shared secret: A value defined at each node of an L2TP VPN connection that serves as the encryption key for negotiating the authentication and data transport connections.
Secure Sockets Layer: See SSL.
server: A computer that provides services (such as file service, mail service, or web service) to other computers or network devices.
time server: A network server with whose clock other computers on the network synchronize their own, so that all the computers show the same time. See also NTP.
password server: See Open Directory Password Server.
name server: A server on a network that maintains a list of domain names and the IP addresses associated with each name. See also DNS, WINS.
QuickTime Streaming Server (QTSS): See QTSS.
proxy server: A server that sits between a client application, such as a web browser, and a real server. The proxy server intercepts every request addressed to the real server to see whether it can answer the request itself. If it cannot, it forwards the request to the real server.
DNS service: Domain Name System. A distributed database that maps IP addresses to domain names. A DNS server, also called a "name server", keeps a list of names and the IP addresses associated with each name.
NTP service: Network Time Protocol. A network protocol used to synchronize the clocks of the computers on a network with a reference clock. NTP is used to ensure that all the computers on the network show the same time.
directory services: Services that give system software and applications uniform access to directory domains and other sources of information about users and resources.
shell: A program that runs other programs. You can use a shell to interact with a computer by typing commands at the shell prompt. See also command-line interface.
SLP DA: Service Location Protocol Directory Agent.
A protocol used to register the services available on a network so that users can reach them easily. When a service is added to the network, it uses SLP to register itself on the network. SLP/DA keeps the registered network services in a central location.
SMTP: Simple Mail Transfer Protocol. A protocol used to send and transfer mail. Its ability to queue incoming messages is limited, so it is generally used only to send mail, with POP or IMAP used to receive it.
subdomain: Sometimes called the host name. The part of the domain name of a computer on the Internet that does not include the domain or the top-level domain designation (for example .com, .net, .us, .uk). The domain name "www.exemple.com" consists of the subdomain "www", the domain "exemple", and the top-level domain "com".
subnet: A grouping of client computers on the same network, organized by physical location (the different floors of a building, for example) or by use (all the students in one class, for example). Using subnets simplifies administration. See also IP subnet.
IP subnet: A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is identified by a subnet number.
spam: Unsolicited mail; junk mail.
SSL: Secure Sockets Layer. A protocol for sending encrypted, authenticated information over the Internet. Newer versions of SSL are called TLS (Transport Layer Security).
stratum 1: An authoritative Internet Network Time Protocol (NTP) server that keeps the current UTC time. There are other strata (2, 3, and so on), each of which synchronizes its clock with a server in the stratum above it.
TCP: Transmission Control Protocol. A method used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual transfer of the data, while TCP keeps track of the individual units of data (called "packets"). Each message is split into several units for efficient routing across the Internet.
cleartext: Data that is not encrypted.
zone transfer: The method used to copy zone data to authoritative DNS servers. Slave DNS servers request zone transfers from their master server to acquire their data.
Transmission Control Protocol: See TCP.
TTL: Time-to-live. The specified length of time for which DNS information is kept in a cache. When a domain name/IP address pair has been in the cache for longer than the specified TTL, the entry is deleted from the name server's cache (but not from the primary DNS server).
record type: A specific category of records, such as user, computer, and mount records. For each record type, a directory domain can contain any number of records.
UCE: Unsolicited Commercial Email. See spam.
UDP: User Datagram Protocol. A communication method that uses the Internet Protocol (IP) to send a unit of data (called a datagram) from one computer to another on a network. Network applications that have very small units of data to exchange can use UDP instead of TCP.
unicast: The transmission of data to a single recipient or client. If a movie is unicast to a user with RTSP, the user can move freely from point to point in an on-demand movie.
manual unicast: A method of transmitting a live stream to a single QuickTime Player client or to a computer running QTSS. An SDP file is usually created by the broadcaster application and must then be sent manually to the viewer or to the streaming server.
Universal Time Coordinated: See UTC.
User Datagram Protocol: See UDP.
UTC: Universal Time Coordinated. A standard reference time. Universal time is based on atomic resonance, which is why clocks that show universal time are often called "atomic clocks".
Virtual Private Network: See VPN.
VPN: Virtual Private Network. A network that uses encryption and other technologies to provide secure communications over a public network, typically the Internet. Such networks are generally less expensive than real private networks using leased lines, but they rely on the same encryption system being used at both ends of the line. The encryption can be performed by firewall software or by routers.
WAN: Wide area network. A network linking geographically dispersed sites, as opposed to a local area network (LAN), which is installed within a single group of buildings. Your WAN interface is usually the one connected to the Internet.
Windows Internet Naming Service: See WINS.
WINS: Windows Internet Naming Service. A name resolution service used by Windows computers to match client names with IP addresses. A WINS server can be located either on the local network or on the Internet.
WLAN: Wireless Local Area Network.
forward zone: A DNS zone that contains no records but forwards DNS queries to another zone.
master zone: The DNS zone records held by a primary DNS server.
A master zone is replicated by zone transfers to slave zones located on secondary DNS servers.

Index

A
Server Admin 27, 33, 87, 88, 89, 107, 108, 110, 120
IP addresses
  assigning 25
  dynamic assignment 24
  DHCP and 23
  lease time and DHCP 23
  DHCP lease time, changing 29
  dynamic 24
  multiple 72
  IPv6 notation 140
  filter order 71
  ranges 71
  reserved 25
  static 24
denial of service (DoS) attacks
  preventing 90

B
BIND 39, 40
  load balancing 60
AirPort base stations
  DHCP service and 25

C
IP firewall
  starting and stopping 32
mail
  redirecting 57

D
disabling 28
documentation 11
Dynamic Host Configuration Protocol. See DHCP

E
mail exchangers 57
log items
  DHCP activity 26
IANA registration 41
MX (Mail Exchange) records 43, 58

F
filters
  examples 86–89
  editing 79
filters, IP
  adding 73
  described 69

G
server administration guides 11

H
logs
  DHCP 33
  IP firewall service 83–85
  DNS service 53
MX hosts 57

I
Internet Gateway Multicast Protocol. See IGMP
Internet Protocol Version 6. See IPv6
IPv6
  addressing 140–141
  in Server Admin 140
  more information 142
  address notation 140
  available services 140

M
Mac OS X Server
  ports used by 92–96
Mail Exchange. See MX
subnet masks 69

N
NAT
  about 99
  configuring 101
  monitoring 105
  starting, stopping 101
  status overview 105
NetBoot
  viewing client lists 33
domain names
  registering 41
CIDR notation for network masks 69, 71
NTP
  about 133
  configuring 134
  configuring clients 135
  more information 135
  time system 133

P
round robin 60
ports
  Mac OS X computers 92–96
  TCP ports 92–93, 95
  UDP ports 95

R
load balancing 60
private networks 61
TCP/IP networks 61

S
mail servers 57
name servers 40
stratum time servers 133
DHCP servers 25
  network location 25
  interactions 25
IP firewall service 65–68
  multiple IP addresses 72
  viewing logs 83
  adding filters 73
  about 65
  benefits 66
  configuring 72–73, 76–89
  background 68
  creating filters 77, 78
  starting, stopping 74
  filters 69–72
  filter examples 86–89
  managing 74–81
  logs, configuring 83–84
  more information 97
  editing filters 79
  planning 72
  setup preparation 68–72
  preventing denial of service (DoS) attacks 90
  port reference 92–96
  uses 66
mail service
  using DNS service with 57
DHCP service 23–37
  AirPort base stations 25
  configuring 26
  LDAP automatic configuration 25
  starting and stopping 27
  disabling subnets 29
  described 23
  IP address lease time for a subnet, changing 29
  managing 27–32
  logs 33
  logs for 26
  more information 37
  editing subnets 28
  DNS options 29
  LDAP options for subnets 30
  WINS options for subnets 31, 32
  setup preparation 23–25
  subnet settings 28
  DNS server for DHCP clients 29
  subnets 24
  subnets, creating 27
  deleting subnets 28
  uses for 23
  viewing client lists 33
  viewing lease, client list 34
DNS service 39–63
  stopping 43
  with mail service 57
  configuring 41
  starting 43
  described 39
  managing 43–44
  more information 63
  DHCP subnet options 29
  planning 40
  setup preparation 40
  setup overview 41–43
  load balancing 60
  servers 40
  strategies 40–43
  uses 39
subnets 24
  creating 24, 27
Mac OS X systems 92–96

T
TCP/IP
  private networks 61
Universal Time Coordinated (UTC) 133

V
VPN
  viewing status 124
  viewing logs 124
  client connections 125
  logging 124

iPod USB Power Adapter

The iPod USB Power Adapter is for use with iPod shuffle, and with all iPods with Dock Connectors.

Note: Your power adapter may look different from the one pictured here.

Connect your iPod to the power adapter using the USB cable that came with your iPod. If you have an original iPod shuffle, you can connect it directly to the power adapter. Then extend the electrical prongs (if necessary) and plug the adapter into an electrical outlet to charge the iPod battery.

[Figure: AC plug adapter, iPod USB Power Adapter, USB cable that came with your iPod]

You can also connect the power adapter to an iPod Dock and place iPod in the Dock. For information on charging times, see the manual that came with your iPod.

Important: If your power adapter has retractable prongs, be sure to extend them completely before you plug the adapter into the outlet.

Safety
The only way to shut off power to your power adapter completely is to disconnect it from the power source. Always leave space around your power adapter. Don't use it in a location where airflow around the power adapter is obstructed, such as a bookcase. When connecting or disconnecting your power adapter, always hold it by its sides. Keep your fingers away from the metal part of the plug. Before connecting the USB cable to the power adapter, make sure there are no foreign objects inside the power adapter's USB port.
The power adapter is a high-voltage component and should not be opened for any reason, even when iPod is off.

Never force a connector into the power adapter USB port. If the connector and port do not join with reasonable ease, make sure that the connector matches the port and that you have positioned the connector correctly in relation to the port.

Keep your power adapter away from sources of liquid, such as drinks, washbasins, bathtubs, shower stalls, rain, and so on. Take care not to spill any food or liquid on the power adapter. If you do, unplug the power adapter before cleaning up the spill. In case of a spill, you may have to send your equipment to Apple for service.

Do not attempt to open your power adapter or disassemble it. You run the risk of electric shock and voiding the limited warranty. No user-serviceable parts are inside. If the power adapter appears to be damaged or does not function properly, go to www.apple.com/support for instructions on how to obtain warranty service.

Specifications

Input: AC 100-240 volts (V), 50/60 hertz (Hz)
Output: DC 5 V, 1 A
Disposal and Recycling Information

When this product has reached the end of its useful life, please dispose of it according to your local environmental laws and guidelines. For information about Apple's recycling program, go to www.apple.com/environment/summary.html.
European Union—Disposal Information: The symbol above means that according to local laws and regulations your product should be disposed of separately from household waste. When this product reaches its end of life, take it to a collection point designated by local authorities. Some collection points accept products for free. The separate collection and recycling of your product at the time of disposal will help conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment.
Apple and the Environment

At Apple, we recognize our responsibility to minimize the environmental impacts of our operations and products. For more information, go to www.apple.com/environment/summary.html.

www.apple.com/ipod/support

© 2006 Apple Computer, Inc. All rights reserved. Apple, the Apple logo, and iPod are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Shuffle is a trademark of Apple Computer, Inc. 0Z034-3775-A Printed in XXXX


Mac OS X Server
Mail Service Administration
For Version 10.4 or Later

Apple Computer, Inc.
© 2005 Apple Computer, Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use the software. No part of this publication may be reproduced or transmitted, in whole or in part, for commercial purposes, such as selling copies of it or providing paid support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc. is not responsible for printing or typographical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com

The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-1) for commercial purposes may constitute trademark infringement and/or unfair competition.

Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
F019-0163/03-24-05

Contents

Preface: About This Guide
    What's New in Version 10.4
    What's in This Guide
    Using This Guide
    Setting Up Mac OS X Server for the First Time
    Getting Help for Everyday Management Tasks
    Using On-Screen Help
    The Mac OS X Server Suite
    Getting Documentation Updates
    Getting Additional Information

Chapter 1: Setting Up Mail Service
    Mail Service Protocols
        Outgoing Mail
        Incoming Mail
    How Users Interact with Mail Service
    Mail Storage
        Where Outgoing Mail Is Stored
        Where Incoming Mail Is Stored
        Maximum Number of Messages per Volume
    Using the Web Service with Mail
    Using Network Services with Mail Service
        DNS Configuration for Mail Service
        Using SSL Connections with Mail Service
        Enabling Secure Mail Transport with SSL
    Before You Begin
        How User Account Settings Affect Mail Service
        Moving Messages from Apple Mail Server to Mac OS X Server Version 10.4
    Overview of Mail Service Tools
    Setup Overview
    Setting Up Incoming Mail Service
        Enabling POP Access
        Enabling IMAP Access
        If You Choose Not to Retrieve Incoming Mail
        Enabling Secure POP Authentication
        Enabling Less Secure POP Authentication
        Configuring SSL Transport for POP Connections
        Enabling Secure IMAP Authentication
        Enabling Less Secure IMAP Authentication
        Configuring SSL Transport for IMAP Connections
    Setting Up Outgoing Mail Service
        Enabling SMTP Access
        SMTP Authentication
        Enabling Secure SMTP Authentication
        Enabling Less Secure SMTP Authentication
        Configuring SSL Transport for SMTP Connections
        Relaying SMTP Mail Through Another Server
        Limiting the Size of Incoming Messages
        Using Access Control Lists (ACLs) for Mail Service Access
    Managing Mail Service Users
        Configuring Mail Settings for User Accounts
        Configuring Mail Client Software
        Creating an Administration Account
        Creating Additional E-mail Addresses for a User
        Setting Up E-mail Address Forwarding for a User
        Adding or Removing Virtual Domains
    Running a Virtual Host
        Enabling Virtual Hosting
        Adding or Removing Virtual Hosts
        Associating Users with a Virtual Host
    Managing Mail Quotas
        Enabling Mail Quotas for Users
        Configuring Quota Warnings
        Configuring Responses to Quota Violations
    Limiting Junk Mail and Viruses
        Connection Control
        Filtering SMTP Connections
        Message Screening
    Advanced Configuration Options and Tools
        cyradm
        Sieve Script Support

Chapter 2: Maintaining Mail Service
    Starting and Stopping Mail Service
    Suspending Outgoing Mail Service
    Blocking Incoming Mail Connections
    Reloading Mail Service
    Changing Protocol Settings for Incoming Mail Service
    Improving Performance
    Working with the Mail Store and Database
        Viewing the Location of the Mail Store and Database
        Repairing the Mail Database
        Repairing the Mail User Account Database
        Converting the Mail Store and Database from an Earlier Version
        Specifying the Location of the Mail Store and Database
        Creating Additional Mail Store Locations
    Backing Up and Restoring Mail Messages
    Monitoring Mail Folders and Messages
        Allowing Administrator Access to Mail Folders
        Saving E-mail Messages for Monitoring and Archiving
    Monitoring Mail Service
        Viewing Overall Mail Service Activity
        Viewing the Mail Connections List
        Checking the Outgoing Mail Queue
        Clearing Messages from the Outgoing Mail Queue
        Viewing Mail Accounts
        Viewing Mail Service Logs
        Setting the Level of Detail of Mail Service Logs
        Archiving Mail Service Logs by Schedule
        Reclaiming Disk Space Used by Mail Service Log Archives
    Dealing with a Full Disk
    Handling Undeliverable Mail
        Forwarding Undeliverable Incoming Mail
        Copying Undeliverable Incoming Mail
        Retrying Undelivered Outgoing Messages
    Where to Find More Information
        Books
        The Internet

Chapter 3: Mailing Lists
    Setting Up a Mailing List
        Enabling Mailing Lists
        Creating a New Mailing List
        Setting the Maximum Message Size
        Creating a Mailing List Description
        Customizing the Mailing List Welcome Message
        Customizing the Mailing List Unsubscribe Message
        Enabling a Mailing List Moderator
        Setting Mailing List Bounce Options
        Making a Mailing List Private
        Adding Members
    Administering Mailing Lists
        Viewing a Server's Mailing Lists
        Viewing a Mailing List's Information Page
        Designating a List Administrator
        Accessing the Web-Based Administrator Options
        Designating a List Moderator
        Archiving a List's E-mail
        Viewing Mailing List Archives
    Working with Mailing List Members
        Adding a Subscriber to an Existing List
        Removing a Subscriber from a List
        Changing Posting Permissions for Subscribers
        Suspending a Subscriber
    List Member Options
        Subscribing to a Mailing List by E-mail
        Subscribing to a Mailing List on the Web
        Unsubscribing from a Mailing List by E-mail
        Unsubscribing from a Mailing List on the Web
        Setting and Changing Your Mailing List Password
        Disabling Mail Delivery from a List
        Switching to Digest Mode
        Switching Between MIME and Plain-Text Digests
        Setting Additional Subscriber Options
    Where to Find More Information

Appendix: Certificates and Security
    Public Key Infrastructure
        Public and Private Keys
        Certificates
        Certificate Authorities (CA)
        Identities
        Self-Signed Certificates
    Server Admin Certificate Manager
        Readying Certificates
        Requesting a Certificate from a Certificate Authority
        Creating a Self-Signed Certificate
        Importing a Certificate
        Managing Certificates
        Editing a Certificate
        Deleting a Certificate
        Using Certificates

Glossary

Index


Preface: About This Guide

This guide explains how to set up and administer Mac OS X Server mail service.
What's New in Version 10.4

Mac OS X Server mail service includes several useful new features:
• new junk mail prevention rules
• junk mail screening (based on SpamAssassin)
• virtual hosting
• improved message quota management
• integrated maintenance and migration tools

What's in This Guide

This guide is divided into three chapters and an appendix.
• Chapter 1, "Setting Up Mail Service," contains everything you need to install and configure mail service and to set up and support mail users.
• Chapter 2, "Maintaining Mail Service," covers the ongoing maintenance and administration of the mail server.
• Chapter 3, "Mailing Lists," explains the Mac OS X Server mailing list service. Mailing lists are a powerful collaboration tool for archiving and distributing e-mail discussions.
• The appendix, "Certificates and Security," describes the Server Admin certificate manager, a simple way to create, organize, and use security certificates for SSL-enabled services.

Using This Guide

The first chapter gives an overview of how mail service works, what it can do, strategies for using it, how to set it up for the first time, and how to administer it afterwards.

Also read any chapter that describes a service you are not familiar with. You may find that some of the services you have not used until now can help you manage your network more efficiently and improve its performance for your users.

Most chapters end with a section called "Where to Find More Information." It points you to websites and other reference material with additional information about the service in question.

Setting Up Mac OS X Server for the First Time

If you have not yet installed and set up Mac OS X Server, do so now.
• Read Mac OS X Server Getting Started for Version 10.4 or Later, which comes with the software, for instructions on installing and setting up the server. It provides everything you need, in a variety of environments, to get your server up, running, and available for initial use.
• Read the specific sections to learn how to set up individual mail service features. Pay particular attention to the information in the sections "Setup Overview" and "Before You Begin."

Getting Help for Everyday Management Tasks

To change settings, monitor services, view service logs, or perform any other everyday administration task, consult the on-screen help available in Mac OS X Server for detailed procedures. All administration tasks are described in the second chapter of this guide, but it may be more convenient to look up information through on-screen help while you are using your server.

Using On-Screen Help

You can view instructions and other useful information about the server suite using on-screen help. On a computer running Mac OS X Server, you can access on-screen help by opening Workgroup Manager or Server Admin. Choose an option from the Help menu:
• Workgroup Manager Help or Server Admin Help displays information about the application.
• Mac OS X Server Help displays the main server help page, from which you can search for information about the server.
• Documentation takes you to www.apple.com/fr/server/documentation, from which you can download server documentation.

You can also access on-screen help from the Finder or other applications on a server or an administrator computer. An administrator computer is a Mac OS X computer with server administration software installed. Use the Help menu to open Help Viewer, then choose Library > Mac OS X Server Help.

To see the latest help topics, make sure the server or administrator computer is connected to the Internet while you use Help Viewer. Help Viewer automatically retrieves and caches the latest server help topics from the Internet. When you are not connected to the Internet, Help Viewer displays the cached help topics.

The Mac OS X Server Suite

The Mac OS X Server documentation is a series of guides that introduce the services offered and explain how to configure, manage, and troubleshoot them. All guides are available in PDF format from: www.apple.com/fr/server/documentation/

This guide ... explains how to:

Mac OS X Server Getting Started for Version 10.4 or Later: install Mac OS X Server and set it up for the first time.

Mac OS X Server Upgrading and Migrating to Version 10.4 or Later: use data and service settings currently in use on earlier versions of the server.
Mac OS X Server User Management for Version 10.4 or Later: create and manage users, groups, and computer lists; set up managed preferences for Mac OS X clients.

Mac OS X Server File Services Administration for Version 10.4 or Later: share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.

Mac OS X Server Print Service Administration for Version 10.4 or Later: host shared printers and manage their associated queues and print jobs.

Mac OS X Server System Image and Software Update Administration for Version 10.4 or Later: use NetBoot and Network Install to create disk images from which Macintosh computers can start up over the network; set up a software update server for updating client computers over the network.

Mac OS X Server Mail Service Administration for Version 10.4 or Later: install, set up, and administer mail services on the server.

Mac OS X Server Web Technologies Administration for Version 10.4 or Later: set up and manage a web server, including WebDAV, WebMail, and web modules.

Mac OS X Server Network Services Administration for Version 10.4 or Later: install, set up, and administer DHCP, DNS, VPN, NTP, IP firewall, and NAT services on the server.

Mac OS X Server Open Directory Administration for Version 10.4 or Later: manage directory and authentication services.

Mac OS X Server QuickTime Streaming Server Administration for Version 10.4 or Later: set up and manage QuickTime streaming services.

Mac OS X Server Windows Services Administration for Version 10.4 or Later: set up and manage services such as PDC, BDC, file, and print for Windows computer users.

Mac OS X Server Migrating from Windows NT for Version 10.4 or Later: move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.

Mac OS X Server Java Application Server Administration for Version 10.4 or Later: configure and administer a JBoss application server on Mac OS X Server.

Mac OS X Server Command-Line Administration for Version 10.4 or Later: use commands and configuration files to perform server administration tasks in the UNIX command shell.

Mac OS X Server Collaboration Services Administration for Version 10.4 or Later: set up and manage a weblog, instant messaging, and other services that facilitate interactions among users.

Mac OS X Server High Availability Administration for Version 10.4 or Later: manage failover and automatic recovery for file, web, mail, IP, and other services.

Mac OS X Server Xgrid Administration for Version 10.4 or Later: manage Xserve computational clusters using the Xgrid application.

Mac OS X Server Glossary: Includes Terminology for Mac OS X Server, Xserve, Xserve RAID, and Xsan: interpret the terms used for server and storage products.

Getting Documentation Updates

Periodically, Apple posts new on-screen help topics, revised guides, and solution papers. The new help topics include updates to the latest guides.
• To view new on-screen help topics, make sure your server or administrator computer is connected to the Internet and click the Late-Breaking News link on the main Mac OS X Server help page.
• To download the latest guides and solution papers in PDF format, go to the Mac OS X Server documentation web page: www.apple.com/fr/server/documentation.

Getting Additional Information

For more information, consult these resources:

Read Me documents: important updates and special information. Look for them on the server discs.

Mac OS X Server website: the gateway to product and technology information. www.apple.com/fr/macosx/server/

AppleCare Service & Support: access to hundreds of articles from Apple's support organization. www.apple.com/fr/support/

Apple Customer Training: instructor-led and self-paced courses for building your server administration skills. train.apple.com

Apple Discussions: a way to share questions, knowledge, and advice with other administrators. discussions.info.apple.com

Apple Mailing Lists directory: subscribe to mailing lists so you can communicate with other administrators by e-mail. www.lists.apple.com


Chapter 1: Setting Up Mail Service

Mac OS X Server mail service lets network users send and receive e-mail over your network or across the Internet. It does so using the standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP). Mail service also depends on a Domain Name System (DNS) service to find the destination of outgoing mail: it looks up the mail exchanger (MX) records of the recipient's domain, then the IP addresses of those exchangers, and delivers to them in order of preference.
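How an MTA turns a recipient domain into a list of delivery targets, as an added example: this is not code from the Apple guide, from Postfix, or from Cyrus. It applies the MX selection rules of RFC 5321, section 5.1, to a constructed in-memory DNS table so that it runs offline. It goes one step beyond the paragraph above by also recognizing a "null MX" record (RFC 7505, which postdates this guide), the standard way for a domain to say it accepts no mail. All domain names, exchanger names, and addresses below are made up.

```python
"""Choosing where to deliver outgoing mail: MX selection per RFC 5321, section 5.1.

Added example for this page; not code from the Apple guide or from Postfix.
All DNS data below is constructed and held in memory so the example runs
offline. Exchanger names, domains and addresses are made up.
"""
from random import shuffle
from typing import Dict, List, Tuple

# Constructed zone data. MX_RECORDS: domain -> [(preference, exchanger)].
# A_RECORDS: hostname -> IPv4 addresses (RFC 5737 documentation ranges).
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "exemple.com": [(20, "mx2.exemple.com."), (10, "mx1.exemple.com."),
                    (10, "mx1b.exemple.com.")],
    "school.edu": [],            # no MX: the domain's own A record is the implicit MX
    "nomail.test": [(0, ".")],   # null MX (RFC 7505): the domain accepts no mail
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.exemple.com.": ["192.0.2.10"],
    "mx1b.exemple.com.": ["192.0.2.11"],
    "mx2.exemple.com.": ["192.0.2.20"],
    "school.edu.": ["198.51.100.5"],
}


def _fqdn(name: str) -> str:
    """Normalise a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def mail_exchangers(domain: str) -> List[str]:
    """Return the exchangers for `domain` in the order an MTA should try them.

    Lowest preference value first; exchangers that share a preference are
    shuffled so that load spreads across them. No MX records at all means the
    domain itself is the (implicit) exchanger. A lone "0 ." record means the
    domain explicitly refuses mail, so nothing should be tried.
    """
    records = MX_RECORDS.get(_fqdn(domain).rstrip("."), [])
    if not records:
        return [_fqdn(domain)]
    if len(records) == 1 and records[0][1] == ".":
        return []
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(_fqdn(host))
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = by_pref[pref]
        shuffle(group)
        ordered.extend(group)
    return ordered


def delivery_addresses(domain: str) -> List[str]:
    """IP addresses to connect to on port 25, in try order. An exchanger with no
    address record is skipped, as an MTA would move on to the next one."""
    addrs: List[str] = []
    for host in mail_exchangers(domain):
        addrs.extend(A_RECORDS.get(host, []))
    return addrs


if __name__ == "__main__":
    for d in ("exemple.com", "school.edu", "nomail.test"):
        print(d, "->", delivery_addresses(d) or "no delivery")
```

The ordering matters for more than delivery: a sender that ignores preference values and goes straight to a lower-priority backup exchanger, or that falls back to the domain's A record although MX records exist, hands the message to a host the domain owner did not intend as its entry point. Backup exchangers are a common target for junk mail precisely because they often do weaker filtering and do not know the primary's list of valid recipients.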
This chapter begins with an overview of the standard protocols used to send and receive email. It then describes how mail service works, briefly outlines the aspects of mail service setup, and explains how to:
• set up mail service for incoming and outgoing mail,
• support mail service users,
• limit junk mail.

[Figure: mail flow between cathie@school.edu and roland@exemple.com over the Internet, showing incoming and outgoing paths through the school.edu mail server and the exemple.com mail server.]

Mail Service Protocols
A standard mail client configuration uses SMTP to send outgoing messages and POP and IMAP to receive incoming messages. Mac OS X Server includes an SMTP service and a combined POP and IMAP service. It is worth looking at these three mail protocols in more detail.

Outgoing Mail
Outgoing mail service is the means by which users send email over the Internet. Unless you restrict it, this service also transfers mail to and from mail services on other servers. If users of your mail service send messages to another Internet domain, your SMTP service delivers those outgoing messages to that domain's server.

Simple Mail Transfer Protocol (SMTP)
SMTP is a protocol used to send and transfer mail. SMTP queues users' outgoing messages. These messages are transferred to their destination over the Internet and received by incoming-mail protocols. Mac OS X Server uses Postfix as its mail transfer agent (MTA).
Postfix fully supports the standard Internet SMTP protocol. Your mail users will choose your Mac OS X Server running Postfix as the outgoing mail server for their email applications, and will access their own incoming mail from a Mac OS X Server running an incoming mail service. You can find more information about Postfix at: www.postfix.org

If you choose to use another MTA (such as Sendmail), you cannot configure your mail service with the Mac OS X Server administration tools. If you want to use Sendmail instead of Postfix, you must disable the current Postfix SMTP service, then install and configure Sendmail. For more information about Sendmail, see the website www.sendmail.org.

Incoming Mail
Mail is transferred from the incoming mail store to the recipient's mailbox by a local delivery agent (LDA). The LDA is responsible for local delivery, making mail available to the user's mail application. The mail access agent in Mac OS X Server offers two different protocols: POP and IMAP. Mac OS X Server uses Cyrus to provide POP and IMAP services. You can find more information about Cyrus at: asg.web.cmu.edu/cyrus

Post Office Protocol (POP)
POP is used only to receive mail, not to send it. Mac OS X Server mail service stores incoming POP mail until the user's computer connects to the service and the user downloads the waiting mail. Once POP messages are downloaded, they are stored only on the user's computer.
The user's computer then disconnects from the mail service, and the user can read, organize, and reply to the received POP mail. POP service works much like a post office: it stores mail and delivers it to a given address.

One advantage of POP is that your server does not need to store mail that users have already downloaded, so it needs less storage space than it would with IMAP. However, because the mail is deleted from the server, if a client computer has hard disk problems and loses its mail files, those files can be recovered only from data backups. Another advantage of POP is that POP connections are transient: once the mail has been transferred, the connection is closed and the load on the network and the mail server is removed.

POP is not the best choice for users who access their mail from several computers, such as a computer at home, an office computer, or a portable computer while travelling. When a user retrieves mail via POP, it is downloaded to that computer and usually removed entirely from the server. If the user later connects from a different computer, the previously downloaded messages are no longer available.

Internet Message Access Protocol (IMAP)
IMAP is the solution for those who use several computers to receive their mail. It is a client-server mail protocol that lets users access their mail from anywhere on the Internet. Users can send and read mail with several mail clients that support this protocol.
With IMAP, a user's mail is delivered to the server and stored in a remote mailbox on the server; it appears as if it were on the user's local computer. A key difference between IMAP and POP is that with IMAP, mail is not deleted from the server until the user deletes it.

An IMAP user's computer can ask the server for message headers or the bodies of specific messages, or search for messages that match specific criteria. Messages are downloaded when the user opens them. IMAP connections are persistent and remain open, which places a load on the server as well as on the network.

User Interaction With Mail Service
Mail is delivered to the final recipient via a mail user agent (MUA). MUAs are usually called "mail clients" or "mail applications". These mail clients usually run on each user's local computer. Each user's mail application must be configured to send messages to the appropriate outgoing server and receive messages from the incoming server. These configurations can affect the processing load on your server as well as the storage space available.

Mail Storage
Mail is stored either in an outgoing queue awaiting transfer to a remote server, or in a local message store accessible to users of the local mail service.
Outgoing Mail Location
Outgoing messages are stored by default in the following queue directory on the startup disk: /var/spool/postfix
This location is temporary; mail is kept there until it has been successfully transferred to the Internet. These locations can be placed on any accessible volume (local or NFS-mounted), and the mail administrator can create a symbolic link to them.

Incoming Mail Location
Mail service keeps track of incoming messages using a small database (BerkeleyDB 4.2.52), which does not, however, contain the messages themselves. Mail service stores each message as a separate file in a mail folder for each user. Incoming mail is stored on the startup disk in the following directory: /var/spool/imap/user/[username]
Cyrus places a database index file in the user's message folder. You can move all or part of the message folders and database indexes to another folder, disk, or disk partition. Although using a shared volume causes performance problems, you can even specify a shared volume on another server as the location of the message folder and database. For remotely mounted file systems, NFS is not recommended. Incoming mail remains on the server until it is deleted by an MUA.

The Cyrus mail store can also be split across several partitions. This can be useful to scale mail services or to facilitate data backups. For details, see "Creating Additional Mail Storage Locations" on page 70.
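As an added example (not code from the guide, from Apple or from Cyrus), the following Python script walks a mail store laid out like /var/spool/imap/user/[username], counts the message files per user while skipping the index files Cyrus keeps beside them, and reports how many allocation blocks those messages consume. It assumes that the per-mailbox metadata files are named cyrus.header, cyrus.index and cyrus.cache, that each message file is named with a numeric UID and a trailing dot (for example 1.), and a 4 KB allocation block with a one-block minimum per file; the spool it scans is constructed in a temporary directory and contains no real mail.

```python
"""Per-user usage of a Cyrus-style mail store (constructed example)."""
import os
import tempfile

BLOCK_SIZE = 4096  # assumed HFS Plus allocation block size (4 KB)

# Cyrus keeps these metadata files next to the messages (names assumed here);
# they are index data, not messages, so they are excluded from the counts.
CYRUS_META = {"cyrus.header", "cyrus.index", "cyrus.cache"}


def blocks_needed(size_bytes, block_size=BLOCK_SIZE):
    """Allocation blocks a file occupies; even a tiny file takes one block."""
    return max(1, -(-size_bytes // block_size))


def is_message_file(name):
    """Message files are assumed to look like '<uid>.' (for example '12.')."""
    return name not in CYRUS_META and name.endswith(".") and name[:-1].isdigit()


def spool_usage(spool_root):
    """Return {user: {"messages": n, "bytes": b, "blocks": k}} for every
    user folder directly under spool_root (the /var/spool/imap/user layout)."""
    usage = {}
    for user in sorted(os.listdir(spool_root)):
        user_dir = os.path.join(spool_root, user)
        if not os.path.isdir(user_dir):
            continue
        stats = {"messages": 0, "bytes": 0, "blocks": 0}
        for dirpath, _dirs, files in os.walk(user_dir):
            for name in files:
                if not is_message_file(name):
                    continue
                size = os.path.getsize(os.path.join(dirpath, name))
                stats["messages"] += 1
                stats["bytes"] += size
                stats["blocks"] += blocks_needed(size)
        usage[user] = stats
    return usage


def over_quota(usage, quotas_mb):
    """Users whose stored bytes exceed their quota (quota in MB; 0 = unlimited)."""
    return sorted(user for user, s in usage.items()
                  if quotas_mb.get(user, 0) and s["bytes"] > quotas_mb[user] * 1024 * 1024)


def build_sample_spool():
    """Construct a throwaway spool with two users (sample data, not real mail)."""
    root = tempfile.mkdtemp(prefix="imapspool-")
    layout = {
        "cathie": [1500, 6000, 4096],   # 1 + 2 + 1 = 4 blocks
        "roland": [100, 12000, 4097],   # 1 + 3 + 2 = 6 blocks
    }
    for user, sizes in layout.items():
        user_dir = os.path.join(root, "user", user)
        os.makedirs(user_dir)
        for meta in CYRUS_META:          # metadata files must not be counted
            with open(os.path.join(user_dir, meta), "wb") as f:
                f.write(b"\0" * 64)
        for uid, size in enumerate(sizes, start=1):
            with open(os.path.join(user_dir, f"{uid}."), "wb") as f:
                f.write(b"x" * size)
    return os.path.join(root, "user")


if __name__ == "__main__":
    usage = spool_usage(build_sample_spool())
    for user, s in usage.items():
        print(f"{user}: {s['messages']} messages, {s['bytes']} bytes, {s['blocks']} blocks")
    print("over quota:", over_quota(usage, {"cathie": 1, "roland": 0.01}))
```

The per-user byte totals are the figures to compare against the disk quota set for each account, while the block counts, not the byte totals, are what determine how many messages a volume can hold, since every message is its own file.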
Maximum Number of Messages per Volume
Because mail service stores each message in a separate file, the number of messages that can be stored on a volume is determined by the total number of files that volume can hold. The total number of files that can be stored on a volume using the Mac OS Extended format (sometimes called HFS Plus) depends on:
• the size of the volume;
• the size of the files;
• the minimum file size (by default, one 4 KB block).
For example, a 4 GB HFS Plus volume with the default 4 KB block size has one million available blocks. This volume can hold at most one million 4 KB files, that is, one million email messages of 4 KB or less. If some messages are larger than 4 KB, the volume can hold fewer messages. A larger volume with the same default block size can hold proportionally more files.

Using Web Service With Mail
WebMail is a web-based mail user agent (MUA). It lets a web browser, such as Apple's Safari, compose, read, and forward email like any other email client. The WebMail feature of Mac OS X Server is provided by software called SquirrelMail; see www.squirrelmail.org.

With WebMail, the actual mail server is provided by your mail service. WebMail cannot provide mail service without the mail server; it uses the mail service of your Mac OS X Server. WebMail uses standard mail protocols and requires that your mail server support them.
These protocols are:
• Internet Message Access Protocol (IMAP) for retrieving incoming mail
• Simple Mail Transfer Protocol (SMTP) for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)
WebMail does not support retrieving incoming mail via the Post Office Protocol (POP). Even if your mail server has POP enabled, WebMail does not use it.

To use WebMail:
1 First, enable and configure your mail server. This book contains detailed setup instructions for getting your mail server running.
2 Then, once the mail server is configured, enable the WebMail software. For WebMail setup instructions, see the guide "Mac OS X Server Web Technologies Administration for Version 10.4 or Later", available at www.apple.com/fr/server/documentation/.

Using Network Services With Mail Service
Mail service uses network services to ensure delivery of email. Before sending a message, your mail service will most likely use a DNS (Domain Name System) service to determine the IP (Internet Protocol) address of the destination. DNS service is needed because users usually address outgoing mail with a domain name, such as exemple.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, your mail service must know the destination IP address, so it calls on a DNS service to look up domain names and determine the corresponding IP addresses.
DNS service can be provided by your Internet service provider (ISP) or by Mac OS X Server, as explained in the network services administration guide. In addition, a Mail Exchange (MX) record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host is not available, the message can be sent to the alternate mail host. An MX record can list several mail hosts, each with a priority number. If the highest-priority host is busy, messages can be sent to the next host in priority order, and so on.

Mail services use DNS as follows:
1 The sending server looks at the domain name of the message recipient (the part after the @ character in the address).
2 The sending server looks up the MX record for that domain name to find the receiving server.
3 If one is found, the message is sent to the receiving server.
4 If the lookup of an MX record for the domain name fails, the sending server usually assumes that the name of the receiving server is the same as the domain name. In that case, the sending server looks up an address (A) record for that domain name and tries to send the message there.
Without a correctly configured MX record in DNS, mail may not reach the receiving server.

DNS Setup for Mail Service
DNS setup for mail service consists of enabling MX records on your own DNS server. If your ISP provides DNS service, you must contact it so that it can enable your MX records. Follow the steps below only if you provide your own DNS service with Mac OS X Server.
To enable MX records:
1 In Server Admin, select DNS in the Computers & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the zone to which the MX record will be added. If there is no zone, you will need to create one. For more information, see the network services administration guide.
5 Click the Edit (/) button below the zones list.
6 Select the Computers tab.
7 Click the Add (+) button below the computers list.
8 Enter the IP address of the mail server.
9 Select the host name of the mail server. Below the host name, you will see the computer's future fully qualified domain name.
10 Click the Add (+) button next to the Aliases box to add other names for this computer. Add as many aliases as you want.
11 Select the checkbox labeled "This computer is a mail server for the zone". This field forms the basis of the computer's MX record.
12 Set a mail server priority number. Mail servers try to deliver mail first to the mail server with the lowest priority number.
13 Enter any hardware and software information about the computer in the appropriate boxes.
14 Enter any comments about the computer in the "Comment" box. You can enter nearly any text string in the comment box: for example, the computer's location (such as 1st floor, door 3), its owner (such as Pierre's computer), or any other information you want to keep about the computer.
15 Click OK, then click Save.
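The following Python example, added here and not part of the guide, implements the four-step lookup described under "Mail services use DNS as follows" over a constructed zone table instead of live DNS: it takes the domain after the @, sorts the domain's MX records by priority number (lowest first, which is why the priority set in step 12 matters when several hosts are listed), resolves each target's A record, and falls back to the domain's own A record when no MX record exists. It also includes a small check for the two misconfigurations the text warns about: no MX record at all, and an MX target that has no address. The names and addresses in ZONE (courrier.exemple.com, backup.exemple.com, the 192.0.2.x and 198.51.100.x addresses) are constructed sample data.

```python
"""MX lookup with priority ordering and A-record fallback (constructed zone data)."""

# Constructed zone data keyed by (owner name, record type). Not real DNS.
ZONE = {
    ("exemple.com", "MX"): [(20, "backup.exemple.com"), (10, "courrier.exemple.com")],
    ("courrier.exemple.com", "A"): ["192.0.2.10"],
    ("backup.exemple.com", "A"): ["192.0.2.20"],
    ("school.edu", "A"): ["198.51.100.5"],                     # no MX: A fallback
    ("mx.nowhere.test", "MX"): [(10, "mail.nowhere.test")],   # MX target with no A
}


def lookup(zone, name, rtype):
    """Return the records of type rtype for name (case- and dot-insensitive)."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def mail_hosts_for(address, zone=ZONE):
    """Candidate (priority, host, ip) tuples for the recipient's domain, in the
    order a sending server would try them (lowest MX priority number first).
    When the domain has no MX record, the domain's own A record is tried."""
    if "@" not in address:
        raise ValueError("not an email address: %r" % address)
    domain = address.rsplit("@", 1)[1].lower()     # step 1: domain after the @
    mx = sorted(lookup(zone, domain, "MX"))         # step 2: MX records by priority
    if not mx:                                      # step 4: no MX, assume host == domain
        mx = [(0, domain)]
    candidates = []
    for priority, host in mx:                       # step 3: resolve each target
        for ip in lookup(zone, host, "A"):
            candidates.append((priority, host, ip))
    return candidates


def mx_problems(domain, zone=ZONE):
    """Configuration problems that would make mail for domain undeliverable
    or dependent on the A-record fallback."""
    problems = []
    mx = lookup(zone, domain, "MX")
    if not mx:
        problems.append("no MX record; senders will fall back to the A record")
    for priority, host in sorted(mx):
        if not lookup(zone, host, "A"):
            problems.append(f"MX target {host} (priority {priority}) has no A record")
    return problems


if __name__ == "__main__":
    for addr in ("roland@exemple.com", "cathie@school.edu", "x@mx.nowhere.test"):
        print(addr, "->", mail_hosts_for(addr))
    for dom in ("exemple.com", "school.edu", "mx.nowhere.test"):
        print(dom, "problems:", mx_problems(dom))
```

Note that with several MX records of different priority, as the redundancy setup recommends, the sending server works down the list only when the preferred host is unavailable; two hosts with the same priority number are tried in no particular order.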
If you need to set up several servers for redundancy, add additional MX records with different priority numbers.

Using SSL Connections With Mail Service
SSL (Secure Sockets Layer) connections ensure that the data exchanged between your mail server and your users' mail clients is encrypted. This allows secure, confidential transport of messages on a local network. SSL transport does not provide secure authentication, only secure transfer between your mail server and your clients. See the Open Directory administration guide for information about secure authentication.

For incoming mail, mail service supports secure mail connections with client software that requests them. If a mail client requests an SSL connection, mail service can establish it automatically if that option has been enabled. Mail service still establishes non-SSL (unencrypted) connections with clients that do not request SSL. In effect, each client's configuration alone determines whether an SSL connection takes place.

For outgoing mail, mail service supports secure mail connections between SMTP servers. If an SMTP server requests an SSL connection, mail service can establish it automatically if that option has been enabled. Mail service can still allow non-SSL (unencrypted) connections with mail servers that do not request SSL.

Enabling Secure Mail Transport With SSL
Mail service requires a few setup steps before it can establish SSL connections automatically.
The basic procedure is as follows:

Step 1: Obtain a security certificate
You can do this in one of the following ways:
1 Obtain a certificate from a certificate authority.
a Generate a certificate signing request (CSR) and create a keychain.
b Use the CSR to obtain a certificate from a certificate authority.
2 Create a self-signed certificate in the Server Admin certificate manager.
3 Locate an existing certificate from an earlier Mac OS X Server 10.3 installation. If you already generated a security certificate in an earlier version of Mac OS X Server, you can import it for use. See the appendix "Certificates and Security" on page 101 for more information.

Step 2: Import the certificate into the Server Admin certificate manager
You can either use the certificate manager to drag and drop the certificate information, or point the manager at a certificate that is already installed. See the appendix "Certificates and Security" on page 101 for more information.

Step 3: Configure the desired service to use the certificate
To learn how to allow or require SSL transport, see the following sections:
• "Configuring SSL Transport for POP Connections" on page 31
• "Configuring SSL Transport for IMAP Connections" on page 33
• "Configuring SSL Transport for SMTP Connections" on page 36

Before You Begin
Before you set up mail service for the first time:
• Decide which protocol to use for mail access: POP, IMAP, or both.
• If your server provides mail service over the Internet, your domain name must be registered. You must also determine whether your Internet service provider will create the MX records or whether you will create them in your own DNS service.
• Identify future mail service users who do not yet have user accounts in a directory domain accessible to your mail service, and create user accounts for them.
• Determine mail storage requirements and make sure you have enough disk space for the expected volume of mail.
• Determine your authentication and transport security requirements.

How User Account Settings Affect Mail Service
In addition to the mail service setup described in this chapter, you can also configure certain mail settings for each user who has an account on your server. Each user account has settings that let you:
• enable or disable mail service for the user account, or forward incoming mail for that account to another email address;
• specify the server that provides mail service for the user account;
• set a disk quota for storing the user's messages on the server;
• specify the protocol for the user account's incoming mail: POP, IMAP, or both.

Moving Mail From Apple Mail Server to Mac OS X Server Version 10.4
If you upgraded your server from a version earlier than Mac OS X Server 10.3 and have an existing Apple Mail Server database, you must migrate your mail database to Mac OS X Server 10.4 mail service. For detailed instructions and tool descriptions, see "Converting the Mail Store and Database From an Earlier Version" on page 68.
Overview of Mail Service Tools
The following applications let you set up and manage mail service:
• Server Admin: use this application to start, stop, configure, maintain, and monitor mail service when you install Mac OS X Server.
• Workgroup Manager: use this application to create accounts for mail users and configure each user's mail options.
• Terminal: use this application for tasks that involve UNIX command-line tools, such as backing up and restoring the mail database.

Setup Overview
Mail service setup and startup can be automatic when you install Mac OS X Server. A mail service setup option appears in the Server Assistant application, which runs automatically at the end of installation. If you select this option, mail service is configured as follows:
• SMTP, POP, and IMAP are all enabled and use standard ports.
• Standard (non-Kerberos) authentication modes are used: POP and IMAP are set up for clear-text passwords (the APOP and CRAM-MD5 modes are disabled), and SMTP authentication is disabled.
• Mail is delivered locally only (no mail is sent to the Internet).
• Mail relaying is restricted.
The following tasks are essential to modify this basic setup, or to set up your mail service if it has not already been done:

Step 1: Before you begin, make a plan
For a list of items to consider before launching a full mail service, see "Before You Begin" on page 23.
Step 2: Set up MX records
For users to be able to send and receive mail over the Internet, make sure DNS is configured with the appropriate MX records for your mail service.
• If your ISP provides DNS service for your network, contact it and ask it to set up the MX records for you. Your ISP will need the DNS name (such as courrier.exemple.com) and the IP address of your server.
• If you use Mac OS X Server to provide DNS service, create your own MX records as described in "DNS Setup for Mail Service" on page 21.
• If you do not set up any MX records for your mail server, it can probably still exchange mail with other servers. Some mail servers will locate your server by looking up its A record in DNS (you probably have an A record if you have a web server set up).
Note: if you have not defined any MX records, users of your mail service can still send mail to one another. Local mail service does not require MX records.

Step 3: Set up incoming mail service
Your mail service has several settings that define how incoming mail is handled. For instructions, see "Setting Up Incoming Mail Service" on page 27.

Step 4: Set up outgoing mail service
Your mail service also has several settings that define how outgoing mail is handled. For instructions, see "Setting Up Outgoing Mail Service" on page 33.
Step 5: Secure your server
If your server exchanges mail over the Internet, make sure it is not operating as an open relay. An open relay is a security risk: it lets junk mail senders use your computing resources to send their mail. For instructions, see "Limiting Junk Mail and Viruses" on page 49 and "Restricting SMTP Relay" on page 50.

Step 6: Configure additional mail service settings
There are additional settings you can change to affect how mail service handles mail storage, interacts with DNS, limits junk mail, and handles undeliverable mail. For detailed instructions, see the following sections:
• "Working With the Mail Store and Database" on page 66.
• "Limiting Junk Mail and Viruses" on page 49.
• "Handling Undeliverable Mail" on page 77.

Step 7: Set up user accounts for mail service
Anyone who wants to use mail service must have a user account in a directory domain accessible to the mail service. The user account's short name is the mail account name and is used to form the user's email address. Each user account also has settings that define how mail service handles the user's mail. You can configure a user's mail settings when you create the account, and you can change them at any time for an existing user.
For instructions, see "Managing Mail Service Users" on page 39 and "Setting Up Mail Client Software" on page 39.

Step 8: Create a postmaster alias (optional but recommended)
You should create an administration alias called "postmaster". Mail service or mail administrators may send reports to it. An alias lets mail sent to "postmaster@yourdomain.com" be forwarded to an account of your choice. It is recommended that you forward the postmaster account's mail to an account you check regularly. Other common postmaster-type accounts are "abuse" (used to report abuse of your mail service) and "spam" (used to report junk mail abuse). See "Creating Additional Email Addresses for a User" on page 41 for more on creating an alias for an existing mail user.

Step 9: Start mail service
Before starting mail service, make sure the server computer shows the correct date, time, time zone, and daylight-saving settings in the Date & Time pane of System Preferences. Mail service uses this information to timestamp each message. Incorrectly timestamped messages can cause problems when they are processed by other servers. Also make sure you have enabled at least one mail service protocol (SMTP, POP, or IMAP) in the Settings pane. After checking this information, you can start mail service.
If you selected the option in Server Assistant to start mail service automatically, stop mail service now and restart it so that your changes take effect. For detailed instructions, see "Starting and Stopping Mail Service" on page 63.

Step 10: Set up each user's mail client software
Once mail service is set up on your server, users must configure their client software accordingly. For details on the information users need to configure their client software, see "Managing Mail Service Users" on page 39.

Setting Up Incoming Mail Service
Setting up incoming mail service configures mail to be retrieved by users and mail client applications. It has three main steps:
• choose and enable the access type (POP, IMAP, or both);
• choose a method for authenticating the mail client;
• choose a policy for securely transporting mail data over SSL.
The following section contains information on how to accomplish these three steps.

Enabling POP Access
POP is used to receive mail. POP mail service stores incoming POP mail until users connect their computer to the mail service and download their waiting mail. Once POP messages are downloaded, they are stored only on the user's computer. One advantage of POP is that your server does not need to store mail that users have already downloaded.
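To make the authentication and relay choices concrete, here is an added Python example (not Apple's, Postfix's or Cyrus's code) of the server-side logic behind two items this chapter mentions: the CRAM-MD5 and APOP challenge-response modes that the default setup leaves disabled in favour of clear-text passwords, and the relay policy from Step 5 that keeps a server from being an open relay. The account names, passwords, the local domain exemple.com and the trusted network 192.168.1.0/24 are constructed sample data.

```python
"""Challenge-response mail authentication and SMTP relay policy (constructed example)."""
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed server state; not real accounts or networks.
USERS = {"cathie": "correct horse"}
LOCAL_DOMAINS = {"exemple.com"}
MY_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed trusted LAN


def cram_md5_challenge(hostname="courrier.exemple.com"):
    """Server side: a fresh challenge in the RFC 2195 form <random.timestamp@host>."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 of the challenge keyed with the password.
    Only this digest crosses the network, never the password itself."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(response, challenge, users=USERS):
    """Server side: recompute the digest from the stored password and compare
    in constant time. Unknown users and malformed responses are rejected."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = users.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def apop_digest(banner_timestamp, password):
    """APOP (RFC 1939): MD5 of the POP greeting timestamp followed by the password."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def verify_apop(username, digest, banner_timestamp, users=USERS):
    """Server side check of an APOP command against the stored password."""
    password = users.get(username)
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(banner_timestamp, password), digest)


def relay_decision(client_ip, recipient, authenticated,
                   local_domains=LOCAL_DOMAINS, my_networks=MY_NETWORKS):
    """Accept mail addressed to local domains from anyone; relay to other
    domains only for authenticated clients or clients on trusted networks.
    Rejecting everything else is what keeps the server from being an open relay."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "accept: local delivery"
    if authenticated:
        return "accept: authenticated relay"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in my_networks):
        return "accept: relay from trusted network"
    return "reject: relay access denied"


if __name__ == "__main__":
    challenge = cram_md5_challenge()
    reply = cram_md5_response("cathie", "correct horse", challenge)
    print("CRAM-MD5 accepted:", verify_cram_md5(reply, challenge))
    print(relay_decision("203.0.113.9", "someone@school.edu", authenticated=False))
    print(relay_decision("203.0.113.9", "someone@school.edu", authenticated=True))
```

With CRAM-MD5 and APOP the password never crosses the network, only a digest bound to a one-time challenge, which is why the guide calls them the secure modes; the trade-off is that the server must keep a recoverable copy of the password to recompute the digest, and neither mode encrypts the mail data itself, which is what SSL transport adds. relay_decision encodes the usual rule: anyone may deliver to your own domains, but relaying to other domains requires authentication or a trusted source network.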
POP is not the best choice for users who access their mail from more than one computer, such as a home computer, an office computer, or a portable computer while traveling, because once one computer has retrieved the messages, they are removed from the server.

To enable POP access:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Click Enable POP.
5 Click Save.
6 Continue by configuring security for POP authentication and transport.
See the following sections to continue configuration:
• “Enabling Secure POP Authentication” on page 30.
• “Enabling Less Secure POP Authentication” on page 30.
• “Configuring SSL Transport for POP Connections” on page 31.

Enabling IMAP Access
IMAP is a client-server mail protocol that lets users access their mail from anywhere on the Internet. With IMAP, a user's mail is delivered to the server and stored in a remote mailbox on the server; it appears as if it were on the user's local computer. A key difference between IMAP and POP is that with IMAP, mail is not deleted from the server until the user deletes it. IMAP connections are persistent and remain open, which places a load on the server as well as on the network.

To enable IMAP access:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Click Enable IMAP.
5 Enter the number of concurrent connections you want to allow, then click Save.
The default is 32 and the maximum is 300.
6 Click Save.
7 Continue by configuring security for IMAP authentication and transport.
See the following sections to continue configuration:
• “Enabling Secure IMAP Authentication” on page 31.
• “Enabling Less Secure IMAP Authentication” on page 32.
• “Configuring SSL Transport for IMAP Connections” on page 33.

If You Choose Not to Retrieve Incoming Mail
You can choose to enable SMTP mail service but not provide IMAP or POP service for retrieving incoming mail. If you enable neither POP nor IMAP, incoming mail from other mail services is still delivered to the user, but users cannot use mail client applications to access their mail. Mail that can be delivered locally is held in the queue until POP and/or IMAP service is enabled, or delivery to /var/mail is enabled, or the message expires and the sender receives a Non Delivery Receipt (NDR) (by default, after 72 hours). If delivery to /var/mail has been enabled, users can still access their mail with UNIX mail tools such as PINE or ELM. Messages delivered to /var/mail/ cannot be delivered to users through Cyrus once POP and/or IMAP are enabled again. If both POP and IMAP are disabled, you can change the incoming mail location from the default, /var/spool/imap/user/[username], to /var/mail/[username].

To change the local delivery directory:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Select “Deliver to /var/mail/...”
5 Click Save.

Enabling Secure POP Authentication
Your POP mail service can protect user passwords using the APOP (Authenticated POP) or Kerberos protocols. If a user connects via APOP or Kerberos, the client software encrypts the password before sending it to your POP service. Before configuring your mail service to require secure authentication, make sure your users' mail applications and accounts support the authentication method you chose. Before enabling Kerberos authentication for incoming mail service, you must integrate Mac OS X with a Kerberos server. If you use Mac OS X Server for Kerberos authentication, this has already been done. For instructions and more information, see the Open Directory administration guide. If you want to require one of these authentication methods, enable only that one method.

To set the POP authentication method:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select APOP or Kerberos (as needed) in the POP3 list.
6 Click Save.

Enabling Less Secure POP Authentication
You can choose to allow basic (clear text) password authentication. This method is considered less secure than APOP or Kerberos because the password itself is sent over the network in clear text.
If you want to require clear-text authentication, enable Clear as the only authentication method.

To enable clear-text POP authentication:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select Clear.
6 Click Save.

Configuring SSL Transport for POP Connections
SSL transport provides secure encryption of mail sent over the network. You can choose to require, use, or not use SSL for POP (and IMAP) connections. To use SSL connections, you need a security certificate for mail use. See “Server Admin Certificate Manager” on page 103 for more about certificates. Configuring SSL transport for POP also configures it for IMAP.

To configure SSL transport for POP connections:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select Require or Use to enable SSL (Don't Use to disable it) in the IMAP and POP SSL section.
6 If you use or require SSL, select the certificate you want to use from the corresponding pop-up menu.
7 Click Save.

Enabling Secure IMAP Authentication
Your IMAP mail service can protect user passwords by requiring that connections use a secure authentication method. You can choose CRAM MD-5 or Kerberos v5 authentication. When a user connects with secure authentication, the client software encrypts the password before sending it to your IMAP service.
Make sure your users' mail applications and accounts support the chosen authentication method. If you configure your mail service to require CRAM MD-5, mail user accounts must be configured to use a Mac OS X Server Password Server that has CRAM MD-5 enabled. For more information, see the Open Directory administration guide. Before enabling Kerberos authentication for incoming mail service, you must integrate Mac OS X with a Kerberos server. If you use Mac OS X Server for Kerberos authentication, this has already been done. For instructions and more information, see the Open Directory administration guide. If you want to require one of these authentication methods, enable only that one method.

To configure secure IMAP authentication:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select CRAM MD-5 or Kerberos (as needed) in the IMAP section.
6 Click Save.

Enabling Less Secure IMAP Authentication
Your IMAP mail service can accept user passwords via less secure methods. These authentication methods do not securely encrypt user passwords while they travel over the network. If you want to require one of these authentication methods, enable only that one method.

To allow IMAP LOGIN, PLAIN or Clear authentication:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select LOGIN, PLAIN or Clear in the IMAP list.
6 Click Save.

Configuring SSL Transport for IMAP Connections
SSL transport provides secure encryption of mail sent over the network. You can choose to require, use, or not use SSL for IMAP connections. To use SSL connections, you need a security certificate for mail use. See “Server Admin Certificate Manager” on page 103 for more about certificates. Configuring SSL transport for IMAP also configures it for POP.

To configure SSL transport for IMAP connections:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Click Require or Use to enable SSL (Don't Use to disable it) in the IMAP and POP SSL section.
6 If you use or require SSL, select the certificate you want to use from the corresponding pop-up menu.
7 Click Save.

Setting Up Outgoing Mail Service
Mail service includes an SMTP service for sending mail. Unless you restrict it, this service also transfers mail to and from mail services on other servers. If users of your mail service send messages to another Internet domain, your SMTP service delivers those outgoing messages to the corresponding service. Other services deliver messages for your users to your SMTP service, which then transfers them to your POP and IMAP services.

Enabling SMTP Access
SMTP is used to transfer mail between mail services and to send messages from users' mail clients.
The SMTP mail service stores outgoing mail in a queue until it locates the mail exchange server for the message's destination. It then transfers the mail to the destination server for processing and final delivery. SMTP service is required for outgoing mail service and for receiving mail from mail servers outside your organization.

To enable SMTP access:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Click Enable SMTP.
5 Select “Allow incoming mail” if applicable. If you allow incoming mail, enter the domain name for which to accept mail and the mail server's host name.
6 Click Save.

SMTP Authentication
If you do not choose an SMTP authentication method or specify particular SMTP servers that are allowed to relay mail, the SMTP server allows anonymous SMTP mail relay and is considered an “open relay”. The drawback of an open relay is that it lets junk mail senders exploit the relay to hide their identity and send junk mail with impunity. A distinction must be made between relaying mail and accepting mail for delivery. Relaying mail means passing mail from one (possibly external) mail server, or from a local user's mail client, to another (third) mail server. Accepting delivery means receiving mail from a (possibly external) mail server that is to be delivered to the server's own mail users. Mail addressed to local recipients is always accepted and delivered.
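The relay versus accept-delivery distinction above, modelled as an added Python example (illustrative code written for this page, not Apple's or Postfix's implementation). The policy fields, host names and addresses are constructed assumptions; the point is that a server with neither authentication nor an allowed relay list relays for anyone, which is the open-relay condition.

```python
"""Minimal model of one SMTP server's RCPT TO decision: accept for local
delivery, relay to a third server, or reject. Added example, not Apple code."""

from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    # Domains this server delivers for (its own users and virtual domains).
    local_domains: set
    # Specific SMTP servers explicitly allowed to relay through this one.
    relay_hosts: set = field(default_factory=set)
    # Whether an SMTP authentication method has been chosen at all.
    auth_enabled: bool = True


def smtp_decision(policy, recipient, client_host, authenticated):
    """Return 'accept', 'relay' or 'reject' for one recipient address.

    - Mail for a local domain (or a bare local user name) is always accepted.
    - Mail for a remote domain is relayed only for an authenticated client
      or for a host on the explicit relay list.
    - With no authentication method and no relay list, every remote
      recipient is relayed: that is the open-relay condition.
    """
    if "@" in recipient:
        domain = recipient.rpartition("@")[2].lower()
        if domain not in policy.local_domains:
            open_relay = not policy.auth_enabled and not policy.relay_hosts
            if open_relay or authenticated or client_host in policy.relay_hosts:
                return "relay"
            return "reject"
    return "accept"


def is_open_relay(policy):
    """True when an unknown, unauthenticated client can relay to a remote domain.

    The probe host and address are constructed values that match nothing in
    the policy, so the answer depends only on the policy itself.
    """
    return smtp_decision(policy, "probe@remote.test", "unknown.test", False) == "relay"


if __name__ == "__main__":
    closed = SmtpPolicy({"exemple.com", "exemple.org"}, {"gw.exemple.com"}, True)
    opened = SmtpPolicy({"exemple.com"}, set(), False)
    print("authenticated policy is open relay:", is_open_relay(closed))  # False
    print("no-auth, no-relay-list policy is open relay:", is_open_relay(opened))  # True
```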
Enabling SMTP authentication requires the client to authenticate with one of the selected authentication methods before mail is relayed. SMTP authentication is used together with restricted SMTP relay to limit the spread of junk mail. For more information about these settings, see “Limiting Junk Mail and Viruses” on page 49.

Enabling Secure SMTP Authentication
Your server can keep itself from acting as an open relay by enabling SMTP authentication (an open relay indiscriminately relays mail to other mail servers). You can configure mail service to require secure authentication via CRAM MD-5 or Kerberos. If some users have mail clients that do not support secure methods, you can also allow less secure authentication methods, such as PLAIN and LOGIN, which do not encrypt passwords. If you configure your mail service to require CRAM MD-5, mail user accounts must be configured to use a password server that has CRAM MD-5 enabled. For more information, see the Open Directory administration guide. Before enabling Kerberos authentication for incoming mail service, you must integrate Mac OS X with a Kerberos server. If you use Mac OS X Server for Kerberos authentication, this has already been done. For instructions, see the Open Directory administration guide.
By enabling SMTP authentication:
• your users must authenticate in their mail client before any mail is accepted for sending;
• you prevent malicious users from using your mail server to send messages through your system without your consent.
If you want to require one of these authentication methods, enable only that one method.

To allow secure SMTP authentication:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select CRAM MD-5 or Kerberos (as needed) in the SMTP section.
6 Click Save.

Enabling Less Secure SMTP Authentication
Your server can keep itself from acting as an open relay by requiring SMTP authentication (an open relay indiscriminately relays mail to other mail servers), which ensures that only known users (that is, users with accounts on your server) can send mail from your mail service. You can choose to require, allow, or disallow the less secure authentication methods (PLAIN or LOGIN) for SMTP mail service. PLAIN authentication sends mail passwords as clear text over the network. LOGIN authentication sends an encrypted hash of the password over the network, which is minimally secure. If you want to require one of these authentication methods, enable only that one method.

To allow less secure authentication:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Select PLAIN or LOGIN in the SMTP section.
6 Click Save.

Configuring SSL Transport for SMTP Connections
SSL transport provides secure encryption of mail sent over the network. You can choose to require, use, or not use SSL for SMTP connections. To use SSL connections, you need a security certificate for mail use. See “Server Admin Certificate Manager” on page 103 for more about certificates.

To configure SSL transport for SMTP connections:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Security.
5 Click Require or Use to enable SSL (Don't Use to disable it) in the SMTP SSL section.
6 If you use or require SSL, select the certificate you want to use from the corresponding pop-up menu.
7 Click Save.

Relaying SMTP Mail Through Another Server
Instead of delivering outgoing mail directly to its various destinations, your SMTP mail service can pass it to another server. Normally, when an SMTP server receives a message addressed to a remote recipient, it attempts to send the message directly to that server, or to the server specified in the domain's MX record if there is one. Depending on your network configuration, this method of transporting mail may be undesirable or even impossible. You may then need to relay all outgoing messages through a specific server.
• This method may be necessary to deliver outgoing mail through your organization's firewall. In that case, the organization designates a particular server to relay mail through the firewall.
• This method can be useful if your server's connections to the Internet are slow or intermittent.
Do not try to relay mail through a mail server outside your organization's control, or without the permission of the relay server's administrator. Without the express permission of that administrator, you will be treated as an abuser of the mail service.

To relay SMTP mail through another server:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the General tab.
4 Click “Relay all SMTP mail through this host”, then enter the DNS name or IP address of the server acting as the SMTP relay.
5 Click Save.

Limiting the Size of Incoming Messages
You can set a maximum size for incoming messages; the default is 10 megabytes. You may want to do this to limit the size of attachments added to messages.

To set a maximum incoming message size:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Quotas tab.
4 Check “Refuse incoming messages...” and enter the maximum number of megabytes you want to allow.
5 Click Save.

Using Access Control Lists (ACLs) for Mail Service Access
Access Control Lists (ACLs) let you grant service access to specific users or groups individually.
For example, you can use an ACL to let a single user access a file server or a shell login without allowing every user on the server to do so. Mail service differs from many other services that traditionally use an ACL to determine service access. Mail service is already granted on a per-user basis: either you have a mail account on a particular server or you do not. Simply being a user of a server does not automatically grant access to mail storage and retrieval. Some administrators may find it easier to grant mail access through ACLs if they use ACLs for all their other configuration. They may also have mixed network environments that require ACLs to assign mail access. Mac OS X Server lets you enable mail access for users with the Access tab of a server in the Server Admin list. If you have enabled user access via Server Admin and traditional mail access via Workgroup Manager, the settings interact as follows:

Access via ACL | Access via Workgroup Manager | Result
Enabled | Enabled | The user has mail access as granted by the POP and/or IMAP settings in the General mail settings pane of Server Admin.
Enabled | Disabled | The user has mail access as granted by the POP and/or IMAP settings in the General mail settings pane of Server Admin.
Disabled | Enabled | The user has mail access as granted by the settings in the user's record in Workgroup Manager. This is the default behavior.
Disabled | Disabled | The user has no mail access.

To enable mail access for a user through ACLs:
1 In Server Admin, select the server running mail service and the user who will receive a mail account.
2 Click Access.
3 Deselect “Use same access for all services”.
4 Select “Allow only users and groups below”.
5 Click the Add (+) button to display a Users & Groups pane.
6 Drag the desired user to the access list.
7 Click Save.

Managing Mail Service Users
This part covers the mail settings in your server's user accounts, mail storage quotas, and the mail service settings in mail client software.

Configuring Mail Settings for User Accounts
You must configure the mail settings in your users' accounts so that they can access mail service. For each user, you must:
• enable mail use;
• enter the DNS name or IP address of your mail server;
• select the protocols for retrieving incoming mail (POP, IMAP or both);
• set a quota for the disk space available for storing the user's mail;
• configure any alternate mail storage location you want.
You can configure these settings with Workgroup Manager. For detailed instructions, see Mac OS X Server User Management for version 10.4 or later.
Configuring Mail Client Software
Users must configure their client software so that it can connect to your mail service. The following table details the information most clients require and where that information comes from in Mac OS X Server.

Mail client software | Mac OS X Server | Example
User name | User's full name | Pierre Macintosh
Account name or Account ID | User account short name | Pierre
Password | User account password |
Mail server host name or Mail host | Full DNS name or IP address of the mail server, the same one you use to connect to the server in Server Admin | courrier.exemple.com, 192.168.50.140
Email address | User's short name, followed by the @ symbol and one of: the server's Internet domain (if the mail server has an MX record in DNS); the mail server's full DNS name; the server's IP address | pierre@exemple.com, pierre@courrier.exemple.com, pierre@192.168.50.1
SMTP host or SMTP server | Same as host name | courrier.exemple.com, 192.168.50.1
POP host or POP server | Same as host name | courrier.exemple.com, 192.168.50.1
IMAP host or IMAP server | Same as host name | courrier.exemple.com, 192.168.50.1
SMTP user | User account short name | Pierre
SMTP password | User account password |

Creating an Administration Account
You may want to create a mail administrator account to maintain and monitor mail folders, delete obsolete user accounts, and archive mail. This administrator account does not need to be a server administrator. Also, this administrator account should not receive mail; it is not a normal mail account.

To create a mail administrator account:
1 Create a user who will be the mail administrator.
2 If you have not created a user record for the mail administrator account, see the user management guide.
3 Open /etc/imapd.conf in a text editor. If you are not comfortable with a terminal text editor such as emacs or vi, you can use TextEdit.
4 Find the line “admins:”.
5 Edit the line to add the administrator account name after the colon.
6 Save your changes.
For more information, see the man page for imapd.conf.

Creating Additional Email Addresses for a User
Mail service lets each user have multiple email addresses, called “aliases”. Each user has an address made up of the account's short name. You can also define several names for any user account by creating an alias file. Each additional name is an alternate email address for the user in the same domain. These additional email addresses are not additional accounts requiring separate quotas or passwords. Alias files are commonly used to map “postmaster”-type users to a real account and to give users with a short login account name an email address of the form “prénom.nom@exemple.com”. There are two ways to create email aliases: Mac OS X Server style and Postfix style. Each has advantages and disadvantages. Mac OS X Server aliases are easy to create and are listed under a user name.
This makes it easy to identify an alias and its user. The problem with this kind of alias is that the mail service's Sieve feature does not understand Mac OS X Server aliases and will not filter mail that depends on them. Postfix aliases require command-line administration and are harder to verify. However, the main advantage of Postfix aliases is that they work with Sieve scripts: only aliases created with Postfix can be controlled by Sieve scripts.

To create a Mac OS X Server alias:
1 In Workgroup Manager, open the desired user account (if it is not already open). To open the account, click the Accounts button, click the globe icon below the toolbar, and open the directory domain where the account resides. Click the lock to authenticate. Select the user in the user list.
2 Click the Basic tab.
3 Double-click below the last item in the Short Names list.
4 Enter the alias. For example, if your domain is “exemple.com” and you want “robert.utilisateur” to be an alias for the user name “bob”, enter: robert.utilisateur
5 Click Save.
From then on, messages addressed to “robert.utilisateur@exemple.com” are delivered to the user “bob”, giving Bob two email addresses: bob@exemple.com and robert.utilisateur@exemple.com.

To create a Postfix alias:
1 Create a file (if one does not already exist) to be used as the alias list in /etc/postfix/aliases.
2 For each alias, add a line to the file in the following format: alias:local_address_1,local_address_2,...
If, for example, you want to give the user name “bob” in your domain exemple.com the alias “robert.utilisateur”, type: robert.utilisateur : bob
Messages addressed to your mail server for robert.utilisateur@exemple.com are then delivered to the real mail account bob@exemple.com.
3 Save your changes to the file.
4 In Terminal.app, type the following command: postalias /etc/aliases
The text file is compiled into a database for faster access.
5 At the prompt, type the following command: newaliases
The alias database is reloaded. From then on, messages addressed to “robert.utilisateur@exemple.com” are delivered to the user “bob”, giving Bob two email addresses: bob@exemple.com and robert.utilisateur@exemple.com.
For more information on creating and managing email aliases, see /etc/postfix/alias.

Configuring Email Forwarding for a User
You can use this feature to offer your users an email redirection service. Any message sent to the user's email account is forwarded to the specified account. Messages can also be forwarded with Sieve scripts. To learn more about that method, see “Supporting Sieve Scripts” on page 59.

To forward a user's mail:
1 In Workgroup Manager, open the desired user account (if it is not already open). To open the account, click the Accounts button, click the globe icon below the toolbar, and open the directory domain where the account resides. Click the lock to authenticate. Select the user in the user list.
2 Click the Mail tab.
3 Select Forward.
4 Type the forwarding email address in the Forward To field. You can enter several addresses separated by commas.

Adding or removing virtual domains
Virtual domains are additional domains that can be used in your users' email addresses. A virtual domain also includes a list of all the domain names that belong to it. You should add every name that might appear after the @ symbol in the addresses of mail destined for your server. You must also include every fully qualified domain name that resolves to the IP address of your mail server. This list can, for example, contain spelling variants of your domain or company name.
If you host mail for the domains exemple.com and exemple.org, a virtual domain lets bob@exemple.com receive mail addressed to bob@exemple.com and bob@exemple.org in the same mailbox. Likewise, courrier.exemple.com could resolve to the same IP address as exemple.com, so make sure courrier.exemple.com is part of the virtual domain group.
In short: virtual domains let a user name ("bob" in the example above) receive mail in a single inbox regardless of which virtual domain follows the @ symbol in the email address. The address "bob@exemple.com" delivers to the same place as "bob@exemple.org". Mail settings apply to every domain name in this list. It is recommended that you never specify the same domain in the virtual domain list.
To use a virtual domain, it must be registered, and an MX record must point to your mail server for each domain you want to enable.

To add or remove virtual domain names for the mail server:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Click the Add (+) button and type the domain name of a virtual mail host to add to your server.
5 To edit a virtual domain, select it and click the Edit (/) button.
6 To remove an item from the list, select it and click the Remove (-) button.
Note: it is recommended that you define MX records for each virtual domain. If a domain name in this list has no MX record, only your mail service recognizes it. Any external mail addressed to that domain name is bounced.

Running a virtual host
Virtual hosting is a method you can use to host several domain names on the same computer with the same IP address, with identical mail user names. For example, a mail server could receive mail delivery requests for two domains, courrier.exemple1.com and courrier.exemple.com, both of which resolve to the same IP address. For courrier.exemple1.com, the server would deliver mail for "bob@exemple1.com" to the mailbox of one user "bob", while at the same time delivering mail for "bob@exemple2.com" to a different user's mailbox. Virtual hosts are essentially the reverse of virtual domains.
Enabling virtual hosting
Before you can enable virtual hosting, you must add a list of locally hosted virtual domains to your mail server. For details, see "Adding or removing virtual hosts" on page 45.

To enable virtual hosting:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Hosting.
5 Add at least one virtual host. For details, see "Adding or removing virtual hosts".
6 Select "Enable virtual hosting". You can now add or remove virtual hosts with the Add (+) and Remove (-) buttons.
7 Click Save.

Adding or removing virtual hosts
Before you can enable virtual hosting, you must add a list of locally hosted virtual domains to your mail server. Virtual hosting must be enabled before you can add or remove virtual hosts. If virtual hosting is not enabled, see "Enabling virtual hosting" on page 44 for more information.

To add or remove virtual hosts:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Select Hosting.
5 Click the Add (+) button next to the "Locally hosted virtual domains" box and enter the domain name of a virtual host you want to add to your server. To edit a virtual domain, select it and click the Edit (/) button. To remove an item from the list, select it and click the Remove (-) button.
6 Click Save.
Note: it is recommended that you define MX records for each virtual domain.
If a domain name in this list has no MX record, only your mail service recognizes it. Any external mail addressed to that domain name is bounced.

Associating users with the virtual host
Associating users with a virtual host requires creating an alias in their user records that contains the full email address (for example "bob@exemple.com", where "exemple.com" is not the mail server's domain name but a virtual host).
There are two ways to create aliases for users of a virtual host: Mac OS X Server and Postfix. Each has advantages and drawbacks. Mac OS X Server aliases are easy to create and are listed by user name, so you can easily identify an alias and its user. The problem with this kind of alias is that the mail service's Sieve feature does not understand Mac OS X Server aliases and will not filter mail that depends on Mac OS X Server aliases. Postfix aliases require command-line administration and are harder to check. However, the main advantage of Postfix aliases is that they can be used with Sieve scripts. Only aliases created with Postfix can be controlled by Sieve scripts.

To associate a user with a virtual host using Mac OS X Server aliases:
1 Add a virtual host following the instructions in "Adding or removing virtual hosts" on page 45.
2 In Workgroup Manager, open the desired user account (if it is not already open). To open the account, click the Accounts button, then click the icon below the toolbar and open the directory domain that hosts the account. Click the lock to authenticate.
Select the user in the user list.
3 Click the Basic tab.
4 Double-click below the last item in the Short Names list.
5 Enter the alias corresponding to the virtual host address. For example, if your domain is exemple.com and the virtual host domain is server.com, and you want messages addressed to "postmaster@server.com" delivered to the user "bob", open bob's user record in Workgroup Manager and type:
postmaster@server.com
6 Click Save.
Messages sent to your mail server for "postmaster@server.com" are then delivered to the real mail account of user "bob". Meanwhile, mail sent to "postmaster@exemple.com" goes to whichever other mail account was chosen.

To associate a user with a virtual host using Postfix aliases:
1 Add a virtual host name following the instructions in "Adding or removing virtual hosts" on page 45.
2 Create a file to use as the alias list in /etc/aliases (if the file does not already exist).
3 For each alias, create a line in the file in the following format:
alias@virtualhost:local_address_1,local_address_2...
For example, if your domain is "exemple.com", you are running a virtual host for "serveur.com", and you want the user "bob" to receive mail sent to "postmaster@serveur.com", type:
postmaster@serveur.com: bob
This takes mail sent to your mail server for "postmaster@serveur.com" and delivers it to the user "bob". Mail sent to "postmaster@exemple.com" goes to whichever other recipient was chosen.
4 Save the changes to the file.
5 In Terminal.app, type the following command:
postalias /etc/aliases
The text file is compiled into a database for faster lookup.
6 At the prompt, type the following command:
newaliases
The alias database is reloaded.
7 At the prompt, reload the mail server by typing the following command:
postfix reload
Messages sent to your mail server for "postmaster@server.com" are then delivered to the real mail account of user "bob". Meanwhile, mail sent to "postmaster@exemple.com" goes to whichever other mail account was chosen.

Managing mail quotas
Mail quotas let you define how much disk space is allotted to a user's mail on the mail server. Quotas are set per user, on the user record in Workgroup Manager. Although you do not set a mail user's quota in Server Admin, you still control quota enforcement and how your server responds to a quota violation.
Mail quotas are especially important if the mail server hosts many IMAP accounts. IMAP does not require mail to be deleted from the server once it is read, so IMAP users who receive large attachments fill their quota very quickly.

Enabling mail quotas for users
You can set mail storage limits on the server. These limits are especially important if you use IMAP for incoming mail, because messages are not necessarily deleted once the user has downloaded them. Use Workgroup Manager to enable a user's mail quota.
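Returning to the alias procedures above: the virtual domain, virtual host and Postfix alias rules combined into one resolver, as an added example that is not Apple's or Postfix's own code. It parses the "alias:local_address_1,local_address_2" format the chapter gives, maps an address to its local mailboxes, and audits the file for loops and targets that deliver nowhere, the kind of check the text notes is harder with Postfix aliases. The domains, users and alias lines are constructed sample data.

```python
# Added example: resolve addresses through virtual domains, virtual hosts and
# a Postfix-style alias file, and audit the alias file. Not Apple's code;
# all names below are constructed samples.

# Virtual domains: any of these after the "@" lands in the same mailbox.
VIRTUAL_DOMAINS = {"exemple.com", "exemple.org", "courrier.exemple.com"}
# Virtual hosts: a separate namespace, reached only via full-address aliases.
VIRTUAL_HOSTS = {"serveur.com"}
# Local mailboxes (constructed).
LOCAL_USERS = {"bob", "alice", "postmaster"}

# Constructed alias file in the "alias:local_address_1,local_address_2,..." format.
ALIASES_FILE = """\
# name alias, as in the chapter
robert.utilisateur: bob
# virtual-host alias: the full address goes on the left
postmaster@serveur.com: bob
equipe: bob, alice
# two deliberate mistakes for the audit below
ancien: carol
boucle: rebouclage
rebouclage: boucle
"""


def parse_aliases(text):
    """Parse alias lines into {alias: [targets]}; keys are lower-cased."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: missing ':' in {raw!r}")
        key, _, rest = line.partition(":")
        targets = [t.strip().lower() for t in rest.split(",") if t.strip()]
        if not key.strip() or not targets:
            raise ValueError(f"line {lineno}: empty alias or target list")
        table[key.strip().lower()] = targets
    return table


def _expand(key, aliases, local_users, path, found, dangling):
    """Depth-first alias expansion; raises ValueError on a loop."""
    if key in path:
        raise ValueError("alias loop: " + " -> ".join(path + [key]))
    if key in aliases:
        path.append(key)
        for target in aliases[key]:
            _expand(target, aliases, local_users, path, found, dangling)
        path.pop()
    elif key in local_users:
        found.add(key)
    else:
        dangling.add(key)


def resolve(address, aliases, local_users=LOCAL_USERS):
    """Return the sorted local mailboxes that receive `address`.

    A virtual-domain address is looked up by its local part (bob@exemple.org
    and bob@exemple.com share one mailbox); a virtual-host address is looked
    up as a whole, so it needs an explicit full-address alias. Anything else
    yields [] (not hosted here, or no alias and no such local user). A looping
    alias chain raises ValueError."""
    address = address.lower()
    local, _, domain = address.partition("@")
    if domain in VIRTUAL_HOSTS:
        start = address
    elif domain in VIRTUAL_DOMAINS:
        start = local
    else:
        return []
    found, dangling = set(), set()
    _expand(start, aliases, local_users, [], found, dangling)
    return sorted(found)


def audit_aliases(aliases, local_users=LOCAL_USERS):
    """Report alias keys that loop and targets that deliver nowhere."""
    loops, dangling = [], set()
    for key in aliases:
        try:
            _expand(key, aliases, local_users, [], set(), dangling)
        except ValueError:
            loops.append(key)
    return {"loops": sorted(loops), "dangling": sorted(dangling)}


if __name__ == "__main__":
    table = parse_aliases(ALIASES_FILE)
    for addr in ("robert.utilisateur@exemple.com", "bob@exemple.org",
                 "postmaster@serveur.com", "postmaster@exemple.com",
                 "bob@serveur.com"):
        print(f"{addr:35} -> {resolve(addr, table)}")
    print("audit:", audit_aliases(table))
```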
To enable a user's mail quota:
1 In Workgroup Manager, open the desired user account (if it is not already open). To open the account, click the Accounts button, then click the icon below the toolbar and open the directory domain that hosts the account. Click the lock to authenticate. Select the user in the user list.
2 Click the Mail tab. If the user's mail is not enabled, enable it.
3 Enter the number of megabytes for the user's message storage in the Mail Quota box.
4 Click Save.

Configuring quota warnings
When a user's mailbox approaches its storage quota limit, you can warn users that the quota will soon be exceeded. You can decide whether or not to warn the mail user, how many warning messages to send, and when to send them.

To configure quota warnings:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Quotas tab.
4 Click "Enable quota warnings".
5 Enter the maximum percentage of storage space that can be used before a warning is sent.
6 Enter the warning frequency, in days.
7 If you want to customize the quota warning, click Edit next to the warning message.
8 Click Save.

Configuring overage responses
When a mail user has stored more messages than the quota allows, the mail server recognizes a quota overage. There are two typical responses to a quota overage: an overage notice and suspension of mail service.
To configure quota overage responses:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Other tab.
4 Click "Enable quota warnings".
5 If you want to customize the quota overage warning, click Edit next to the message warning that the quota has been exceeded.
6 If you want to suspend mail service for users who have exceeded their quota, select "Disable a user's mailbox...".
7 Click Save.

Limiting junk mail and viruses
You can configure your mail service to reduce the volume of unsolicited commercial messages, commonly known as junk mail (or spam), and of virus-carrying messages. You can take steps to block junk mail or viruses sent to your mail users. You can also secure your server to keep malicious users from using your mail service; such users try to use your resources to send junk mail to others.
You can also take steps to prevent senders of these unwanted messages from using your server as a relay point. A relay point, or open relay, is a server that receives and then forwards all mail addressed to other servers, indiscriminately. Such a relay sends mail from one domain to another without any distinction. Junk mail senders exploit open relay servers so that their own SMTP servers do not appear on the blacklists that list junk mail sources.
It is essential that your server not be listed as an open relay, because other servers could then refuse mail coming from your users.
There are two main ways to prevent viruses and junk mail from passing through your system. Using both methods together helps ensure the integrity of your mail system. The two control points are:
• "Controlling connections" (below).
• "Controlling messages" on page 53.

Controlling connections
This prevention method controls which servers can connect to your mail system and what they must do to send mail through it. To apply connection control, your mail service can:
• require SMTP authentication;
• restrict SMTP relaying to approved servers only;
• refuse all SMTP connections from unapproved servers;
• refuse mail from servers listed on a blacklist;
• filter SMTP connections.

Requiring SMTP authentication
If your mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Anyone who wants to use your server as a relay must first supply the name and password of a user account stored on your server. Although SMTP authentication applies mainly to mail relaying, users of your local mail service must also authenticate before sending mail. This means your users must have mail client software that supports SMTP authentication, or they will not be able to send mail to remote servers.
Mail sent from external servers and addressed to local recipients is still accepted and delivered. To require SMTP authentication, see "Enabling secure SMTP authentication" on page 34 and "Enabling less secure SMTP authentication" on page 35.

Restricting SMTP relay
Your mail service can restrict SMTP relaying by allowing only approved hosts to relay mail. You create the list of allowed servers yourself. Approved hosts can relay mail through your mail service without authenticating. Servers not on this list therefore cannot relay mail through your service without first authenticating. All hosts, approved or not, can deliver mail to users of your local mail service without authenticating.
Your mail service can log connection attempts from hosts that are not on your approved server list.

To restrict SMTP relay:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Relay tab.
4 Select the checkbox "Accept SMTP relays only from these hosts and networks".
5 Edit the host list.
• Click the Add (+) button to add a host to the list.
• Click the Remove (-) button to delete the currently selected host from the list.
• Click the Edit (/) button to edit the currently selected host in the list.
When you add a server to the list, you can use several notations.
• Enter a single IP address, or a network/mask pattern such as 192.168.40.0/21.
• Enter a host name, such as courrier.exemple.com
• Enter an Internet domain name, such as exemple.com

Combinations of SMTP authentication and restricted SMTP relay
The following table describes the results of different combinations of SMTP authentication and restricted SMTP relay.

SMTP requires authentication: Enabled. Restricted SMTP relay: Disabled. Result: all mail servers must authenticate before your mail service will relay any mail. Users of your local mail service must also authenticate to send mail.

SMTP requires authentication: Enabled. Restricted SMTP relay: Enabled. Result: approved mail servers can relay without authenticating. Servers you have not approved can relay mail after authenticating with your mail service.

SMTP requires authentication: Disabled. Restricted SMTP relay: Enabled. Result: your mail service cannot be used as an open relay. Approved mail servers can relay mail (without authenticating). Servers you have not approved cannot relay without authenticating, but can deliver mail to users of your local mail service. Local users do not need to authenticate to send mail. This is the most common configuration.

Rejecting SMTP connections from specific servers
Your mail service can refuse unauthorized SMTP connections from hosts on a list of unapproved hosts that you create. All mail traffic from servers on this list is refused, and the SMTP connections are closed after an SMTP connection refused error (code 554) is returned.
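The connection controls described above (required SMTP authentication, relay restricted to approved hosts, the rejected-host list, and local delivery that never needs authentication) as one policy function, added here as an example that is not Apple's or Postfix's own code. It reproduces the rows of the combination table, including the open-relay case the table leaves out; the hosts, networks and addresses are constructed samples.

```python
# Added example: one decision function for the chapter's connection controls.
# Not Apple's or Postfix's code; hosts and addresses are constructed samples.
import ipaddress
from dataclasses import dataclass

# Domains this server delivers locally (constructed).
LOCAL_DOMAINS = {"exemple.com", "exemple.org"}


@dataclass
class RelayPolicy:
    require_auth: bool      # "SMTP requires authentication"
    restrict_relay: bool    # "Accept SMTP relays only from these hosts and networks"
    approved: tuple = ()    # approved hosts/networks, same notations as the GUI list
    rejected: tuple = ()    # "Refuse all messages from these hosts and networks"


def matches(entry, client_ip, client_host):
    """One list entry may be an IP, a network/mask such as 192.168.40.0/21,
    a host name such as courrier.exemple.com, or a domain such as exemple.com."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not an address or network: compare names instead
    host = (client_host or "").lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return bool(host) and (host == entry or host.endswith("." + entry))


def in_list(entries, client_ip, client_host):
    return any(matches(e, client_ip, client_host) for e in entries)


def decide(policy, client_ip, client_host, authenticated, recipient):
    """Return (verdict, reason) for one recipient on one connection.

    verdict is "accept", "reject-554" (rejected-host list, as the chapter
    describes) or "relay-denied"."""
    if in_list(policy.rejected, client_ip, client_host):
        return "reject-554", "host is on the rejected list"
    if recipient.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        # Every host may deliver to local users without authenticating.
        return "accept", "local delivery"
    if policy.restrict_relay and in_list(policy.approved, client_ip, client_host):
        return "accept", "approved relay host"
    if authenticated:
        return "accept", "authenticated relay"
    if not policy.require_auth and not policy.restrict_relay:
        # Neither control is on: this is the open-relay configuration to avoid.
        return "accept", "open relay: neither control is enabled"
    return "relay-denied", "unauthenticated relay from an unapproved host"


if __name__ == "__main__":
    # The "most common configuration" row of the table: no authentication
    # required, relay restricted to approved hosts.
    common = RelayPolicy(False, True,
                         approved=("192.168.40.0/21", "courrier.exemple.com"),
                         rejected=("203.0.113.0/24",))
    for ip, host, auth, rcpt in (
        ("192.168.44.7", None, False, "ami@ailleurs.net"),           # approved network
        ("198.51.100.5", "mx.autre.net", False, "ami@ailleurs.net"),  # unapproved relay
        ("198.51.100.5", "mx.autre.net", False, "bob@exemple.com"),   # local delivery
        ("203.0.113.9", None, True, "bob@exemple.com"),               # rejected list wins
    ):
        print(ip, host, auth, rcpt, "->", decide(common, ip, host, auth, rcpt))
```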
To refuse unauthorized SMTP connections from specific servers:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Relay tab.
4 Select the checkbox "Refuse all messages from these hosts and networks".
5 Edit the server list. Click the Add (+) button to add a host to the list. Click the Remove (-) button to delete the currently selected host from the list. Click the Edit (/) button to edit the currently selected host in the list.
When you add a server to the list, you can use several notations.
• Enter a single IP address, or a network/mask pattern such as 192.168.40.0/21.
• Enter a host name, such as courrier.exemple.com.
• Enter an Internet domain name, such as exemple.com.

Refusing mail from blacklisted senders
Your mail service can refuse mail from SMTP servers placed on a blacklist of open relays maintained by a Real-time Blacklist (RBL) server. Your mail service uses an RBL server that you specify. RBLs are sometimes called "black hole" servers.
Important: blocking unsolicited mail from blacklisted senders can be imprecise. It can sometimes cause valid mail to be refused.

To refuse mail from blacklisted senders:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Relay tab.
4 Select the checkbox "Use these junk mail rejection servers".
5 Edit the server list by adding the DNS name of an RBL server.
Click the Add (+) button to add a server to the list. Click the Remove (-) button to delete the currently selected server from the list. Click the Edit (/) button to edit the currently selected server in the list. Type the domain name of the RBL server you want, such as rbl.exemple.com.

Filtering SMTP connections
You can use the Mac OS X Server firewall service to allow or deny access to your SMTP mail service from specific IP addresses. Filtering blocks all communication between the originating host and your mail server. The mail service never receives the incoming connection, and no SMTP error is generated or returned to the client.

To filter SMTP connections:
1 In Server Admin, select Firewall in the Computers & Services list.
2 Create a firewall IP filter following the instructions in the network services administration guide, using the following settings:
• Access: denied
• Port number: 25 (or your incoming SMTP port, if you use a non-standard port)
• Protocol: TCP
• Source: the IP address or IP address range you want to block
• Destination: the IP address of your mail server
3 If you want, you can log the packets to monitor SMTP abuse.
4 Add further filters for the SMTP port to allow or deny access to other IP addresses or address ranges.
For more information about the firewall service, see the network services administration guide.

Controlling messages
When a mail delivery connection is established and the message can be delivered locally (relayed mail is not checked), the mail server can check the message before delivering it.
Mac OS X Server uses SpamAssassin (spamassassin.apache.org) to analyze the text of a message and determine how likely it is to be junk mail. No junk mail filter identifies unwanted mail perfectly. That is why the junk mail filter in Mac OS X Server neither deletes junk mail nor withholds it from delivery; instead, it marks the mail as possible junk. The user can then decide whether it really is unsolicited commercial mail and act accordingly. Many email clients even use the ratings SpamAssassin adds as a guide when automatically sorting mail for the user.
Mac OS X Server uses ClamAV (www.clamav.net) to scan messages for viruses. If something is found that you suspect is a virus, you can handle it in several ways (see below). Virus definitions are updated over the Internet (if the feature is enabled) by a process called "freshclam".

Enabling junk mail checking (Bayesian filters)
To use message checking, it must be enabled. When you enable checking, you can configure certain checking parameters.
Bayesian mail filtering is statistics-based message rating. Every message is analyzed and statistics on word frequency are recorded. Messages whose word frequencies resemble those of junk mail are marked more strongly as probable junk. When a message is checked, the server adds a header ("X-Spam-Level") carrying the probability rating.
Suppose, for example, you have 400 messages.
200 of them are junk mail and the other 200 are good mail. When a new message arrives, its text is compared both with the text of the junk messages and with that of the good mail. The filter then reports the probability that it is junk, according to which group it most resembles.
Bayesian filtering is a very effective method of finding junk mail, provided the filter has enough data. One of its strengths is that the more messages you receive and classify (a process called "training"), the more accurate the next round of rating will be. Even if junk mail senders change what they send, the filter will take that into account later.

To enable junk mail checking:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Filters tab.
4 Select "Scan email for junk mail".
5 Set the permissiveness level (Min, Moderate, Most). The permissiveness gauge defines how many junk mail flags a message can accrue before it is treated as junk. If you choose minimum permissiveness, any message presenting even a slight risk is flagged and treated as junk. If you choose maximum permissiveness, a high score (that is, many junk mail characteristics) is needed to mark a message as junk.
6 Choose how to handle junk messages.
Bounced: this option bounces the message to the sender.
You can send an email notification of the bounced message to an email account, probably the mail administrator's.
Deleted: this option deletes undelivered messages. You can send an email notification of the bounced message to an email account, probably the mail administrator's.
Delivered: this option delivers the message even though it may be junk. You can add text to the message subject to indicate that it is probably junk, or encapsulate the junk message in a MIME attachment.
Redirected: this option delivers the message to someone other than the intended recipient.
7 If you want, choose how often the junk mail database is updated.
8 Click Save.
For more about the other options, see "Filtering mail by language and location" on page 56.

Training the junk mail filter manually
It is important to teach the filter to distinguish junk mail from good mail. At first the filter will not be very accurate at marking junk, but you can "train" it to make it more effective. Accurate training requires a large number of messages: at least 200 messages of each type is recommended.

To "train" the filter:
1 Choose a mailbox containing 200 messages, all junk.
2 Use Terminal and the filter's command-line training tool to analyze the mail and record that it is junk, with the following command:
sa-learn --showdots --spam /*
3 Choose a mailbox of 200 messages, all acceptable.
4 Use the filter's command-line training tool to analyze the mail and record that it is acceptable, with the following command:
sa-learn --showdots --ham /*
If the junk mail filter fails to identify a junk message, keep training it to make it more effective. Use sa-learn with the --spam argument on the mislabeled message. Likewise, if you get a false positive (that is, an acceptable message marked as junk), use sa-learn again with the --ham argument to keep training the filter.

Training the junk mail filter automatically
You must show the junk mail filter which mail is junk and which is acceptable. Mac OS X Server offers a way to train the filter automatically with the help of mail users. The server runs an automated command at 1:00 a.m. (a scheduled task) that analyzes the inboxes of two specific users. It runs the SpamAssassin sa-learn tool on the contents of those inboxes and uses the results to adapt its junk mail filter.

To train the junk mail filter automatically:
1 Enable junk mail filtering. For details, see "Enabling junk mail checking (Bayesian filters)" on page 54.
2 Create two local accounts: courrierindésirable and courrieracceptable.
3 Use Workgroup Manager to enable them. If you need help, see "Configuring mail settings for user accounts" on page 39.
4 Ask your mail users to "redirect" junk messages that were not marked as junk to "courrierindésirable@".
5 Ask your mail users to “redirect” real mail messages that were wrongly marked as junk to “courrieracceptable@”.

6 Every day at 1:00 AM, the junk mail filter learns to recognize the junk mail and the mail that was wrongly marked as junk but is not.

7 Delete the messages from the courrierindésirable and courrieracceptable accounts every day.

Filtering Mail by Language and Locale

You can filter mail by locale or by language. Messages written in foreign encodings are often wrongly marked as junk mail. You can configure your mail server so that it does not mark as junk the mail that comes from certain countries and is written in certain languages.

To accept mail by language and locale:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Filters tab.
4 Select “Scan email for junk mail”.
5 Click the Edit (/) button next to Accepted Languages to edit the list.
a Select the language encodings to allow as acceptable mail, then click OK.
6 Click the Edit (/) button next to Accepted Locales to edit the list.
a Select the country codes to allow as acceptable mail, then click OK.
7 Click Save.

Enabling Virus Filtering

Before you can use message screening, it must be enabled. When you enable screening, you can configure some screening parameters. Mac OS X Server uses ClamAV (www.clamav.net) to scan messages for viruses.
If a suspected virus is found, you can handle it in several ways (see below). Virus definitions are updated (if the feature is enabled) over the Internet by a process called freshclam.

To enable virus filtering:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Filters tab.
4 Select “Scan email for viruses”.
5 Choose how to handle unwanted messages.

Bounced: this option bounces the message back to the sender. You can send an email notification of the bounced message to an email account (probably the mail administrator's) and notify the intended recipient.

Deleted: this option deletes undelivered messages. You can send an email notification of the bounced message to an email account (probably the mail administrator's) as well as to the intended recipient.

Quarantined: this option delivers the message to a directory for further analysis. You can send an email notification about the quarantine to an email account, probably the mail administrator's.

6 You can notify the intended recipient if the message was filtered.
7 If you want, choose how often the virus database is updated. Updating twice a day is recommended. Some administrators choose eight times a day.
8 Click Save.

Advanced Configuration Options and Tools

Mac OS X Server provides powerful tools for administering your mail service.
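As an added example of the command-line tooling this section refers to (not part of Apple's documentation), the following POSIX shell job implements the nightly run from “Training the Junk Mail Filter Automatically” above: it feeds the two collection mailboxes to sa-learn as spam and ham and reports how many messages were learned. It assumes the Cyrus mail store keeps one file named “<uid>.” per message under /var/spool/imap/user/<account>/, and uses ASCII account names junkmail and notjunkmail as hypothetical stand-ins for the courrierindésirable and courrieracceptable accounts (override them with JUNK_USER and HAM_USER).

```shell
#!/bin/sh
# Nightly Bayes training job (added example, not Apple's script).
# Assumptions: Cyrus stores each message of a mailbox as a file "<uid>."
# under $SPOOL/<account>/, and sa-learn (SpamAssassin) is on PATH.
set -u

SA_LEARN="${SA_LEARN:-sa-learn}"
SPOOL="${SPOOL:-/var/spool/imap/user}"   # assumed Cyrus mail store location
JUNK_USER="${JUNK_USER:-junkmail}"        # hypothetical name: users redirect missed junk here
HAM_USER="${HAM_USER:-notjunkmail}"       # hypothetical name: users redirect false positives here
MIN_MESSAGES="${MIN_MESSAGES:-1}"         # skip a mailbox with fewer messages than this

# Print the number of message files in a Cyrus mailbox directory.
# Cyrus metadata files (cyrus.header, cyrus.index, cyrus.cache) do not match
# the "<digits>." pattern, so they are never counted or fed to sa-learn.
count_messages() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    n=0
    for f in "$dir"/[0-9]*.; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Feed one mailbox to sa-learn as "spam" or "ham" and print how many
# messages were learned. Any other kind is rejected so a typo in a cron
# entry cannot train the filter the wrong way round.
train_mailbox() {
    kind="$1"; dir="$2"
    case "$kind" in
        spam|ham) ;;
        *) echo "train_mailbox: kind must be spam or ham, got '$kind'" >&2; return 1 ;;
    esac
    n=$(count_messages "$dir")
    if [ "$n" -lt "$MIN_MESSAGES" ]; then
        echo 0
        return 0
    fi
    # --showdots prints one dot per message; each file is one RFC 822 message
    "$SA_LEARN" --showdots "--$kind" "$dir"/[0-9]*. >/dev/null || return 1
    echo "$n"
}

# One run of the 1:00 AM job: learn both mailboxes, report "spam=N ham=M".
# Clearing the mailboxes afterwards (step 7 of the procedure) should be done
# through an IMAP client or cyradm rather than rm, so that the Cyrus index
# stays consistent with the message files.
nightly_training() {
    spam_n=$(train_mailbox spam "$SPOOL/$JUNK_USER") || return 1
    ham_n=$(train_mailbox ham "$SPOOL/$HAM_USER") || return 1
    echo "spam=$spam_n ham=$ham_n"
}

# Example crontab line (hypothetical path):
#   0 1 * * * root RUN_TRAINING=1 /usr/local/sbin/sa-train.sh
if [ "${RUN_TRAINING:-0}" = 1 ]; then
    nightly_training
fi
```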
These advanced configuration tools use the command line and require knowledge of working in a shell, along with basic scripting skills.

cyradm

The cyradm tool is included in Mac OS X Server. It is an administration shell for Cyrus, the IMAP mail service package. It talks to the Cyrus::IMAP::Admin Perl module. Cyradm can be used to create, delete, or rename mailboxes, and to set ACLs on mailboxes (for compatible mail clients).

Notes:
• Cyradm is a limited shell: it can redirect output like a shell, but it does not understand pipes.
• Cyradm can be used interactively or it can be scripted, but scripting in Perl with Cyrus::IMAP::Admin is more flexible.
• Spaces in directory or file names must be escaped with “\”, as in shells.

For the complete list of cyradm commands, see its man page in Terminal by typing:

man cyradm

Sieve Script Support

Mac OS X Server supports Sieve scripts for mail processing. Sieve is an Internet-standard mail filtering language for server-side filtering. Sieve scripts act on incoming mail before final delivery. Sieve plays the same role as the “rules” in various programs that select or process mail based on user-defined criteria. In fact, some mail clients use Sieve for client-side mail processing. Among other things, Sieve can send vacation notices, sort mail, and forward mail.
Each user's Sieve scripts are kept on the mail server in:

/usr/sieve//

The mail service owns that directory, so users normally do not have access to it and cannot put their own scripts there to process mail. For security reasons, users and administrators upload their scripts to a Sieve process (timsieved) that carries the scripts to mail processing for use. There are several ways to pass scripts to timsieved: Perl shell scripts (“sieveshell”), webmail modules (“avelsieve”), and also some mail clients.

Enabling Sieve Support

For Sieve to work, you must enable its communication port. The Sieve vacation notification extension is added by default. All scripts must be placed in the central script repository in /usr/sieve/, and Sieve scripts cannot be used to process mail for mail aliases defined in Workgroup Manager; you must use Postfix aliases.

To enable Sieve support:

1 Add the following entry to /etc/services/:

sieve 2000/tcp # Sieve mail filtering

2 Reload mail service.

Learning to Write Sieve Scripts

The complete Sieve arguments, commands, and syntax are available in IETF RFC 3028:
www.ietf.org/rfc/rfc3028.txt?number=3028

More information about Sieve, along with a sample script, is available at:
www.cyrusoft.com/sieve

Sample Sieve Scripts

The following scripts are examples of common scripts that users might use. Sieve string literals use straight double quotes, header tests name the actual header field (such as From or Subject), the second and later branches of a test are written elsif, and Cyrus mailbox names start with INBOX.

Vacation Notification Script

#--------
# This is a sample script for vacation rules.
# Read the comments following the pound sign to learn
# what the script does.
#---------
#
# Make sure the vacation extension is used.
require "vacation";
# Declare the script as a vacation script
vacation
# Send the vacation reply to any given sender only once every seven days,
# regardless of how many messages that sender sends.
:days 7
# For all messages sent to these recipients
:addresses ["bob@exemple.com", "robert.utilisateur@serveur.com"]
# Create a message with the following subject
:subject "Réponse d’absence au bureau"
# And compose the message as follows
"Je serai absent jusqu’au 31 décembre. Je ne pourrai répondre que 6 mois après cette date. Salutations, Bob.";
# End of script

Self-Defined Forwarding

#--------
# This is a sample script showing how Sieve can be used
# to let users handle their own mail forwarding.
# Read the comments following the pound sign to learn
# what the script does.
#---------
#
# No extension needs to be added. 'redirect' is built in.
# Redirect all my incoming messages to the given address
redirect "mon-autre-adresse@exemple.com";
# But keep a copy on the IMAP server
keep;
# End of script

Standard Sorting and Junk Mail Filter

#--------
# This is a sample script showing how to file and sort mail.
# Read the comments following the pound sign to learn
# what the script does
#---------
#
# Make sure the fileinto extension is enabled
require "fileinto";
#
# If it comes from my mother...
if header :contains "From" "Maman" {
    # send the message to my home mailbox
    redirect "adresse-maison@exemple.com";
}
#
# If the subject contains a given keyword...
elsif header :contains "Subject" "jonquille" {
    # forward it to the mail administrator
    redirect "postmaster@serveur.edu";
}
#
# If the junk mail filter marked this message as junk...
elsif header :contains "X-Spam-Flag" "YES" {
    # discard it
    discard;
}
#
# If the junk mail filter thinks this is probably junk...
elsif header :contains "X-Spam-Level" "***" {
    # put the message in my junk mailbox
    fileinto "INBOX.Junk";
}
#
# in all other cases...
else {
    # put the message in my inbox
    fileinto "INBOX";
}
# End of script

Chapter 2 Maintaining Mail Service

Once you have set up your mail service, it is important to perform certain regular tasks so that the service runs efficiently and smoothly. The Server Admin application has a number of features that help you with these daily tasks.

This chapter describes maintaining the mail service, the database, and the mail store, including archiving. It also contains information about monitoring mail, logging, and undeliverable mail.

Starting and Stopping Mail Service

As a rule, mail service starts automatically once you have completed all the steps of Server Assistant. You can also use the Server Admin application to start and stop mail service as needed. You may not want to stop mail service entirely, but rather hold outgoing mail or block incoming mail connections.
If you only want to partially disable mail service, see the following sections:
• “Holding Outgoing Mail Service” on page 64
• “Blocking Incoming Mail Connections” on page 64

You do not need to stop and start mail service to load new settings into the mail software. If you only want to apply new settings, see the following section:
• “Reloading Mail Service” on page 65

To start or stop mail service:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Make sure at least one of the mail protocols (SMTP, POP, or IMAP) is enabled.
5 Click Start Service or Stop Service in the menu bar. When the service is on, the Stop Service button is available.

If you plan to disable mail service for an extended period, tell users before you do so.

Holding Outgoing Mail Service

You can prevent mail service from sending new outgoing mail. Do this to isolate a problem or to prevent conflicts with another mail service on your network. You can also use this feature to stop the spread of viruses or the relaying of junk mail from your server.

Holding mail service and disabling SMTP service are two quite different options. Disabling prevents any user connections for outgoing mail, whereas holding outgoing mail service queues messages to be sent later.
All messages are kept in the outgoing mail queue, where they can be inspected or deleted, until you release the hold.

To hold outgoing mail:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Click Hold Outgoing Mail.
5 Click Save.

Blocking Incoming Mail Connections

You can prevent mail service from receiving new incoming mail from external servers. Do this to isolate a problem or to prevent conflicts with another mail service on your network. You can also use this feature to stop the spread of viruses or the relaying of junk mail from external servers.

Blocking incoming mail service and disabling SMTP service are two quite different options. Disabling prevents any queued message from being sent, whereas blocking incoming mail simply refuses the connections that could add a new message to the queue. All attempts to send mail are refused and returned to the sender.

To block incoming connections:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Click Block Incoming Connections.
5 Click Save.

Reloading Mail Service

It is sometimes necessary to reload the mail server so that changes to mail service settings take effect, for example after restoring from a backup or after editing the aliases file. Reloading mail service can be done without interrupting current mail service.
To reload outgoing mail service:

1 Open Terminal.
2 As root, type the following command:

postfix reload

Changing Protocol Settings for Incoming Mail Service

You can change the settings of your incoming mail service by choosing POP3, IMAP, or both.

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the General tab.
4 Check or uncheck the IMAP or POP boxes as needed.

Improving Performance

Mail service must deliver excellent response times over very short periods. It stays idle until a user decides to read or send a message, then transfers the message immediately. It therefore places intense but brief loads on the server. As a rule, the server can handle several hundred simultaneously connected users, provided other services are not placing a heavy, constant load on it (as a QuickTime streaming server would, for example).

The load that mail service places on the server grows as the number of connected users grows. If the performance of your mail service needs improving, do the following:

• Adjust the load users can place on your server by limiting the number of mail connections. For instructions, see “Enabling IMAP Access” on page 28.
• Change the mail storage location to the user's hard disk or one of its partitions. For instructions, see “Specifying the Location of the Mail Database and Mail Store” on page 69.
• Run other services on a different server, especially services that place heavy and frequent loads on the server (each server needs its own Mac OS X Server license).

Working with the Mail Database and Mail Store

The mail database keeps track of messages for all mail service users. Messages are stored in separate files. The following operations can be performed on the database and mail files:

• view and repair the mail store database;
• repair users' mail stores;
• convert the mail database from an earlier version of Mac OS X Server;
• specify where the database and mail files are stored;
• back up and restore the mail store.

All these tasks are described in this section.

Viewing the Location of the Mail Database and Mail Store

You can view the location of the mail store and database, as well as the total size of the mail store. You may need to keep track of the current size of the mail store to better plan mail server resources.

Do not change the location of the mail database or mail store here. See “Specifying the Location of the Mail Database and Mail Store” on page 69 if you want to change these locations.

To view the location of the mail store and database:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Select the Database tab.

Repairing the Mail Database

Mail service consults its mailbox list database every time it tries to deliver a message to a user's inbox. A mail server's mailbox list database can become corrupted. If mail is not delivered to the right user, or messages are not delivered correctly, the database may be corrupted and need to be rebuilt.

Rebuilding a database can be done while the mail server is running. However, the best option is to block incoming connections before rebuilding, to make sure incoming mail is processed against the updated database. For instructions on blocking incoming connections, see “Blocking Incoming Mail Connections” on page 64.

To repair a corrupted mail server database:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Select the Database tab.
4 Click Repair.

Repairing a Mail User Account Database

Mail service updates a user's database of stored messages every time a message is added, deleted, or moved. During these updates, the database can become corrupted. When users report that messages have “disappeared” or become unreadable, the database may be corrupted and need to be rebuilt. Repair an individual user's database when it has clearly been corrupted; the rebuild only repairs the affected mailbox.
Rebuilding a database can be done while the mail server is running.

To rebuild a corrupted user mail database:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Select the Accounts tab.
4 Select the affected user account.
5 Click Rebuild.

Converting the Mail Store and Database From an Earlier Version

If you used earlier versions of Apple Mail Service, you must convert your users' messages and the mail database to the current format. For example, if you upgrade Mac OS X Server version 10.1 or 10.2 to version 10.4, you must migrate your mail database and mail store. If you upgrade from Mac OS X Server version 10.3, you do not need to migrate your mail installation.

To convert the mail store database:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Select the Migration tab.
4 Click Select and choose the location of the old Apple mail service database. By default, the location in versions 10.1 and 10.2 was /Bibliothèque/AppleMailServer.
5 Select the user account to migrate, then click Migrate User.
6 If you want to migrate all users, just click Migrate All.

The mail is exported to the default destination directory and target mailboxes are created as needed.

Note: for the mail database to convert correctly, the server must have enough available disk space.
This space must be at least equal to the size of the database file being converted. If there is not enough available disk space, Server Admin does not convert the database and messages.

Specifying the Location of the Mail Database and Mail Store

If you are starting mail service for the first time and no mail database exists, you can specify where the mail database and message files are stored. By default, the mail database location is /var/imap/ and the mail store location is /var/spool/imap/.

Note: changing the mail store location of an existing mail system does not move mail from the old location to the new one.

To specify the mail storage location on the server:

1 If mail service is already running, stop it. For details, see “Starting and Stopping Mail Service” on page 63.

When mail service starts for the first time, it creates an empty mail store in the default location. You can ignore it or delete it after specifying another mail store location and restarting mail service.

2 In Server Admin, select Mail in the Computers & Services pane.
3 Click Settings.
4 Click the Advanced tab.
5 Click Database. You then see the current location of the mail database and mail store.
6 Click Edit next to the Database Location field.
7 In the Database Location field, type the path to the location where you want to store the mail database.
You can browse for a location by clicking Edit next to the location field.

8 In the Mail Store Location field, type the path to the location where you want to store the mail files. You can browse for a location by clicking Browse next to the location field.

Creating Additional Mail Store Locations

Mail service can adapt easily when you need to change your storage. You can spread the mail store across several disks or file systems. New partitions can be added to the mail store at any time, without downtime and without any special knowledge on the user's part.

To use the new mail store locations, you must designate, in the user record, which partition holds that user's mail store. To do so, type the path to the mail store in the user's mail settings using Workgroup Manager. For more instructions, see Mac OS X Server User Management for Version 10.4 or Later.

The mail store partitions you add can be additional hard disk partitions or remotely mounted file systems. For remotely mounted file systems, NFS is not recommended.

Note: creating new locations does not automatically place mail in those locations. Edit user records in Workgroup Manager to begin delivering mail to the new partitions. Removing a location does not delete the mail it holds, but makes all of its mail folders inaccessible.
To divide the mail store:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Click the Advanced tab.
4 Click Database. You then see, in a list, the current location of the mail database and mail store.
5 To add a location, click the Add (+) button next to the “Additional Mail Stores” box.
a Type a descriptive name for the new mail store location (for example, “Marketing” or “Office”).
b Type the path to the new location (such as /Volumes/espacedestockage2).
c Click OK.
6 To edit a location, click the Edit (/) button next to the “Additional Mail Stores” box.
a Edit the path to the new location.
b Click OK.
7 To delete a location, select the location to delete and click the Delete (-) button next to the “Additional Mail Stores” box.
8 Click Save.

Backing Up and Restoring Mail Messages

You can back up mail service data by making a copy of the mail service folder. If you need to restore this data, you can replace the mail service folder with a backup copy. You can back up individual mail store folders or the entire mail store, as needed.

The ditto command-line tool lets you back up your email messages. For more information, see the man page for ditto.

Important: stop mail service before backing up or restoring the mail service folder.
If you back up the folder while mail service is running, the backup copy of the mail database file may be out of sync. The same applies if you restore while mail service is running.

An incremental backup of the mail service folder can be fast and efficient. If you back up mail data incrementally, only the small database file and the message files created or changed since the last backup are copied.

After restoring this folder, tell users that the messages stored on the server have been restored from a backup copy.

You can find valuable information about backing up mail messages at:
acs-wiki.andrew.cmu.edu/twiki/bin/view/Cyrus/Backup

Monitoring Mail Folders and Messages

This section describes how to perform common administrative tasks for monitoring email messages. It explains how to:
• designate an account as the mail administrator account;
• save email messages for monitoring and archiving.

Allowing Administrator Access to Mail Folders

You can configure IMAP to let the server administrator view the mail service hierarchy. Administrators cannot view the mail itself, only the locations of users' folders. When you log in as the IMAP administrator, you see all the user mail folders stored on the server. Each user's mailbox is shown by the client software in a separate folder. You can delete inactive mailbox folders that belonged to deleted user accounts.
To configure administrator access to mail folders:

1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab and check the Enable IMAP box if it is not already checked.
4 Select an existing user or use Workgroup Manager to create an IMAP administrator user.
5 If you have not created a user record for the mail administrator account, see the user management guide.
6 Open /etc/imapd.conf in a text editor. If you are not comfortable with a terminal text editor such as emacs or vi, you can use TextEdit.
7 Find the line “admins:”.
8 Edit the line to add the administrator account's UID after the colon.
9 Save your changes.
10 In your mail client application, create an account that uses IMAP to connect to your mail service with the mail administrator name.

For more information, see the man page for imapd.conf.

Saving Email Messages for Monitoring and Archiving

You can configure mail service to send blind carbon copies (Bcc) of every incoming or outgoing message to a specified user or group. This can be useful if you need to monitor or archive messages. Mail senders and recipients are not aware that copies of their messages are being archived.

You can set up the specified user or group to receive the blind carbon copies via POP, then set up a mail client application that connects regularly to clean out the account by retrieving all new messages.
It is better to copy and archive the messages regularly, directly from the destination directory, using automated shell commands. You can set up filters in the mail client to isolate certain kinds of messages. You can also archive all messages for legal reasons.

To save all messages:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the General tab.
4 Select the "Copy incoming and outgoing messages to" checkbox and type a user or group name.
5 Click Save.

Monitoring the mail service

This section describes how to use the Server Admin application to monitor:
• overall mail service activity, including the number of incoming and outgoing mail connections;
• the number of users currently connected;
• mail accounts;
• mail service logs.
It also describes how Mac OS X Server reclaims the disk space used by logs, and how to reclaim it manually.

Viewing overall mail service activity

You can use Server Admin to display an overview of mail service activity. The overview shows whether the service is running, when it started, and the incoming and outgoing connections per protocol.

To view an overview of mail service activity:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click the Overview button.

Viewing the list of mail connections

Server Admin can list the users currently connected to the mail service.
For each user you see: user name, client computer IP address, mail account type (IMAP or POP), number of connections, and connection duration.

To view a list of connected users:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click the Connections button.

Viewing the outgoing mail queue

You may need to look at mail that is waiting to be sent. If you have a backlog of undelivered messages, or you have stopped outgoing mail, the queue may hold a number of items. It is also good practice to check delivery to make sure that mail reaches both local and remote hosts. The queue view shows each message's queue ID, sender, recipients, date, and size. You can select a message in the queue and look at its headers in more detail.

To view the outgoing mail queue:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Click the Mail Queue tab.
4 To look at an individual message in more detail, select it.

Deleting messages from the outgoing mail queue

Your outgoing mail queue may contain a backlog of undelivered messages. These are messages that cannot be sent for one of several reasons: a bad address, a destination server that does not respond, or a destination account that has exceeded its quota. In that case you may want to delete some of the messages from the backlog.
To delete a message from the outgoing mail queue:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Click the Mail Queue tab.
4 Select the message to delete.
5 Click Delete.

Viewing mail accounts

You can use Server Admin to display the list of users who have used their mail account at least once. For each account you see: user name, disk quota, disk space used, and the percentage of disk space still available to the user. Mail accounts that have never been used are not listed.

To view a list of mail accounts:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Accounts.

Viewing mail service logs

The mail service maintains the following logs, which you can view in Server Admin:
• Mail Access: general mail service information, logged in the server log.
• IMAP log: IMAP-specific activity.
• POP log: POP-specific activity.
• SMTP log: SMTP-specific activity.
• Mailing list logs: Mailman activity, including service, errors, delivery failures (bounces), posts, and subscriptions.
All logs can be narrowed down with the text filter box in the window.

To view a mail service log:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click the Logs button.
3 Select a log type from the View menu.
4 Click Save.
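Server Admin's Mail Queue tab shows the same Postfix queue that the mailq command prints, and the viewing and deleting procedures above are often easier to automate from Terminal. The script below is an added example, not Apple's tooling: it parses mailq output, lists the deferred messages together with the last delivery error Postfix recorded for each, and prints the postsuper -d commands that would delete those whose error matches a pattern (for example the "quota exceeded" and "User unknown" backlog the text mentions). The mailq output is constructed for the demo; on a live server pipe the real command in, review the output, and only then run the generated commands. To retry instead of delete, postqueue -f asks Postfix to attempt delivery of every deferred message.

```shell
#!/bin/sh
# Work the Postfix queue from a script: list deferred messages with the last
# delivery error, then emit the postsuper commands for clearing them.
# Added example, not Apple's tooling; the mailq output below is constructed.

# Read mailq output on stdin; print one "queue-id TAB sender TAB reason"
# line per deferred message. Active (*) and held (!) entries are skipped.
deferred_messages() {
    awk '
        function emit() {
            if (id != "" && status == "deferred")
                printf "%s\t%s\t%s\n", id, sender, reason
            id = ""
        }
        /^-Queue ID-/ || /^--/ || /^Mail queue is empty/ { next }
        /^[0-9A-Za-z]+[*!]?[ \t]/ && $2 ~ /^[0-9]+$/ {   # start of an entry
            emit()
            id = $1; sender = $NF; reason = ""
            status = (id ~ /[*!]$/) ? "skip" : "deferred"
            sub(/[*!]$/, "", id)
            next
        }
        /^[ \t]*\(/ {                                  # "(last error)" line
            reason = $0
            sub(/^[ \t]*\(/, "", reason); sub(/\)$/, "", reason)
            next
        }
        END { emit() }
    '
}

# Commands to delete every deferred message whose last error matches the
# extended regex $1; printed, not run, so the list can be reviewed first.
purge_commands() {
    deferred_messages | awk -F'\t' -v pat="$1" '$3 ~ pat { print "postsuper -d " $1 }'
}

# Constructed sample of mailq output (one active message, two deferred).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*    1234 Mon Jan  5 10:00:00  alice@example.com
                                         bob@example.net

6F7A8B9C0D     5678 Sun Jan  4 09:00:00  alice@example.com
(connect to mail.example.net[192.0.2.10]:25: Connection refused)
                                         carol@example.net

E1F2A3B4C5      980 Sat Jan  3 08:00:00  MAILER-DAEMON
(host mail.example.org[192.0.2.20] said: 552 quota exceeded (in reply to RCPT TO command))
                                         dave@example.org

-- 8 Kbytes in 3 Requests.'

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MAILQ" | deferred_messages
    printf '%s\n' "$SAMPLE_MAILQ" | purge_commands 'quota exceeded'
fi
# Live use:  mailq | deferred_messages        (review first)
#            mailq | purge_commands 'quota exceeded' | sh
```

With --demo the two deferred entries are listed and a single `postsuper -d E1F2A3B4C5` is generated; the active message is left alone because deleting a message mid-delivery is what the queue manager, not the administrator, should decide.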
Setting the mail service log detail level

Mail service logs can show several levels of detail. The three levels are:
• Low (errors only)
• Medium (errors and messages)
• High (all events)
You can choose the log detail for each service category (outgoing mail, incoming mail, or junk mail filter). Higher levels make the logs grow faster, so pair them with the archiving schedule below.

To set the mail service log detail level:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Other tab.
4 Select the service whose log detail you want to set.
a SMTP covers outgoing mail and connections from external mail servers.
b POP/IMAP covers retrieval of incoming mail by users.
c The Virus/Junk Mail log is for the junk mail service.
5 Select a detail level from the Log Detail Level pop-up menu.
6 Click Save.

Archiving mail service logs on a schedule

Mac OS X Server automatically archives the mail service logs after a given period. Each archived log is compressed and uses less disk space than the original log file. You can customize the schedule to archive logs after a given number of days.

To archive logs on a schedule:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Other tab.
4 Select "Archive logs every ____ days."
5 Enter the number of days.
6 Click Save.
Reclaiming disk space used by mail service log archives

Mac OS X Server automatically reclaims the disk space used by mail service logs once they reach a certain size or age. If you are comfortable with the Terminal application and UNIX command-line tools, you can use the diskspacemonitor tool to monitor disk space at any time and delete or move log archives. For more information, see "diskspacemonitor" in the command-line administration guide.

Dealing with a full disk

When the disk that holds mail messages fills up, the mail service may behave erratically and data may be damaged. Monitoring free space on the mail volume is therefore part of keeping the service available. Expect the following behavior:

Postfix behavior
If the operating system can still run the smtpd process, Postfix will try to run and to accept the message; the message is then rejected with a "disk full" error. Otherwise, its behavior is unpredictable.

Cyrus behavior
If the operating system can run an imapd or pop3d process, the server will try to open the user's mail account. If that succeeds, the user can access mail normally. Any change that requires additions to the database, and so grows its size, can cause the process to hang and corrupt the database.

Handling undeliverable mail

Mail can be undeliverable for several reasons.
You can configure your mail service to forward undeliverable incoming mail, limit delivery attempts for problem outgoing mail, report failed delivery attempts, or change mail service timeouts to improve the chances of a successful connection. Incoming mail can be undeliverable because the address is misspelled or the user account has been deleted. For outgoing mail, non-delivery can be due to a bad address or a malfunctioning destination mail server.

Forwarding undeliverable incoming mail

You can have your mail service forward messages addressed to unknown local users to another real local person or group in your organization. Whoever receives forwarded mail that was not addressed to them (because of a typo in the address, for example) can pass it on to the intended recipient. If forwarding of these undeliverable messages is not explicitly enabled, they are returned to the sender.

Two caveats before enabling this. A catch-all means the server accepts mail for any address in its local domains, so misaddressed spam and address-guessing probes that would otherwise be rejected during the SMTP dialogue all land in the catch-all mailbox. And for luser_relay to catch addresses that are not UNIX accounts, Postfix requires local_recipient_maps to be set to an empty value, which disables recipient validation at the SMTP level entirely (see the Postfix documentation for luser_relay).

To configure forwarding of undeliverable incoming mail:
1 Open /etc/postfix/main.cf in a text editor. If you are not comfortable with a terminal text editor such as emacs or vi, you can use TextEdit.
2 Find the line "luser_relay".
3 Remove the number sign ("#") at the start of the line, if there is one.
4 Edit the line to add the user name, alias, or group of the destination account after the equal sign ("=").
5 Save your changes.
6 Reload the mail server. For more about reloading Postfix, see "Reloading the mail service" on page 65.
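Both hand edits in this chapter, the admins: line in /etc/imapd.conf (earlier) and the luser_relay line in /etc/postfix/main.cf (above), are the same operation: find the key, uncomment it if needed, set its value, and make sure there is exactly one live copy. The helper below is an added example, not Apple's tooling. It keeps a .bak copy, prefers an existing live line over a commented-out one, appends the key when absent, and reads the effective value back for checking. The demo runs on constructed copies of the two files, never the live ones; the account names are assumptions, and Server Admin may overwrite main.cf with its own settings, so re-check after saving from it.

```shell
#!/bin/sh
# Set a "key<sep>value" line in a configuration file, reusing a commented-out
# line when there is no live one, and appending when the key is absent.
# Serves the two hand edits in this chapter: the admins: line in
# /etc/imapd.conf and the luser_relay line in /etc/postfix/main.cf.
# Added example, not Apple's tooling; the demo edits constructed copies.

# set_conf_key FILE KEY SEP VALUE   e.g. set_conf_key main.cf luser_relay " = " postmaster
set_conf_key() {
    file=$1; key=$2; sep=$3; value=$4
    sepc=$(printf '%s' "$sep" | tr -d ' \t')       # separator without padding
    # Prefer an existing live line; fall back to a commented-out one.
    if grep -q "^[[:space:]]*$key[[:space:]]*$sepc" "$file"; then mode=live; else mode=comment; fi
    cp -p "$file" "$file.bak"                      # keep the previous version
    tmp=$(mktemp "$file.XXXXXX")
    awk -v key="$key" -v sep="$sep" -v sepc="$sepc" -v value="$value" -v mode="$mode" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indent and "#"
            if (!done && !(mode == "live" && commented) && index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ ("^[ \t]*" sepc)) { print key sep value; done = 1; next }
            }
            print
        }
        END { if (!done) print key sep value }     # key was absent: append it
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"          # keeps the file owner and mode
}

# conf_value FILE KEY SEPC   prints the live (uncommented) value of KEY.
conf_value() {
    awk -v key="$2" -v sepc="$3" '
        /^[ \t]*#/ { next }
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ ("^[ \t]*" sepc)) {
                sub("^[ \t]*" sepc "[ \t]*", "", rest); print rest
            }
        }' "$1"
}

if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)      # constructed copies of the two files, not the live ones
    printf '%s\n' 'configdirectory: /var/imap' '# admins: ' > "$d/imapd.conf"
    printf '%s\n' 'myhostname = mail.example.com' '#luser_relay = $user@other.host' > "$d/main.cf"
    # Cyrus wants the account's login name here, not a numeric UID (name assumed).
    set_conf_key "$d/imapd.conf" admins ": " mailadmin
    set_conf_key "$d/main.cf" luser_relay " = " mailadmin
    echo "admins = $(conf_value "$d/imapd.conf" admins :)"
    echo "luser_relay = $(conf_value "$d/main.cf" luser_relay =)"
    cat "$d/imapd.conf" "$d/main.cf"
fi
```

After editing the live files, reload Postfix (see "Reloading the mail service") and verify with conf_value; the .bak copy is what you diff against if Server Admin later rewrites the file.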
Copying undeliverable incoming mail

You can have your mail service copy messages addressed to unknown local users to another person or group in your organization, usually the mail administrator. You can use this setting to keep track of mail delivery failures such as SMTP connection refusals or misaddressed mail, or to identify the source of junk mail.

To keep a copy of undeliverable incoming mail:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select "Copy undeliverable mail to" and type a user, group, or alias name.
5 Click Save.

Retrying undelivered outgoing messages

Sometimes the outgoing mail queue contains undelivered messages. These messages are correctly addressed, but for some reason (the destination server is down, a firewall blocks the outgoing SMTP port, and so on) they were not sent. You can try to resend them. Normally the mail server retries on its own, but you may prefer to trigger a retry manually instead of waiting.

To try to resend an outgoing message:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Maintenance.
3 Click the Mail Queue tab.
4 Select the message to resend. Hold down the Shift or Command key to select several messages.
5 Click Retry.

More information

For more information about the mail service, consult the Internet or the documentation on the subject.
Bibliography

For general information about mail protocols and related technologies, see the following books:
• Internet Messaging, by David Strom and Marshall T. Rose (Prentice Hall, 1998), is a good general introduction to mail service.
• For more about MX records, see the section "DNS and Electronic Mail" in DNS and BIND, 3rd edition, by Paul Albitz, Cricket Liu and Mike Loukides (O'Reilly and Associates, 1998).
• Removing the Spam: Email Processing and Filtering, by Geoff Mulligan (Addison-Wesley Networking Basics Series, 1999).
• For the e-mail standards, see Essential Email Standards: RFCs and Protocols Made Practical, by Pete Loshin (John Wiley & Sons, 1999).
• For more about Postfix, see Postfix, by Richard Blum (Sams, 1st edition, 2001).
• For more about Cyrus, see Managing IMAP, by Dianna Mullet and Kevin Mullet (O'Reilly & Associates, 2000).

Internet

The Internet also offers a great deal of information about the various mail protocols, DNS, and related topics. The following website has a good general overview of mail systems: www.wikipedia.org

Request for Comments (RFC) documents give an overview of a protocol or service and describe in detail how the protocol should behave. If you are new to server administration, some of the background in the RFCs will probably be useful. If you are an experienced administrator, the corresponding RFC gives all the practical and technical detail about a protocol.
You can look up RFC documents by number at: www.faqs.org/rfcs

See the following RFCs for technical details on how the mail protocols work:
• POP: RFC 1725 (since superseded by RFC 1939)
• IMAP: RFC 2060 (since superseded by RFC 3501)
• SMTP: RFC 821, and RFC 822 for the message format (since superseded by RFC 2821 and RFC 2822)
• Sieve: RFC 3028
For more about Postfix, see: www.postfix.org
For more about Cyrus, see: asg.web.cmu.edu/cyrus
For more about Sendmail, see: www.sendmail.org
For more about SquirrelMail, see: www.squirrelmail.org
For more about Sieve, see: www.cyrusoft.com/sieve
For more about servers that filter junk mail, see: www.ordb.org (ORDB ceased operation in 2006, so treat this as historical)

Mailing lists

Mailing lists distribute one message to many recipients. There are a few fundamental differences between mailing lists and workgroups. First, mailing lists are not tied to file or directory permissions. Second, mailing lists can be administered by someone other than the workgroup or server administrator. More importantly, mailing list subscribers do not need any kind of account (mail or file access) on the list server; any e-mail address can be added to the list. Finally, list users can usually subscribe and unsubscribe themselves.

Mac OS X Server uses Mailman version 2.1.2 as its mailing list service.
Some of Mailman's main features include (from www.list.org/features.html):
• web-based list administration for nearly every task, including per-list configuration, per-list moderation (posting permissions), and per-list user account management;
• web-based subscription, unsubscription, and user configuration management. Users can temporarily disable their account, select digest modes, hide their e-mail address from other users, and so on;
• a customizable home page for each mailing list;
• per-list privacy features, such as closed subscriptions, private archives, private membership rosters, and sender-based posting rules;
• configurable delivery modes (per list and per user);
• built-in bounce detection within an extensible framework;
• automatic handling of bouncing addresses (disable, unsubscribe);
• built-in spam filters;
• built-in web-based archiving, with links to external archivers;
• a built-in Usenet gateway;
• built-in auto-replies;
• mailing-list-manager-style commands for use by e-mail;
• support for multiple list owners and moderators;
• support for virtual domains;
• compatibility with most web servers and browsers and with most SMTP servers. Requires Python 2.1.3 or later;
• a flexible mail delivery pipeline architecture;
• high-performance mail delivery with an extensible architecture.
You can find more information about Mailman at: www.list.org

Setting up a mailing list

This section describes the process of setting up a mailing list. You need to enable the service, define the list name, and add subscribers to the list. When you create a mailing list for the first time, you must define a master password that lets you control all the lists. Do not reuse an administrator or user password: this password is sent by e-mail to the list administrators, and anyone who can read that mail can control every list. You also define the e-mail addresses of the other administrators who receive the master password.

Enabling mailing lists

Before you can define mailing lists and subscribers, you must enable the list service and create the default administrators' mailing list. When you enable mailing lists, you also set a password that lets you administer every list on the server, and a special list for the mailing list administrators is created automatically. The mailing list administrators receive a copy of the master list password and the error notifications.

Note: this list (called "Mailman") must exist for mailing lists to work properly. Do not delete the master list.

To enable mailing lists:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Click Enable Mailing Lists.
5 Enter the master list password.
6 Enter the e-mail addresses of the list administrators. You must enter at least one administrator, who will receive notifications about the mailing list service. You can add as many as you like.
7 Click Save.
The Mailman list is created and it sends the master password to the administrators you specified.

Creating a new mailing list

Mailing lists distribute one message to many recipients. Once you have created a mailing list, any e-mail sent to the list's address is sent to every member of the list. Mailing lists have list administrators who can edit the list's membership and its settings. List membership can be automated, so that list administrators do not have to add and remove members; the members do it themselves.

To create a new list:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Click the Add (+) button under the Lists pane.
5 Type the list name. The mailing list name is the name of the mail account that list users send their messages to. The name is not case-sensitive and cannot contain spaces.
6 Type the e-mail address of the list administrator. If you enter only a name, it must be a user name on the server. If you enter an address of the form "username@domain", the administrator does not have to be a local user.
7 If you want, select "Users can subscribe themselves".
8 Choose the list's default language: English, German, Japanese, Korean, Russian, or Spanish. This setting determines the language of the text the list generates.
9 Select any additional languages the list supports.
10 Click OK.
11 Click Save.
You can now add members to the list. To add members, see "Adding members" on page 88. If you allowed users to subscribe themselves, they can do so by e-mail or through the web administration page.

Setting the maximum message size

You can set the maximum size of a message the list accepts. For example, you can reject large attachments by setting a small maximum, or allow file collaboration by setting an unlimited message size. Use Server Admin to set the maximum message size.

To set the maximum message size for a list:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list whose message size you want to set.
5 Click the Edit (/) button under the Lists pane.
6 Enter the maximum message size (in KB). If you enter 0, there is no limit.
7 Click OK.

Creating a mailing list description

It is sometimes hard to tell from a list's name what its scope and subject are. The list information page contains a description of the list, the subject matter it covers, and sometimes who is allowed to subscribe. This information is particularly useful for self-subscription lists; a prospective member can decide from the description whether to subscribe. You can use the web-based interface to set the mailing list description. Web services must be enabled to reach the web-based interface.

To create a list description:
1 Enter the URL of the list's administration page in a web browser.
This is usually: /mailman/admin/
2 Enter the master list password and click "Let me in". This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Make sure General Options is selected in the Configuration Categories link section.
4 Enter a short phrase in the description text box.
5 Enter a few lines about the list, its rules, and what to expect of its content in the info text box.
6 Click Submit Your Changes.

Customizing the mailing list welcome message

When new members join a mailing list, whether by assignment or by self-subscription, they receive an automated welcome message. This message explains where to find the list archives and how to unsubscribe. You can customize it by adding text, describing the list's background and rules, or giving any other information you want members to have. You can use the web-based interface to set the mailing list welcome message. Web services must be enabled to reach the web-based interface.

To customize the member welcome message:
1 Enter the URL of the list's administration page in a web browser. This is usually: /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Make sure General Options is selected in the Configuration Categories link section.
4 Enable the option "Send welcome message to newly subscribed members".
5 In the text box "List-specific text prepended to...", enter the text you want to include.
6 Click Submit Your Changes.

Customizing the mailing list unsubscribe message

When a user leaves a mailing list, whether removed by the list administrator or unsubscribed by their own request, they receive an automated unsubscribe message. This message confirms the unsubscription. You can customize it by adding any information you want to give users once they have left the list. You can use the web-based interface to set the mailing list unsubscribe message. Web services must be enabled to reach the web-based interface.

To customize the member unsubscribe message:
1 Enter the URL of the list's administration page in a web browser. This is usually /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Make sure General Options is selected in the Configuration Categories link section.
4 Enable the option "Send goodbye message to members...".
5 In the text box "Text sent to people leaving the list...", enter the text you want to include.
6 Click Submit Your Changes.

Enabling a mailing list moderator

You can create a restricted list, in which posts must be approved by a list administrator before they are sent to the list.
Designate "list moderators", who have limited administrative permissions. They cannot change the list's options, but they can approve or reject subscription requests and posts. When moderators enter their password on the list administration page, a page with the moderation functions available to them appears. You can use the web-based interface to set up mailing list moderation. Web services must be enabled to reach the web-based interface.

To enable list moderation:
1 Enter the URL of the list's administration page in a web browser. This is usually /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Make sure General Options is selected in the Configuration Categories link section.
4 Enter the addresses of the list moderators you want to include in the text box labeled "The list moderator email addresses".
5 Click Submit Your Changes.
6 Select Passwords in the Configuration Categories link section.
7 Type a password in the moderator password field and confirm it.
8 Click Submit Your Changes.

Setting the mailing list bounce options

When a list message is not delivered and is returned (bounced) to the list server, you can define how the list server handles the resulting bounce. You can use the web-based interface to set the mailing list bounce options.
Web services must be enabled to reach the web-based interface.

To set the bounce options:
1 Enter the URL of the list's administration page in a web browser. This is usually: /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Select Bounce Processing in the Configuration Categories link section.
4 Select the bounce processing options you want. Each option section has a link to a help page that explains what the option does.
5 Click Submit Your Changes.

Making a mailing list private

You may not want some lists to appear on the web-based list access page. You can make a list "private", in which case it is not shown at: /mailman/listinfo
Note that hiding a list is not access control: anyone who knows the list's address can still subscribe or post according to the subscription and posting rules, so set those rules on the same Privacy Options pages if the list is meant to be restricted.

You can use the web-based interface to set a list's privacy options. Web services must be enabled to reach the web-based interface.

To set the privacy options:
1 Enter the URL of the list's administration page in a web browser. This is usually /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and sent to all the list administrators designated at that time.
3 Select Privacy Options, then Subscription Rules, in the Configuration Categories link section.
4 Deselect "Advertise this list..." in the privacy list.
5 Click Apply Changes.
Adding Members
Use Server Admin to add members to a mailing list. Mailing list subscribers do not need an account of any kind (mail or file access) on the list server; any email address can be added to the list. You must have an existing list before you can add a subscriber. If the subscriber is a user of the mail server, you can use the Users & Groups button to add a local subscriber to the list.
To add members:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list to which you want to add a subscriber.
5 Click the Add (+) button below the Members pane.
6 Type the recipient's email address. If you are entering several subscribers, enter all of their email addresses, or drop a plain-text list into the User IDs box. If the subscribers are users of the mail server, you can use the Users & Groups button to add a local group to the list.
7 Assign user privileges.
Users subscribed to the list: the user receives mail sent to the list address.
Users can post to the list: the list accepts mail sent by the user.
Users can administer the list: the user has permissions to administer the list.
8 Click OK.
Administering Mailing Lists
Mailing lists can be administered by a designated list member, called the “list administrator” or “list manager.” List administrators can add or remove subscribers and designate other list administrators.
They can also designate “list moderators,” who have very limited administrative permissions. Moderators cannot change the list's options, but they can approve or reject subscription requests and postings.
Mailman uses a web-based interface as well as an email-based administrative system. Web services must be enabled to access the web-based interface. There are dozens of configuration options available for Mailman mailing lists that are not accessible through Server Admin.
For the web-based administration interface, see: /mailman/listinfo
For information about, and access to, a specific list, see: /mailman/listinfo/
For documentation of these functions for users, list administrators, and server administrators, see: www.list.org/docs.html
Viewing a Server's Mailing Lists
You can view the public (non-private) lists running on the server. They are displayed through the server's web-based information portal. Web services must be enabled to access the web-based interface.
To view the lists:
• Open a web browser and enter the list URL: /mailman/listinfo
Viewing a Mailing List's Information Page
Each list has an information page on the server that gives basic information about the list and explains how to correspond with it, how to subscribe, and how to access your subscription preferences. You access the list information page with a web browser. Web services must be enabled to access the web-based interface.
To view the list information page:
• Open a web browser and enter the list URL.
/mailman/listinfo/
Designating a List Administrator
When you set up a mailing list, designate at least one user to administer it. The administrator can access the other list settings pages for all lists on the server. You can designate several list administrators, and any member can be made an administrator and vice versa. You can add, remove, or change a list administrator by following these instructions.
List administrators do not need to be users (neither administrators nor regular users) of the server. They are listed as email addresses. Giving a member list administrator permissions grants no other permissions on the mailing list server beyond being able to create and delete lists and change list preferences.
To designate a list administrator:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list that contains the member to whom you want to give list administrator permissions. If the user is not yet subscribed to the list, you must subscribe the user first. For details, see “Adding Members” on page 88.
5 Select the member you want.
6 Check or uncheck “Admin,” as appropriate, in the member list.
7 Click OK.
Accessing Web-Based Administrator Options
List administrators must set preferences for the behavior of the mailing list and view pending moderation requests for the mailing lists running on a server. These tasks, and many others, are performed through the server's web administration portal. Web services must be enabled to access the web-based interface.
Server Admin does not give access to the full range of preferences available for a mailing list. List administrators are better served by the web-based interface for all configuration tasks beyond the most basic ones. You can find information about the options available through the web interface at: www.list.org/docs.html
To access a list's web-based options:
1 Enter the URL of the list administration page in a web browser. This is typically: /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and was sent to all list administrators designated at that time.
3 Change the list configuration as you wish.
Designating a List Moderator
When you set up a mailing list, you can designate another user to moderate it.
To designate a list moderator:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list that contains the member you want.
5 Click the Edit (/) button below the Lists pane. Hold down the Shift or Command key to select several subscribers.
6 Check or uncheck the “Users can administer the list” box as needed.
7 Click OK.
Archiving a List's Email
All messages sent to a mailing list can be archived and consulted later. Messages are grouped into archive volumes and ordered by time and date. You can decide whether a list's archives are accessible to non-subscribers and how often the archives are updated.
By default, archives are located at: /pipermail/
You can use the web-based interface to set the mailing list's archive preferences. Web services must be enabled to access the web-based interface.
To archive a list's email:
1 Enter the URL of the list administration page in a web browser. This is typically: /mailman/admin/
2 Enter the master list password. This is not the user's password. The master list password was set when mailing lists were enabled on the server and was sent to all list administrators designated at that time.
3 Select “Archiving Options” in the Configuration Categories section.
4 Select Yes next to “Archive messages?”
5 Choose whether the archives are public or private.
6 Set how often a new archive volume is started.
7 Click Apply Changes.
Viewing Mailing List Archives
If the list administrator has enabled message archiving, you can search for and access archived messages.
To view a list's archives:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/archives/
2 Select the year and month of the archives you want to view.
Working With Mailing List Members
Once a list has been created, you can add users to it or remove them. You can grant list administration permissions to a user, or change whether a user can receive or post messages.
Adding a Subscriber to an Existing List
This is the same procedure as adding a user to a newly created list.
To add a subscriber to an existing list:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list to which you want to add a subscriber.
5 Click the Add (+) button below the Members pane.
6 Type the recipient's email address. The email address must match the recipient's return address so that messages the subscriber sends are not held for administrator approval. If the user was added with the Users & Groups button, the email address appears in the list as “user@server.domain.com”. If necessary, change the email address in the Mailing Lists pane of Server Admin to match the return address used by the client.
7 Assign subscriber privileges.
8 Click OK.
Removing a Subscriber From a List
You can remove a subscriber from a mailing list, either forcibly or on request.
To remove a member from a list:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list from which you want to remove a subscriber.
5 Select the subscriber in the Members pane. Hold down the Shift or Command key to select several subscribers.
6 Click the Delete (-) button below the Members pane.
7 Confirm the deletion.
Changing Posting Permissions for Subscribers
It is sometimes useful to create an “announce-only” list; recipients of such a list cannot post messages to the list address.
To add or remove a subscriber's posting permissions:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list that contains the member you want.
5 Click the Edit (/) button below the Lists pane. Hold down the Shift or Command key to select several subscribers.
6 Check or uncheck the “Users can post to the list” box.
7 Click OK.
Suspending a Subscriber
You can keep a user on a mailing list, allowing the user to post messages to the list without receiving the list's messages. To do this, you temporarily suspend the user's subscription to the list.
To suspend a user's subscription to a list:
1 In Server Admin, select Mail in the Computers & Services list.
2 Click Settings.
3 Select the Mailing Lists tab.
4 Select the list that contains the member you want.
5 Click the Edit (/) button below the Lists pane. Hold down the Shift or Command key to select several subscribers.
6 Check or uncheck the “Users subscribed to the list” box as needed.
7 Click OK.
List Member Options
A subscriber can customize certain aspects of his or her mailing list subscription. Without being designated a “list administrator,” and without having any user permissions on the server, the user can control a few aspects of the subscription. The following section gives instructions for some general settings your users may want to customize. You can find a complete list of configurable options and usage instructions on the Mailman documentation page: www.list.org/docs.html
Subscribing to a Mailing List by Email
You can subscribe to lists by email. Send a message to the list's subscription address.
Depending on the list's settings, you may have to confirm your subscription or wait for the moderator's approval. In any case, you do not need to subscribe both by email and over the web; one is enough. You can subscribe yourself if the list allows automatic subscription.
To subscribe by email:
1 Open the mail program that holds the address you want to subscribe.
2 Send an email message to the list's subscription address, which is typically: LISTNAME-join@DOMAIN
The subject and body of the message are ignored.
Subscribing to a Mailing List Over the Web
You can subscribe to lists using the web interface. Go to the list information page and enter your email address and a password for your list preferences. Depending on the list's settings, you may have to confirm your subscription or wait for the moderator's approval. In any case, you do not need to subscribe both over the web and by email; one subscription is enough. You can subscribe yourself if the list allows automatic subscription.
To subscribe over the web:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and your name (the name is optional).
3 Set a password for using the list and type it twice to confirm it.
This should not be a login password, nor a password used in any context other than administering your list options. It may at times be sent to you in plain text.
4 Select your digest mode preference. If you choose to receive a daily digest instead of each list message separately, you receive one email per day. To change your digest mode after subscribing, see “Switching to Digest Mode” on page 97.
5 Click Subscribe.
Unsubscribing From a Mailing List by Email
Unsubscribing from a mailing list is a process similar to subscribing to a mailing list by email. Depending on the list's settings, you may have to confirm your unsubscription or wait for the moderator's response.
To unsubscribe by email:
1 Open the mail program that holds the address that receives the mailing list's messages.
2 Send an email message to the list's subscription address, which is typically: LISTNAME-join@DOMAIN
The subject and body of the message are ignored.
3 Follow the instructions in the confirmation email.
Unsubscribing From a Mailing List Over the Web
Unsubscribing from a mailing list over the web is a process similar to subscribing to a mailing list over the web. Depending on the list's settings, you may have to confirm your unsubscription or wait for the moderator's response.
To unsubscribe over the web:
1 Enter the URL of the list information page in a web browser.
This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click “Unsubscribe or edit options.”
3 Click Unsubscribe.
Setting and Changing Your Mailing List Password
Your mailing list password is used to change the preferences attached to a given list. This password should not be one you value for anything else: it is periodically sent to you in plain text by the lists you subscribe to.
To set or change your password:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click Unsubscribe or edit options.
3 Enter your password and click Log in. This is not your user password. If you subscribed through the web interface, you chose a list password. If you subscribed by email, or were subscribed through Server Admin, your password is empty.
4 Find the password section of the subscription page.
5 Enter a new password in the field provided, then enter it again to confirm it. To change your password for all the lists you belong to on this server, select Change globally.
6 Click Change My Password.
Disabling Mail Delivery From a List
You may want to temporarily disable delivery of a mailing list's messages; for example, to avoid receiving excess mail while you are on vacation.
To disable delivery for a single list:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click Unsubscribe or edit options.
3 Enter your password and click Log in. This is not your user password. If you subscribed through the web interface, you chose a list password. If you subscribed by email, or were subscribed through Server Admin, your password is empty.
4 In the Mail delivery section, select Disabled. To disable delivery for all the lists you belong to on this server, select Change globally.
5 Click Apply Changes.
Switching to Digest Mode
In digest mode, a single email is sent per day, regardless of the list's mail volume. You can either receive every message or receive a single digest message. If your list delivery is set to digest mode On, you receive a single digest message per day.
To switch to digest mode:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click Unsubscribe or edit options.
3 Enter your password and click Log in. This is not your user password. If you subscribed through the web interface, you chose a list password. If you subscribed by email, or were subscribed through Server Admin, your password is empty.
4 In the Set Digest Mode section, choose whether or not you want to receive a daily digest by clicking On or Off.
5 Click Apply Changes.
Switching Between MIME and Plain-Text Digests
If you subscribe to a mailing list and receive digests (a single email containing each day's messages), you can choose to receive them as a MIME digest (a bundle of individual messages) or as a plain-text digest (a single message containing the text of all the messages).
To switch message types:
1 Enter the URL of the list information page in a web browser. This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click Unsubscribe or edit options.
3 Enter your password and click Log in. This is not your user password. If you subscribed through the web interface, you chose a list password. If you subscribed by email, or were subscribed through Server Admin, your password is empty.
4 In the “Get MIME or Plain Text Digests” section, select the digest type you want. To set the digest type for all the lists you belong to on this server, select Change globally.
5 Click Apply Changes.
Setting Additional Subscriber Options
Subscribers can change other list membership options, including:
• their email address;
• their name as shown on the list;
• acknowledgement of the messages they post;
• handling of message copies.
These options are available on your subscription options page.
To access these other options:
1 Enter the URL of the list information page in a web browser.
This is typically: /mailman/listinfo/
2 In the Subscriber section of the web page, enter your email address and click Unsubscribe or edit options.
3 Find the options you want to change and follow the onscreen instructions.
More Information
You can review Mailman's features and characteristics at: www.list.org
You will also find the following information at www.list.org/docs.html:
• web-based subscriber and administration commands;
• email-based subscriber and administration commands;
• lists of frequently asked questions.
101 Appendix Certificates and Security
Mac OS X Server supports a number of services that use SSL to ensure encrypted data transfer. It uses a public key infrastructure system to create and maintain identity certificates for use with SSL-enabled services.
Public Key Infrastructure
Public Key Infrastructure (PKI) systems allow the two parties in a data transaction to authenticate each other, and to use encryption keys and other information held in identity certificates to encrypt and decrypt the messages exchanged between them. PKI lets communicating parties establish confidentiality, message integrity, and authentication of the message's origin without exchanging any secret information in advance.
SSL (Secure Sockets Layer) relies on a PKI to secure data transmission and user authentication. It creates an initial secure communication channel that allows faster, confidential transmission of keys.
Mac OS X Server uses SSL to provide encrypted data transmission for mail, web, and directory services. The following sections give more background on keys in a PKI system:
• “Public and Private Keys”
• “Certificates”
• “Certificate Authorities (CA)”
• “Identities”
Public and Private Keys
Two digital keys are created within a PKI system: the public key and the private key. The private key is not distributed to anyone and is often encrypted with a passphrase. The public key, by contrast, is distributed to the other communicating parties. The main capabilities of the keys are as follows:
Key type: Public keys
• They can encrypt messages that can be decrypted only by the holder of the corresponding private key.
• They can verify that a message's signature was produced by a private key.
Key type: Private keys
• They can digitally sign a message or a certificate to provide authentication.
• They can decrypt messages encrypted with a public key.
• They can encrypt messages that can be decrypted only by the private key in question.
Web, mail, and directory services use the public key together with SSL to obtain a shared key for the duration of the connection. For example, a mail server sends its public key to a connecting client and begins negotiating a secure connection. The connecting client uses the public key to encrypt the response it sends for the negotiation. The mail server can decrypt the response with its private key. The negotiation continues until the mail server and the client can encrypt the exchanges between the two computers with a shared secret.
Certificates
Public keys are often associated with certificates. A user can digitally sign messages with his or her private key, and another user can verify the signature with the public key contained in the signer's certificate, issued by a certificate authority (CA) within the PKI.
A public key certificate (sometimes called an “identity certificate”) is a document in a specific format (Mac OS X Server uses the X.509 format) that contains:
• the public key of a public/private key pair;
• information about the identity of the key's user, such as name and contact information;
• a validity period (the length of time the certificate is considered valid);
• the URL of a party authorized to revoke the certificate (its “revocation center”);
• the digital signature of either the certificate authority or the key's user.
Certificate Authorities (CA)
A certificate authority is an entity that signs and issues digital identity certificates vouching for the identified party. In this sense it is a trusted third party between the two parties to a transaction. In X.509 systems, certificate authorities are hierarchical by nature: they are certified by other certificate authorities, up to a “root authority.” The certificate hierarchy always runs from the top down, with the root authority's certificate at the top.
A root authority is a certificate authority that is trusted by all the interested parties, or at least by one of them, and therefore does not need to be authenticated by another trusted third party. A certificate authority may be a company that, for a fee, signs and issues a public key certificate attesting that the public key contained in the certificate belongs to its owner as recorded in the certificate. In a sense, the certificate authority is a “digital notary.” A person requests a certificate from the certificate authority by providing identity, contact information, and the public key. A certificate authority can verify an applicant's identity; users can then trust certificates issued by the certificate authority as belonging to the identified applicant.
Identities
Identities, in the context of the Mac OS X Server certificate manager, consist of a signed certificate for both keys of a PKI key pair. Identities are used by the system keychain and can also be used by the services that support SSL.
Self-Signed Certificates
Self-signed certificates are certificates that are digitally signed by the private key belonging to the key pair included in the certificate. This takes the place of a certificate authority's signature. When you self-sign a certificate, you are asserting that you are who you claim to be. No trusted third party is involved.
Server Admin's Certificate Manager
The Mac OS X Server certificate manager is built into Server Admin to help you create, use, and maintain identities for SSL-enabled services.
Certificate Manager provides integrated management of SSL certificates in Mac OS X Server for all services that allow the use of SSL certificates. Certificate Manager lets you create self-signed certificates and certificate signing requests (CSRs) for obtaining a certificate signed by a certificate authority. Services that support SSL have access to the certificates, whether self-signed or signed by a certificate authority.
Identities that were previously created and stored in OpenSSL files can also be imported into Certificate Manager; all services that support SSL then have access to them.
Server Admin's Certificate Manager does not let you sign and issue certificates as a certificate authority or as a root authority. If you need either of these functions, you can use Apple's Certificate Assistant in /Applications/Utilitaires/. It enables these functions and many others. Self-signed and CA-signed certificates from Apple's Certificate Assistant can be used in Certificate Manager: simply import the certificate.
For each certificate, Certificate Manager displays the following attributes:
• the domain name for which the certificate was issued;
• its validity dates;
• the authority that signed it (for example, the certificate authority entity; if the certificate is self-signed, “Self-signed” is displayed).
Preparing Certificates
Before you can use SSL in Mac OS X Server services, the certificates must be created or imported. You can create your own self-signed certificate, generate a certificate signing request (CSR) to send to a certificate authority, or import a certificate previously created with OpenSSL.
Requesting a certificate from a certificate authority
Certificate Manager lets you create a certificate signing request (CSR) to send to the certificate authority of your choice.
To request a signed certificate:
1 In Server Admin, select the server that contains services that support SSL.
2 Click Settings.
3 Select the Certificates tab.
4 Click the Add (+) button.
5 Fill in the identity information fields. The common name is the fully qualified domain name of the server that will use the SSL-enabled services.
6 Enter the start and end validity dates.
7 Select a private key size (1024 bits is the default).
8 Enter a passphrase for the private key.
9 This passphrase should be more secure than an ordinary password. It is recommended to use at least 20 characters, to include changes of case, digits and/or punctuation, not to repeat characters, and not to use words found in a dictionary.
10 Click "Request Signed Certificate...".
11 Follow the on-screen instructions to request a signed certificate from the certificate authority you have chosen. For example, you may need to do this online or enter an email address.
12 Click Send Request.
13 Click Save.
14 When the certificate authority replies to your message, it will include the certificate in the text of a message.
15 Make sure the identity is open again in the Certificates tab.
16 Click "Add Signed Certificate".
17 Copy the characters into the text box from "==Begin CSR==" to "==End CSR==".
18 Click OK.
19 Click Save.

Creating a self-signed certificate
Each time you create an identity in Certificate Manager, you create a self-signed certificate.
Certificate Manager creates a public/private key pair in the system keychain with the key size you specified (512 - 2048 bits). It then creates the corresponding self-signed certificate in the system keychain. While the self-signed certificate is being created, a certificate signing request (CSR) is also prepared. It is not stored in the keychain but is written to disk at /etc/certificats/cert.nom.commun.tld.csr, where "nom.commun.tld" stands for the common name of the certificate that was issued.
To create a self-signed certificate:
1 In Server Admin, select the server that contains services that support SSL.
2 Click Settings.
3 Select the Certificates tab.
4 Click the Add (+) button.
5 Fill in the identity information fields. The common name is the fully qualified domain name of the server that will use the SSL-enabled services.
6 Enter the start and end validity dates.
7 Select a private key size (1024 bits is the default).
8 Enter a passphrase for the private key.
9 This passphrase should be more secure than an ordinary password. It is recommended to use at least 20 characters, to include changes of case, digits and/or punctuation, not to repeat characters, and not to use words found in a dictionary.
10 Click Save.

Importing a certificate
You can import into Certificate Manager a previously prepared OpenSSL private key and certificate. These items are stored and listed among the identities; they are available to SSL-enabled services.
To import an existing OpenSSL-style certificate:
1 In Server Admin, select the server that contains services that support SSL.
2 Click Settings.
3 Select the Certificates tab.
4 Click the Import button.
5 Enter the file name and path of the existing certificate, or browse to its location.
6 Enter the file name and path of the private key, or browse to its location.
7 Enter the private key's passphrase.
8 Click Import.

Managing certificates
Once they are created and signed, there is not much left to do with certificates. They can be edited only through Server Admin and cannot be edited once signed by a certificate authority. Self-signed certificates, however, can be edited. It is advisable to delete certificates if the information they contain (contact information, etc.) is no longer correct, or if you think the key pair may have been compromised in any way.

Editing a certificate
Once a certificate has been signed by a certificate authority, it cannot be edited. A self-signed certificate, however, can be edited. All certificate fields (including the domain name, the private key passphrase, the private key size, etc.) can be changed. If the identity was exported to disk from the system keychain, it will have to be exported again.
To edit a certificate:
1 In Server Admin, select the server that contains services that support SSL.
2 Click Settings.
3 Select the Certificates tab.
4 Select the certificate identity to edit. It must be a self-signed certificate.
5 Click the Edit (/) button.
6 Click Save.

Deleting a certificate
When a certificate has expired or been compromised, it must be deleted.
To delete a certificate:
1 In Server Admin, select the server that contains services that support SSL.
2 Click Settings.
3 Select the Certificates tab.
4 Select the certificate identity to delete.
5 Click the Delete (-) button.
6 Click Save.

Using certificates
In Server Admin, the various services such as web services, mail services and many others display a local list of certificates to the administrator, who can choose among them. These services have different layouts, so the local list may appear in a different place. Consult the administrator's guide for the service you are trying to use with a certificate.

Glossary
This glossary defines the terms and spells out the abbreviations you may encounter while using the online help or other Mac OS X Server documentation. References to terms defined elsewhere in this glossary appear in italics.

ACL or access control list: A list maintained by a system that defines the rights of users and groups to access system resources.
list administrator: The administrator of a mailing list. List administrators can add or remove subscribers from a mailing list and designate other list administrators. They are not necessarily administrators of the local computer or of the domain.
address: A number or other identifier that uniquely identifies a computer on a network, a set of data stored on a disk, or a location in a computer's memory. See also IP address, MAC address.
IP address: A unique numeric address identifying a computer on the Internet.
static IP address: An IP address permanently assigned to a computer or device.
MAC address: Media Access Control address. A hardware address that uniquely identifies each node on a network. For AirPort devices, the MAC address is called the AirPort ID.
mail access agent: See MAA.
mail user agent: See MUA.
mail transfer agent: See MTA.
alias: Another email address on your domain that redirects incoming messages to an existing user.
alphanumeric: Containing characters that include letters, numbers and punctuation marks (such as _ and ?).
authentication: The process of certifying a user's identity, typically based on validating a user name and password. Authentication generally precedes the authorization process, which determines the user's level of access to a resource. For example, file service grants full access to the folders and files owned by an authenticated user.
APOP authentication: An extension to the POP3 mail protocol. It ensures that the user name and password are encrypted before being used to authenticate with a mail server.
permissions: Settings that define the type of access users have to shared items in a file system. You can assign four types of access permissions to a share point, folder or file: read/write, read only, write only and none (no access). See also privileges.
certificate authority: An authority that issues and manages digital certificates in order to ensure that data is transmitted securely over a public network. See also public key infrastructure and certificate.
certification authority: See certificate authority.
hacker: A person who enjoys programming and explores different ways of programming new features and expanding the capabilities of a computer system. See also cracker.
bit: A unit of information with a value of 0 or 1.
character: Synonym for byte.
wildcard: A range of possible values for any segment of an IP address.
certificate: Sometimes called an "identity certificate" or "public key certificate". A file in a particular format (Mac OS X Server uses the x.509 format) that contains the public key of a public/private key pair, the user's identity information such as name and contact information, and the digital signature of either a certificate authority (CA) or the key user.
identity certificate: See certificate.
public key certificate: See certificate.
private key: One of the two asymmetric keys used in a PKI security system. The private key is not distributed and is generally encrypted with a passphrase by its owner. It can digitally sign a message or certificate to provide authentication, or decrypt messages encrypted with the corresponding public key. Finally, it can encrypt messages that can only be decrypted by that same private key.
public key: One of the two asymmetric keys used in a PKI security system. The public key is distributed to the other communicating parties. It can encrypt messages that can be decrypted only by the holder of the corresponding private key, and it can verify the signature on a message produced with the corresponding private key.
client: A computer (or a user of the computer) that requests data or services from another computer or server.
access control: A method of controlling which computers can access a network or network services.
backup: A set of data stored so that it can be recovered if the original copy of the data is lost or becomes inaccessible.
firewall: Software designed to protect the network applications running on your server.
The IP firewall service, built into the Mac OS X Server software, examines incoming IP packets and rejects or accepts them based on the filters you have set.
encryption: The process of obscuring data so that it cannot be read without special knowledge. Generally used for confidential and secure communications. See also decryption.
public key cryptography: A method of encrypting data that uses a pair of keys, one public and one private, obtained from a certification authority. One key is used to encrypt messages and the other to decrypt them.
decryption: The process of recovering encrypted data using special knowledge. See also encryption.
DNS: Domain Name System. A distributed database that maps IP addresses to domain names. A DNS server, also called a "name server", keeps a list of names and the IP addresses associated with each name.
Domain Name System: See DNS.
domain: Part of the domain name of a computer on the Internet. It does not include the top-level domain designation (for example .com, .net, .us, .uk). The domain name "www.exemple.com" consists of the subdomain or host name "www", the domain "exemple" and the top-level domain "com".
DNS domain: A unique name of a computer, used in the Domain Name System (DNS) to convert between IP addresses and names. Also called domain name.
local domain: A directory domain that can be accessed only from the computer on which it resides.
virtual domain: Another domain that can be used in the email addresses of your mail users. Also, the list of all domain names for which your mail server is responsible.
mail exchange record (MX record): See MX record.
MX record: Mail exchange record.
An entry in a DNS table that determines which computer handles mail for an Internet domain. When a mail server has to deliver messages to an Internet domain, it requests the MX record for that domain. The server sends the messages to the computer specified in the MX record.
Ethernet: A common local area networking technology in which data is transmitted in units called packets, using protocols such as TCP/IP.
ISP: Internet service provider. A company that sells Internet access and usually also offers web hosting for e-commerce applications, as well as mail services.
queue: An ordered waiting area in which items wait to be processed by the system. See also print queue.
Internet service provider: See ISP.
gigabyte: See GB.
GB: Gigabyte. 1,073,741,824 (2^30) bytes.
host: Another name for a server.
mail host: The computer that provides mail service.
Ethernet ID: See MAC address.
IMAP: Internet Message Access Protocol. A client/server mail protocol that lets users store their mail on the mail server rather than downloading it to the local computer. Mail remains on the server until the user decides to delete it.
public key infrastructure: A method of exchanging data over an unsecured public network, such as the Internet, using public key cryptography.
command-line interface: A way of interacting with the computer (for example, to run programs or modify file system permissions) by typing text commands at a shell prompt.
Internet: A set of interconnected computer networks that communicate using a common protocol (TCP/IP).
The Internet (note the capital letter) is the largest public system of interconnected computer networks in the world.
Internet Message Access Protocol (IMAP): See IMAP.
Internet Protocol: See IP.
IP: Internet Protocol. Also referred to as IPv4. A method used together with the Transmission Control Protocol (TCP) to send data from one computer to another over a local network or over the Internet. IP sends the data packets, while TCP keeps track of those packets.
IPv4: See IP.
IPv6: "Internet Protocol version 6". The next-generation communication protocol that replaces IP (also called IPv4). IPv6 allows a greater number of network addresses and can reduce routing loads on the Internet.
Kerberos: A secure network authentication system. Kerberos uses tickets, issued for a specific user, service and period of time. Once the user is authenticated, he or she can access additional services without re-entering a password (single sign-on), provided those services have been configured to accept Kerberos tickets. Mac OS X Server uses Kerberos v5.
kilobyte: See KB.
KB: Kilobyte. 1,024 (2^10) bytes.
LDA (Local Delivery Agent): The mail service agent that transfers messages from the incoming mail store to the recipient's inbox. The LDA is responsible for managing local delivery of messages; it must also make the mail available to the user's mail application.
LDAP: Lightweight Directory Access Protocol. A standard client/server protocol for accessing a directory domain.
Lightweight Directory Access Protocol: See LDAP.
command line: The text you type at a shell prompt when using a command-line interface.
mailing list: A mail service that distributes a single email message to multiple recipients. Subscribers to a mailing list need not be users of your mail server. Also, mailing lists can be administered by someone other than a workgroup or server administrator. Users can generally subscribe to and unsubscribe from lists.
access control list: See ACL.
MAA (Mail Access Agent): The mail service that communicates with a user's mail program to download messages or headers to the user's local computer.
Mac OS X: The latest version of Apple's operating system. Mac OS X combines the reliability of UNIX with the ease of use of the Macintosh.
Mac OS X Server: A powerful server platform that supports Mac, Windows, UNIX and Linux clients out of the box and offers an extensible set of network and workgroup services, as well as advanced remote management tools.
megabyte: See MB.
MB: Megabyte. 1,048,576 (2^20) bytes.
MTA: Mail Transfer Agent. The mail service that sends outgoing mail, receives incoming mail for local recipients, and forwards incoming mail for non-local recipients to other MTAs.
MUA: Mail User Agent. The mail process on a user's local computer that works with the MAA to download messages and headers to the user's local computer. Commonly called a "mail application" or "email application".
node: A processing location. It can be a computer or another device, such as a printer. Each node has a unique network address. In Xsan, a node is any computer connected to a storage area network.
short name: An abbreviation of a user's name. The short name is used by Mac OS X for home directories, authentication and email addresses.
canonical name: The "real" name of a server when you have given it a "nickname" or alias. For example, the server courrier.apple.com may have the canonical name SrvCourrier473.apple.com.
full name: See long name.
long name: The long form of a user or group name. See also user name.
host name: The unique name of a server, historically called the UNIX host name. The Mac OS X Server host name is used primarily for client access to NFS home directories. A server determines its host name from the first name available among the following sources: the name specified in the /etc/hostconfig file (HOSTNAME=some-host-name); the name assigned to the primary IP address by the DHCP or BootP server; the first name returned by a reverse DNS query (address to name) for the primary IP address; the local multicast DNS host name; the name "localhost".
local hostname: A name that designates a computer on a local subnet. It can be used without a global DNS system to resolve names to IP addresses. It consists of lowercase letters, digits or hyphens (except as the last character) and ends with ".local" (for example, factures-ordinateur.local). Although the name is derived by default from the computer name, the user can set it in the Network pane of System Preferences. It can be changed easily and can be used anywhere a DNS name or fully qualified domain name is used. It can only be resolved on the same subnet as the computer that uses it.
user name: The full name of a user, sometimes called the real name. See also short name.
domain name: See DNS name.
computer name: The default name used for SLP and SMB/CIFS service registrations. The Finder's Network browser uses SLP to find computers that use Personal File Sharing and Windows file sharing. It can be configured to bridge subnets depending on the network router settings. When you enable Personal File Sharing, users see the computer name in the Finder's Connect to Server dialog. It is initially "<name>'s Computer" (for example, "Pierre's Computer"), but this name can be changed. The computer name is used to browse network file servers, print queues, Bluetooth discovery, Apple Remote Desktop clients, and any other network resource that identifies computers by computer name rather than by network address. The computer name is also the basis for the default local hostname.
DNS name: A unique name of a computer, used in the Domain Name System (DNS) to convert between IP addresses and names. Also called domain name.
byte: A basic unit of data measurement, equal to eight bits (or binary digits).
Open Relay Behavior-modification System: See ORBS.
open source: A term describing the cooperative development of software by the Internet community. The basic principle is to involve as many people as possible in writing and debugging the code by publishing the source code and encouraging the formation of a large community of developers who contribute their changes and improvements.
ORBS: Open Relay Behavior-modification System. An Internet service that blacklists servers known or suspected to be open relays for senders of junk mail.
ORBS servers are also called "black hole" servers.
round robin: An Xsan storage pool allocation strategy. In a volume made up of several storage pools, Xsan allocates space for successive records in each available storage pool in turn.
cracker: A malicious user who attempts to gain unauthorized access to a computer system in order to disrupt the operation of computers or networks, or to steal information. Compare hacker.
relay point: See open relay.
junk mail: Unsolicited commercial mail. See spam.
POP: Post Office Protocol. A protocol for retrieving incoming mail. Once a user has retrieved his or her POP mail, it is stored on the user's computer and usually deleted automatically from the mail server.
port: A kind of virtual mail slot. A server uses port numbers to determine which application should receive data packets. Firewalls use port numbers to determine whether data packets are allowed to cross a local network. "Port" usually means either a TCP port or a UDP port.
Post Office Protocol: See POP.
privileges: The right to access restricted areas of a system or to perform certain tasks (such as management tasks) in the system.
access privileges: See permissions.
RBL: Realtime Blackhole List. An Internet service that blacklists servers known or suspected to be open relays for senders of junk mail.
Realtime Blackhole List: See RBL.
relay: In QuickTime Streaming Server, a relay receives an incoming stream and then forwards it to one or more streaming servers.
Relays can reduce Internet bandwidth usage and are useful for broadcasts with many viewers in different locations. In Internet mail terms, a relay is an SMTP mail server that sends incoming mail to another SMTP server rather than to its final destination.
open relay: A server that receives mail and automatically forwards it to another server. Senders of junk mail exploit open relay servers so that their own mail servers do not appear on blacklists of junk mail sources.
directory: Also called a folder. A hierarchically organized list of files and/or other directories.
wide area network: See WAN.
local area network: See LAN (Local area network).
back up: To create a backup copy.
Secure Sockets Layer: See SSL.
name server: A server on a network that maintains a list of domain names and the IP addresses associated with each name. See also DNS, WINS.
directory services: Services that give system software and applications uniform access to directory domains and other sources of information about users and resources.
digital signature: An electronic signature that can be used to confirm the identity of the sender of a message.
Simple Mail Transfer Protocol: See SMTP.
SMTP: Simple Mail Transfer Protocol. A protocol used to send and transfer mail. Its ability to queue incoming messages is limited, so it is generally used only to send messages, with POP or IMAP used to receive them.
subdomain: Sometimes called a host name. Part of the domain name of a computer on the Internet. It does not include the domain or top-level domain (TLD) designation (for example .com, .net, .us, .uk).
The domain name "www.exemple.com" consists of the subdomain "www", the domain "exemple" and the top-level domain "com".
IP subnet: A portion of an IP network, which may be a physically independent network segment, that shares a network address with the other portions of the network and is identified by a subnet number.
spam: Unsolicited mail; junk mail.
SSL: Secure Sockets Layer. A protocol for sending encrypted and authenticated information over the Internet. More recent versions of SSL are called TLS (Transport Level Security).
TCP: Transmission Control Protocol. A method used with the Internet Protocol (IP) to send data between computers over the Internet in the form of message units. IP handles the transfer of the data, while TCP keeps track of the individual units of data (called "packets"). Each message is split into several units to ensure efficient routing across the Internet.
terabyte: See TB.
cleartext: Text that has not been encrypted.
TB: Terabyte. 1,099,511,627,776 (2^40) bytes.
record type: A specific category of records, such as users, computers and mounts. A directory domain can contain any number of records of any type.
UDP: User Datagram Protocol. A communication method that uses IP to send a unit of data (called a datagram) from one computer to another on a network. Network applications that have very small units of data to exchange can use UDP instead of TCP.
virtual user: An alternate email address (short name) for a user. Similar to an alias, but involving the creation of a new user account.
WAN: Wide area network.
A network linking geographically dispersed sites, as opposed to a local area network (LAN), which is installed within a single group of buildings. The WAN interface is usually the one connected to the Internet.
(Simple Mail Transfer Protocol) 16 à propos de 16 authentification 50, 51 réglages 33 transport sécurisé 36 spam Voir courrier indésirable SSL (Secure Sockets Layer) service de messagerie et 22 utilisation avec les services de messagerie 22 stockage des messages 66–71 surveillance comptes d’utilisateur 75 utilisateurs connectés 74 T transport activation de SSL 31 U utilisateurs supprimés, effacement de courrier 72 AirPort Express Opstillingsvejledning2 Indholdsfortegnelse 4 Kapitel 1: Introduktion 5 Om AirPort Express 7 Om AirPort-softwaren 7 Hvad du har brug for 9 Tilslutte AirPort Express 10 Statusindikatorerne på AirPort Express 11 Hvad er det næste? 12 Kapitel 2: Brug af AirPort Express 12 Bruge AirPort Express med en bredbåndsforbindelse til Internet 14 Bruge AirPort Express sammen AirTunes til at afspille iTunes-musik på dit stereoanlæg 15 Bruge AirPort Express på et eksisterende trådløst netværk til at streame musik til stereoanlægget 20 Bruge AirPort Express til at dele en USB-printer 21 Udvide rækkevidden af et eksisterende AirPort Extreme- eller AirPort Express-netværk 23 Bruge AirPort Express med dit AirPort Extreme-netværk 24 Kapitel 3: Indstille AirPort Express 26 Bruge AirPort-værktøj 28 Oprettelse af et nyt trådløst netværkIndholdsfortegnelse 3 28 Konfiguration og deling af Internetadgang 29 Tilslutning til et eksisterende trådløst netværk 30 Udvide rækkevidden af et eksisterende AirPort Extreme- eller AirPort Express-netværk 31 Angivelse af avancerede indstillinger 33 Kapitel 4: AirPort Express, når du er på farten 36 Kapitel 5: Tip og fejlfinding 42 Overvejelser ved placering af AirPort Express 43 Forhold, der kan skabe forstyrrelser for AirPort 44 Kapitel 6: Yderligere oplysninger, service og support 44 Kilder på Internet 44 Hjælp på skærmen 45 Garantiservice 45 Sådan finder du serienummeret på AirPort Express 46 Appendiks: Specifikationer for AirPort Express 47 Gode råd om sikkerhed til AirPort Express 48 Undgå våde steder 48 Foretag ikke selv 
reparationer 49 Om håndtering 50 Regulatory Compliance Information4 1 1 Introduktion Tillykke med købet af AirPort Express. Læs denne håndbog, så du kan komme i gang med at bruge den. Du kan bruge AirPort Express til at dele din bredbåndsforbindelse til Internet med trådløse computere på netværket, afspille iTunes-musik på stereoanlægget og meget mere. AirPort Express leveres med AirTunes, så du kan afspille iTunes-musik på eksterne højttalere. Med AirPort Express kan du:  Oprette et trådløst netværk i dit hjem og derefter oprette forbindelse til Internet og dele forbindelsen med op til ti computere samtidigt. En hel familie kan have forbindelse til Internet på samme tid.  Slutte AirPort Express til dit stereoanlæg eller dine forstærkede højttalere og bruge AirTunes til at afspille iTunes-musik på stereoanlægget fra en Macintosh med et AirPort- eller AirPort Extreme-kort eller en kompatibel trådløs Windows XP- eller Windows 2000-computer.  Indstille en trådløs forbindelse til dit Ethernet-netværk. AirPort- og AirPort Extremeudstyrede Macintosh-computere eller Windows XP- eller Windows 2000-computere kan derefter få adgang til hele netværket uden kabelforbindelser.Kapitel 1 Introduktion 5  Udvide rækkevidden af netværket ved at tilføje AirPort Express på det eksisterende trådløse AirPort Extreme- eller AirPort Express-netværk. Dette kaldes WDS eller Wireless Distribution System - trådløst distributionssystem.  Slutte en USB-printer til AirPort Express. Alle kompatible computere på AirPortnetværket - både trådløse og kabelforbundne - kan udskrive til printeren.  Oprette specielle beskrivelser, så du kan lagre indstillinger til op til fem forskellige placeringer. Tage AirPort Express med på farten og hurtigt oprette forbindelse til bredbåndsnetværk, f.eks. i et hotelværelse. 
About AirPort Express

AirPort Express has three ports, located on the bottom:
- An Ethernet port for connecting a DSL or cable modem, or for connecting to an existing Ethernet network
- An analog and optical digital audio minijack (line out), so you can connect AirPort Express to a stereo or powered speakers
- A USB port, so you can connect a compatible printer to AirPort Express

Next to the ports is a reset button, used for troubleshooting AirPort Express. The status light on the side of AirPort Express shows its current status.

[Figure: status light, reset button, line out (analog and optical digital minijack), Ethernet port, USB port, power plug]

About the AirPort Software

AirPort Express works with the AirPort software included on the AirPort Express CD.

What You Need

To set up AirPort Express using a Macintosh, you need the following:
- A Macintosh computer with an AirPort or AirPort Extreme Card installed
- Mac OS X v10.4 or later

AirPort Utility

AirPort Utility helps you set up AirPort Express to create a wireless network, connect to the Internet, and share a USB printer. You can also connect AirPort Express to an existing AirPort Extreme or AirPort Express wireless network and extend the range of that network using WDS. Use AirPort Utility to quickly and easily set up AirPort Express and your wireless network.

AirPort Utility is an advanced tool for setting up and managing AirPort Extreme and AirPort Express Base Stations. Use AirPort Utility to adjust network, routing, security, and other advanced settings.

AirPort status menu in the menu bar

Use the AirPort status menu to switch quickly between AirPort networks, monitor the signal strength of the selected network, create a computer-to-computer network, and turn AirPort on and off.
The status menu is available on computers using Mac OS X.

To set up AirPort Express using a Windows computer, you need the following:
- A Windows computer with a 300 MHz or faster processor
- Windows XP Home or Professional

You need iTunes to play audio from your computer on a stereo connected to AirPort Express. To make sure you have the latest version of iTunes, go to www.apple.com/dk/itunes.

You can use AirPort Express with any wireless-enabled computer that complies with the IEEE 802.11b or 802.11g standards. To set up AirPort Express, your computer must meet the requirements listed above.

Plugging In AirPort Express

Before you plug in AirPort Express, connect the appropriate cables to the ports you want to use: the Ethernet cable connected to your DSL or cable modem (if you want to connect to the Internet), the audio cable connected to your stereo (if you want to play music from iTunes), and a USB cable connected to a compatible USB printer (if you want to print to a USB printer).

Once you have connected the cables for the devices you plan to use, connect the power cord if necessary. Plug AirPort Express into the wall outlet. There is no on/off switch.

[Figure: power plug]

When you plug AirPort Express into the power outlet, the status light flashes green, then glows amber while AirPort Express starts up. Once it has started up, the status light glows solid green.

AirPort Express Status Lights

The following table explains the status light sequences on AirPort Express and what they mean.

Light: Status/description
Off: AirPort Express is not plugged in.
Flashing green: AirPort Express is starting up. Note: If you choose Flash On Activity from the Status Light pop-up menu in the Base Station pane of AirPort settings in AirPort Utility, the status light may flash green to indicate normal activity.
Solid green: AirPort Express is on and working properly. If you choose Flash On Activity from the Status Light pop-up menu in the Base Station pane in AirPort Utility, the status light may flash green to indicate normal activity.
Flashing amber: AirPort Express cannot establish a connection to the network or the Internet. See "The AirPort Express status light flashes amber" on page 39.
Solid amber: AirPort Express is completing its startup sequence.
Flashing amber and green: There may be a problem starting up. AirPort Express will restart and try again.

What's Next?

When you have plugged in AirPort Express, use AirPort Utility to set it up to work with your Internet connection, stereo, USB printer, or existing network. See "Using AirPort Express" on page 12 for examples of all the ways you can use AirPort Express, and for information about how to set up your wireless network. Then see "Setting Up AirPort Express" on page 24 to find out more about setting up AirPort Express.


Chapter 2: Using AirPort Express

This chapter describes the different ways you can use AirPort Express. It provides examples of what your setup might look like, depending on how you use AirPort Express. It also gives a brief explanation of how to quickly get your AirPort Express network up and running.
Using AirPort Express with a Broadband Internet Connection

When you set up AirPort Express to provide network and Internet access, Macintosh computers with AirPort and AirPort Extreme Cards, and computers equipped with 802.11b and 802.11g wireless technology, can access the wireless AirPort network to share files, play games, and use Internet applications such as web browsers and email applications.

What it looks like
[Figure: DSL or cable modem to the Internet, connected to the AirPort Express Ethernet port]

How to set it up
1. Connect your DSL or cable modem to AirPort Express using the Ethernet port.
2. Use AirPort Utility to create a new network. (See page 24 for more information.)

Computers using AirPort, and computers using other wireless cards or adapters, connect to the Internet through AirPort Express. Wireless computers communicate with each other through AirPort Express.

Using AirPort Express with AirTunes to Play iTunes Music on Your Stereo

You can connect AirPort Express to your stereo using a fiber optic cable (Toslink-to-mini), a mini stereo-to-dual-RCA cable, or a mini stereo-to-mini stereo cable, depending on the type of connectors on your stereo, and then use AirTunes to play music wirelessly from iTunes.

What it looks like
[Figure: computer with iTunes; AirPort Express line out connected to a stereo receiver either by a digital fiber optic cable (Toslink-to-mini) into an optical digital audio input, or by a mini stereo-to-RCA cable into left and right RCA-type audio inputs]

How to set it up
1. Connect AirPort Express to your stereo or remote speakers using a digital fiber optic cable, an analog mini stereo-to-dual-RCA cable, or a mini stereo-to-mini stereo cable (depending on the type of connectors on your stereo). The stereo must be connected to the stereo minijack.
Note: You cannot use USB powered speakers with AirPort Express. Use powered speakers with a stereo minijack connector.
2. Use AirPort Utility to create a new network. (See page 24 for more information.)
3. Open iTunes on your computer and choose your stereo or speakers from the speakers pop-up menu in the lower-right corner of the iTunes window.

Wireless computers within range of AirPort Express can stream music to it wirelessly using iTunes 4.6 or later. Only one computer at a time can stream music to AirPort Express. You can stream music to only one AirPort Express at a time.

Note: Do not connect AirPort Express to the phono jack on your stereo.

Using AirPort Express on an Existing Wireless Network to Stream Music to Your Stereo

You can also connect AirPort Express to a wireless network and use AirTunes to play music on your stereo from iTunes. If you connect AirPort Express to your existing network, you can also place AirPort Express in another room, within range of the network.

What it looks like
[Figure: DSL or cable modem to the Internet, connected to an AirPort Extreme Base Station Ethernet port; AirPort Express line out to a stereo receiver]

You join the wireless network using the AirPort status menu in the menu bar on a Macintosh. On a Windows computer, hold the pointer over the wireless connection icon until you see the AirPort network name (SSID), and choose it from the list if more than one network is available.

There are also other ways to connect AirPort Express to your stereo. If your computer has an AirPort Extreme Card or a compatible wireless card for Windows installed, you can use AirTunes to play iTunes music on a stereo connected to AirPort Express.
[Figure: DSL or cable modem to the Internet; stereo receiver connected to line out]

You can also connect AirPort Express to the Internet and provide Internet access to computers on the network. Connect AirPort Express to your stereo, and computers with AirPort Extreme or compatible 802.11b or 802.11g cards can use iTunes to play music on the stereo.

[Figure: DSL or cable modem to the Internet, Ethernet port; stereo receiver connected to line out]

Optional Audio Cable and Power Cord

You can purchase the optional AirPort Express Stereo Connection Kit with Monster Cables to connect AirPort Express to your stereo or powered speakers. The kit includes an analog mini stereo-to-dual-RCA cable, a digital fiber optic Toslink cable, and a power cord.
- Connect the analog cable to your stereo if it uses standard analog cables.
- Connect the digital fiber optic cable if your stereo has a digital Toslink port.
- Connect the power cord if you are placing AirPort Express some distance from a power outlet.

[Figure: mini stereo-to-RCA cable, digital fiber optic cable (Toslink-to-mini), power cord]

Using AirPort Express to Share a USB Printer

If you connect a USB printer to AirPort Express, all computers on the network can print to it.

What it looks like
[Figure: shared printer connected to the USB port]

How to set it up
1. Connect the printer to the USB port on AirPort Express using a USB cable.
2. Use AirPort Utility to create a new network or join an existing one.

Wireless computers can print to the printer from Mac OS X v10.2.7 or later and from Windows 2000 or Windows XP.

To use the printer from a computer with Mac OS X:
1. Open Printer Setup Utility (located in the Utilities folder in the Applications folder).
2. Select the printer from the list. If the printer is not in the list, click Add and choose Bonjour from the pop-up menu, then select the printer from the list.

To use the printer from a Windows computer:
1. Install Bonjour for Windows from the CD that came with AirPort Express.
2. Connect the printer as described in the onscreen instructions.

Extending the Range of an Existing AirPort Extreme or AirPort Express Network

You can connect an additional AirPort Express to extend the range of your existing AirPort Extreme or AirPort Express network. Adding a base station or AirPort Express to an existing network creates what is known as a WDS (Wireless Distribution System). If the AirPort network is connected to the Internet, computers can join the AirPort network and share the Internet connection.

What it looks like
[Figure: kitchen/family room, dining room, living room; AirPort Extreme Base Station connected to a DSL or cable modem to the Internet]

How to set it up
1. You need an existing AirPort network created by an AirPort Extreme Base Station or an AirPort Express that is connected to the Internet. This base station is called the main base station and shares its Internet connection with AirPort Express.
2. Use AirPort Utility to join the network and extend its range. (See page 24 for more information.)

Both base stations share the Internet connection with client computers wirelessly, or over Ethernet if the client computers are connected using Ethernet.

Using AirPort Express with Your AirPort Extreme Network

The illustration below shows a wireless network that combines all the examples above in a single wireless network.

How to set it up
- Use AirPort Utility to create a new network and take advantage of all the features of AirPort Express.
[Figure: DSL or cable modem to the Internet; AirPort Extreme Base Station connected to the Ethernet port; kitchen/family room and living room; AirPort Express connected to line out and to the USB port]


Chapter 3: Setting Up AirPort Express

This chapter provides information and instructions for using the AirPort software to set up AirPort Express.

Use the illustrations in the previous chapter to help you decide where you want to use AirPort Express and which features you want to set up on your AirPort network. Then use the instructions in this chapter to easily configure AirPort Express and set up your AirPort network.

With AirPort Utility you can:
- Set up a new network that wireless computers can use to communicate with each other. If you set up AirPort Express as a base station and connect it to the Internet, wireless computers can also share the Internet connection.
- Connect AirPort Express to an existing wireless network, use AirTunes to play iTunes music on a stereo or powered speakers, and connect a USB printer to be shared.
- Connect AirPort Express to an existing AirPort Extreme or AirPort Express network and extend the range of the wireless network, using AirPort Express as a wireless link. This is called a WDS (Wireless Distribution System).

You can use AirTunes to play music from iTunes and share a USB printer on any type of network you set up, whether it is a new network or you are joining an existing network.

If you have more than one AirPort Express, you can, for example, connect one to the stereo in your living room and another to the powered speakers in your den. With AirTunes you can stream iTunes music to either AirPort Express, depending on where you are in the house. Choose the name of the AirPort Express you want to use from the speakers pop-up menu in iTunes.
This chapter gives an overview of using the setup assistant in AirPort Utility to set up your network and the other features of AirPort Express. For more detailed information about wireless networking and the advanced features of AirPort Utility, see the document "Designing AirPort 802.11n Networks", available at www.apple.com/dk/support/airport. The document contains detailed information about the following:
- Using AirPort Utility with the AirPort Extreme 802.11n Base Station
- Using AirPort Utility to set up the AirPort Express 802.11g Base Station

Note: You can do most of your network setup and configuration tasks using the setup assistant in AirPort Utility. To set advanced options, choose Manual Setup from the Base Station menu in AirPort Utility. See "Setting Advanced Options" on page 31.

Using AirPort Utility

To set up and configure AirPort Express to use AirPort for wireless networking and Internet access, use the setup assistant in AirPort Utility. AirPort Utility is installed on your computer when you install the software from the AirPort Express CD.

On a Macintosh computer with Mac OS X v10.4 or later:
1. Open AirPort Utility, located in the Utilities folder in the Applications folder.
2. Select your base station and click Continue.
3. Follow the onscreen instructions to set up AirPort Express and your wireless network.

On a computer with Windows XP (with Service Pack 2):
1. Open AirPort Utility, located in Start > All Programs > AirPort.
2. Select your base station and click Continue.
3. Follow the onscreen instructions to set up AirPort Express and your wireless network.

The setup assistant asks a series of questions about the type of network you want to use and the services you want to set up. It helps you enter the appropriate settings for the network you are setting up.
If you are using AirPort Express to connect to the Internet, you need a broadband connection (DSL or cable modem) with an account from an Internet service provider, or an Internet connection through an existing Ethernet network. If you received specific information from your ISP (such as a static IP address or a DHCP client ID), you may need to enter it in AirPort Utility. Have this information available before you set up AirPort Express.

Creating a New Wireless Network

You can use the setup assistant in AirPort Utility to create a new wireless network. The setup assistant guides you through the steps necessary to name your network, protect your network with a password, and set other options.

If you plan to share a USB printer on your network:
1. Connect the printer or hard disk to the USB port on AirPort Express.
2. Open AirPort Utility, located in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows XP.
3. Follow the onscreen instructions to create a new network.

Configuring and Sharing Internet Access

To share your Internet connection with wireless computers on your network, you need to set up AirPort Express to share its Internet connection. Once it is set up, computers can connect to the Internet via the AirPort network. The base station connects to the Internet and transmits information to computers over the AirPort network.

Before you use AirPort Utility to set up your base station, connect your DSL or cable modem to the Ethernet port on AirPort Express. If you are using an existing Ethernet network with Internet access to connect to the Internet, you can connect AirPort Express to the Ethernet network instead.
Use the setup assistant in AirPort Utility to enter your ISP settings and configure how AirPort Express shares the settings with other computers.

1. Choose the wireless network you want to change. On a Macintosh, use the AirPort status menu in the menu bar. On a computer with Windows XP, hold the pointer over the wireless connection icon until you see the AirPort network name (SSID), and choose it from the list if more than one network is available.
The default network name for an Apple base station is AirPort NetworkXXXXXX, where XXXXXX is replaced by the last six digits of the AirPort ID, also known as the Media Access Control (MAC) address. The AirPort ID is printed on the side of AirPort Express where the power plug is.
2. Open AirPort Utility, located in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows XP.
3. Select your base station and click Continue.
4. Follow the onscreen instructions to configure and share Internet access on AirPort Express.

Using AirPort Utility is a quick and easy way to set up your base station and network. If you want to set additional options for your network, such as restricting access or setting advanced DHCP options, choose Manual Setup from the Base Station menu in AirPort Utility.

Connecting to an Existing Wireless Network

You can use AirPort Utility to join an existing wireless network. When you connect AirPort Express to your stereo, computers on the wireless network can use AirTunes to play music on the stereo from iTunes. If you connect a USB printer to AirPort Express, all computers on the network can print to it.

Be sure to connect the audio cable to your stereo and the USB cable to your printer before you use AirPort Utility.
1. Open AirPort Utility, located in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows.
2. Follow the onscreen instructions to connect AirPort Express to your wireless network.

Extending the Range of an Existing AirPort Extreme or AirPort Express Network

You can extend the range of an existing AirPort Extreme or AirPort Express wireless network by setting it up as a WDS. Wireless computers can join the network and share the Internet connection, share files, and play network games. If you connect AirPort Express to your stereo, computers on the wireless network can use AirTunes to play music on the stereo from iTunes. If you connect a USB printer to AirPort Express, all computers on the network can print to it.

- Open AirPort Utility and follow the onscreen instructions to extend the range of your AirPort Extreme or AirPort Express network.

Extending the range of a wireless network using WDS may affect overall network performance.

Setting Advanced Options

To set advanced options, you can use AirPort Utility to set up AirPort Express manually. You can configure advanced base station settings, such as advanced security options, closed network settings, DHCP lease duration, access control, power management, user accounts, and more.

To set advanced options:
1. Choose the wireless network you want to change. On a Macintosh, use the AirPort status menu in the menu bar. On a computer with Windows XP, hold the pointer over the wireless connection icon until you see the AirPort network name (SSID), and choose it from the list if more than one network is available.
The default network name for an Apple base station is AirPort NetworkXXXXXX, where XXXXXX is replaced by the last six digits of the AirPort ID, also known as the Media Access Control (MAC) address. The AirPort ID is printed on the side of AirPort Express where the power plug is.
2. Open AirPort Utility, located in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows XP.
3. If there is more than one base station in the list, select the base station you want to configure. If you do not see the base station you want to configure, click Rescan to scan for available base stations, then select the one you want.
4. Choose Manual Setup from the Base Station menu. Enter the password if you are prompted for it.

The document "Designing AirPort 802.11n Networks", available at www.apple.com/dk/airport, contains more information and instructions for manual setup with AirPort Utility. The document contains detailed information about the following:
- Using AirPort Utility with the AirPort Extreme 802.11n Base Station
- Using AirPort Utility to set up the AirPort Express 802.11g Base Station


Chapter 4: AirPort Express on the Go

AirPort Express can store settings for different locations, so you can easily move it from place to place. AirPort Express can store up to 5 different configurations, called profiles. A profile contains settings for AirPort Express, such as the iTunes speaker name and password, and network information, such as the network name and password.

Profiles can be useful if you move AirPort Express from one location to another. For example, you might have a profile for AirPort Express at home, where you use AirTunes to play music on your stereo from iTunes and connect to the Internet using PPPoE. You might have another profile for using AirPort Express at a hotel, where you connect to the Internet using DHCP.

Use AirPort Utility, located in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows XP, to create, edit, rename, and delete profiles.

To create a new profile:
1. Open AirPort Utility, select your AirPort Express in the list, then choose Manual Setup from the Base Station menu.
2. Enter the base station password if necessary.
3. Choose Manage Profiles from the Base Station menu.
4. Click Add to create a new profile. Give the profile a name, then click OK.
5. Enter settings such as the network name, remote speaker name, passwords, and Internet connection method.
6. When you have entered these settings, click Update.

Once you have a profile in the list, the Profiles pop-up menu appears at the bottom of the AirPort Utility window.

To edit an existing profile:
1. Open AirPort Utility, select your AirPort Express in the list, then choose Manual Setup from the Base Station menu.
2. Enter a password if necessary.
3. Choose the profile you want to edit from the Profiles pop-up menu.
4. Edit the settings for the profile. When you have finished editing the settings, click Update to save the profile and make it active on AirPort Express.


Chapter 5: Tips and Troubleshooting

You can quickly solve most problems with AirPort Express by following the advice in this chapter.

The AirPort Express software cannot detect the proper AirPort hardware

Make sure the computer you are using has an AirPort Card or AirPort Extreme Card installed. If you recently installed an AirPort Card, shut down your computer and make sure the card is properly installed.
Make sure the AirPort antenna is securely connected to the card (you hear a click when the antenna is connected properly). Make sure the other end of the card is firmly connected to the connector in the AirPort Card slot.

If you are using a Windows computer, make sure the wireless card or adapter is installed correctly. See the documentation that came with your computer to check the connection.

You cannot play music on your stereo from iTunes

Check the following:
- Make sure AirPort Express is plugged into a power outlet, is within range of your computer, and that you have connected the appropriate cables. You may need to join the AirPort Express network.
- Make sure to choose AirPort Express from the speakers pop-up menu in iTunes.
- Make sure you are using iTunes 4.6 or later.

You cannot hear the music playing

If music is playing (the status bar at the top of the iTunes window is moving) but you cannot hear anything, check the following:
- If you are trying to play music through speakers connected to an AirPort Express, and you have selected the "Disable iTunes volume control for remote AirTunes speakers" checkbox in the Audio pane of iTunes preferences, make sure the remote speakers are selected in the pop-up menu at the bottom of the iTunes window, and that the volume on the remote speakers is not turned down.

You forgot your network or AirPort Express password

You can reset the AirPort network or AirPort Express password by resetting AirPort Express. Follow these instructions:
1. Use the end of a straightened paper clip to press and hold the reset button for one second.
2. Choose your AirPort network.
- On a Macintosh, use the AirPort status menu in the menu bar to choose the network created by AirPort Express (the network name does not change).
- On a computer with Windows 2000 or Windows XP, hold the pointer over the wireless connection icon until you see the AirPort network name (SSID), and choose it from the list if more than one network is available.
3. Open AirPort Utility (in the Utilities folder in the Applications folder on a Macintosh, or in Start > All Programs > AirPort on a computer with Windows XP or Windows 2000).
4. Select AirPort Express and click Configure.
5. Make the following changes in the dialog that appears:
- Reset the AirPort Express password.
- Turn on encryption if you want to protect your AirPort network with a password. If you turn on encryption, enter a new password for your AirPort network.
6. Click OK. AirPort Express restarts to load the new settings.

AirPort Express is not responding

Try unplugging it from the power outlet and plugging it back in. If AirPort Express stops responding completely, you may need to reset it. This erases all the settings you have made and restores the default settings for AirPort Express.

The AirPort Express status light flashes amber

The Ethernet cable may not be connected properly, AirPort Express may be out of range of an AirPort network, or there may be a problem with your Internet service provider. If you are connected to the Internet with a DSL or cable modem, the modem may have lost its connection to the network or the Internet. Even if the modem appears to be working properly, try disconnecting the modem from its power supply, wait a few seconds, then reconnect it. Make sure AirPort Express is connected directly to the modem via Ethernet before you reconnect the modem's power supply.
If AirPort Express is set up in a WDS (Wireless Distribution System), the WDS connection may have been lost.
Note: If AirPort Express is set up as a wireless client and the network it joins is protected by an access control list (ACL), AirPort Express must be on the access control list in order to join the network.
To find out more about why the light is flashing amber, open AirPort Utility, select the base station, and then choose Manual Setup from the Base Station menu. Enter the base station password if necessary, and then click Base Station Status to see information about the flashing light.

To reset AirPort Express to the factory default settings:
• Use the end of a straightened paper clip to press and hold the reset button for ten seconds.
AirPort Express restarts with the following settings:
• AirPort Express receives its IP address using DHCP.
• The network name is Apple Network XXXXXX (where X is a letter or a number).
• The AirPort Express password is reset to public.
If you used AirPort Utility to create profiles for AirPort Express, they are kept when you reset AirPort Express. If you need to reset AirPort Express to the factory default settings and remove any profiles you have set up:
1. Unplug AirPort Express.
2. Use the end of a straightened paper clip to press and hold the reset button while you plug in AirPort Express. Wait until the status light flashes, and then reset the base station.

The printer isn't responding
If you have connected a printer to the USB port on AirPort Express and the computers on the AirPort network can't print, try the following:
1. Make sure the printer is plugged in and turned on.
2. Make sure the cables are securely connected to the printer and to the USB port on AirPort Express.
3. Make sure the printer is selected in the Printer List on the client computers.
To do this on a Macintosh using Mac OS X v10.3 or later:
• Open Printer Setup Utility, located in the Utilities folder in the Applications folder.
• Click Add if the printer isn't in the list.
• Choose Bonjour from the pop-up menu.
• Select the printer and click Add.
To select the printer on a computer using Windows XP or Windows 2000:
• Open "Printers and Faxes" from the Start menu.
• Select the printer. If the printer isn't in the list, click Add Printer and then follow the onscreen instructions.
4. Turn off the printer, wait a few seconds, and then turn it back on.
For more information about setting up a printer on a Windows computer, see "Using the printer from a Windows computer" on page 21.

You want to update the AirPort software
Apple periodically releases updates to the AirPort software. To update the software on the base station:
1. Open AirPort Utility, located in the Utilities folder in the Applications folder.
2. Choose "Check for Updates" from the AirPort Utility menu.
3. Click Download to download all available firmware updates, or click Show Details to select specific firmware for the base station.
4. When the firmware has been downloaded, click Update to install it on the base station. If you are updating several base stations, click Show Details to select the base stations to update.

AirPort Express Placement Considerations
The following recommendations can help AirPort Express achieve maximum wireless range and optimal network coverage.
• Place AirPort Express in an open area where there are few obstructions, such as large pieces of furniture or walls. Do not place it near metallic surfaces.
• If you place AirPort Express behind furniture, leave at least 2.5 cm of space between AirPort Express and the edge of the furniture.
• Avoid placing AirPort Express in areas surrounded by metal surfaces on three or more sides.
• If you place AirPort Express in an entertainment center with your stereo equipment, avoid completely surrounding AirPort Express with audio, video, and power cables. Place AirPort Express so the cables are on one side. Keep as much space as possible between AirPort Express and the cables.
• If you place AirPort Express behind your stereo equipment, place it to one side. Avoid placing it directly behind the stereo.
• Try to place AirPort Express at least 8 m from microwave ovens, 2.4 GHz cordless telephones, or other sources of interference.

Items That Can Cause Interference With AirPort
The farther away the source of interference, the less likely it is to cause a problem. The following items can cause interference with AirPort communication:
• Microwave ovens
• DSS (Direct Satellite Service) radio signals
• The original coaxial cable that came with certain types of satellite dishes. Contact the equipment manufacturer for newer cables.
• Certain electrical devices such as high-voltage power lines, electrical railroad tracks, and power stations
• Cordless telephones that operate in the 2.4 GHz band. If you have problems with your telephone or AirPort communication, change the channel your base station or AirPort Express uses.
• Adjacent base stations using nearby channels. For example, if base station A is set to channel 1, base station B should be set to channel 4 or higher.

Chapter 6 Additional Information, Service, and Support
You can find more information about using AirPort Express on your hard disk, on the Internet, and in onscreen help.

Internet Resources
For the latest information about AirPort Express, go to www.apple.com/dk/airportexpress.
To register AirPort Express (if you didn't do it when you installed the software from the AirPort Express CD), go to www.apple.com/register.
For AirPort service and support information, a variety of forums with product information and feedback, and the latest Apple software, go to www.apple.com/dk/support/airport.
For support outside the United States, go to www.apple.com/support and choose your country from the pop-up menu.

Onscreen Help
• To learn more about using AirPort, open AirPort Utility and choose Help > AirPort Utility Help.

Warranty Service
If the product appears to be damaged or does not function properly, follow the advice in this booklet, the onscreen help, and the online resources. If the unit still does not function, go to www.apple.com/dk/support for instructions on how to obtain warranty service.

Finding the Serial Number of Your AirPort Express
The serial number is printed on the back of AirPort Express.

Appendix AirPort Express Specifications

AirPort Specifications
• Wireless data rate: Up to 54 megabits per second (Mbps)
• Range: Up to 45 meters in typical use (varies with environment)
• Frequency band: 2.4 GHz
• Radio output power: 15 dBm (nominal)
• Standards: 802.11 DSSS 1 and 2 Mbps standard, 802.11b and 802.11g specifications

Interfaces
• RJ-45 Ethernet LAN connector for built-in 10/100Base-T
• Universal Serial Bus (USB) printer port
• Analog/digital optical 3.5 mm mini-jack
• AirPort Extreme

Environmental Specifications
• Operating temperature: 0° C to 35° C
• Storage temperature: –25° C to 60° C
• Relative humidity (operating): 20% to 80%
• Relative humidity (storage): 10% to 90%, noncondensing
• Altitude (operating): Max. 3,048 m
• Altitude (storage): Max. 4,572 m

Size and Weight
• Height: 94 mm
• Width: 75 mm
• Thickness: 28.5 mm
• Weight: 188 grams

Hardware Addresses
AirPort Express has two hardware addresses printed on the side of the case:
• AirPort ID: The address used to identify AirPort Express on a wireless network.
• Ethernet ID: Also known as the MAC address. You may need to provide this address to your Internet service provider to connect AirPort Express to the Internet.

AirPort Express Safety Tips
• The only way to shut off power completely to AirPort Express is to disconnect it from the power outlet.
• When plugging in or unplugging AirPort Express, always hold it by the sides. Make sure you do not touch the metal prongs of the plug.
• AirPort Express is a high-voltage component and should not be opened under any circumstances, even when it is unplugged. If AirPort Express needs service, see "Additional Information, Service, and Support" on page 44.
• Never force a connector into the ports. If the connector and port do not join with reasonable ease, they probably don't match. Make sure you are using the right connector and that you have positioned it correctly in relation to the port.
• If you use the power cord (optional), make sure AirPort Express is not hanging by the power cord.
• When you use AirPort Express, the case normally becomes warm. The AirPort Express case functions as a cooling surface that transfers heat from inside the unit to the cooler air outside.

Avoid Wet Locations
• Keep AirPort Express away from sources of liquid, such as drinks, washbasins, bathtubs, shower stalls, and so on.
• Protect AirPort Express from direct sunlight and from rain or other moisture.
• Take care not to spill any food or liquid on AirPort Express. If you do, unplug AirPort Express before cleaning up the spill.
Depending on what you spilled and how much liquid got into the equipment, you may have to send the equipment to Apple for repair. See "Additional Information, Service, and Support" on page 44.

Do Not Make Repairs Yourself
Warning: To reduce the risk of electric shock or injury, do not use AirPort Express in or near water or wet locations.
Warning: Do not attempt to open AirPort Express or disassemble it. You run the risk of electric shock and of voiding the limited warranty. The equipment contains no user-serviceable parts.

About Handling
AirPort Express may be damaged by improper storage or handling. Be careful not to drop AirPort Express when transporting it.

Regulatory Compliance Information

FCC Declaration of Conformity
This device complies with part 15 of the FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. See instructions if interference to radio or television reception is suspected.

Radio and Television Interference
This computer equipment generates, uses, and can radiate radio-frequency energy. If it is not installed and used properly—that is, in strict accordance with Apple’s instructions—it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in Part 15 of FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. You can determine whether your computer system is causing interference by turning it off.
If the interference stops, it was probably caused by the computer or one of the peripheral devices. If your computer system does cause interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the computer to one side or the other of the television or radio.
• Move the computer farther away from the television or radio.
• Plug the computer into an outlet that is on a different circuit from the television or radio. (That is, make certain the computer and the television or radio are on circuits controlled by different circuit breakers or fuses.)
If necessary, consult an Apple Authorized Service Provider or Apple. See the service and support information that came with your Apple product. Or, consult an experienced radio/television technician for additional suggestions.
Important: Changes or modifications to this product not authorized by Apple Inc. could void the EMC compliance and negate your authority to operate the product. This product was tested for FCC compliance under conditions that included the use of Apple peripheral devices and Apple shielded cables and connectors between system components. It is important that you use Apple peripheral devices and shielded cables and connectors between system components to reduce the possibility of causing interference to radios, television sets, and other electronic devices. You can obtain Apple peripheral devices and the proper shielded cables and connectors through an Apple-authorized dealer. For non-Apple peripheral devices, contact the manufacturer or dealer for assistance.
Responsible party (contact for FCC matters only): Apple Inc., Product Compliance, 1 Infinite Loop M/S 26-A, Cupertino, CA 95014-2084, 408-974-2000.

Industry Canada Statement
This Class B device meets all requirements of the Canadian interference-causing equipment regulations.
This Class B digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.

VCCI Class B Statement

Europe – EU Declaration of Conformity
Complies with the European Directives 72/23/EEC, 89/336/EEC, and 1999/5/EC. See www.apple.com/euro/compliance for more information.

European Union – Disposal Information
This symbol means that, according to local laws and regulations, your product should be disposed of separately from household waste. When this product reaches its end of life, take it to your local collection point. Some collection points accept products free of charge. The separate collection and recycling of your product at the time of disposal helps conserve natural resources and ensures that it is recycled in a manner that protects human health and the environment.

www.apple.com/airport
www.apple.com/support/airport
© 2007 Apple Inc. All rights reserved. Apple, the Apple logo, AirPort, AirPort Express, AirPort Extreme, Bonjour, iTunes, Mac, Macintosh, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. AirTunes is a trademark of Apple Inc. DK019-0989

MagSafe Airline Adapter

English

1 MagSafe Airline Adapter
The MagSafe Airline Adapter works with all Apple portable computers that have the MagSafe power adapter port. Plug the MagSafe Airline Adapter into the EmPower port nearest your airline seat. Connect the other end to your computer’s MagSafe port. Using the MagSafe Airline Adapter provides power for your computer but does not charge the battery.

Safety
Unplug the MagSafe Airline Adapter before leaving your seat, to avoid tripping over the cable. Be careful not to spill liquid on the MagSafe Airline Adapter.
For general safety and regulatory information, see the user’s guide that came with your computer.

Other Power Sources
On airlines that have 20 mm power ports, use the 20 mm adapter (included in the kit) with the MagSafe Airline Adapter. To attach the 20 mm adapter to the MagSafe Airline Adapter, align the airplane logos and slide the adapters together. Then insert the 20 mm adapter into a 20 mm port. When you unplug the MagSafe Airline Adapter from a 20 mm port, remove it by pulling on the 20 mm adapter, not the MagSafe cable.
[Illustration: EmPower port; 20 mm port]
WARNING: Never plug the MagSafe Airline Adapter, with or without the 20 mm adapter or third-party adapter, into an automobile’s cigarette lighter or auxiliary power socket. Using the MagSafe Airline Adapter in a car won’t provide power to the computer or charge the battery.

Français

3 MagSafe Airline Adapter
The MagSafe Airline Adapter works with all Apple portable computers that have a MagSafe power adapter port. Plug the MagSafe Airline Adapter into the EmPower port closest to your airplane seat. Connect the other end to your computer’s MagSafe port. Using the MagSafe Airline Adapter lets you power your computer without draining its battery.

Safety
Unplug the MagSafe Airline Adapter before leaving your seat, to avoid tripping over the cable. Be careful not to spill liquid on the MagSafe Airline Adapter. For general safety information and information on the applicable regulations, see the user’s guide that came with your computer.

Other Power Sources
On airlines whose aircraft are equipped with 20 mm power ports, use the 20 mm adapter (supplied in the kit) with the MagSafe Airline Adapter.
To attach the 20 mm adapter to the MagSafe Airline Adapter, align the airplane logos and slide the adapters together. Then insert the 20 mm adapter into a 20 mm port. When you unplug the MagSafe Airline Adapter from a 20 mm port, remove it by pulling on the 20 mm adapter, not on the MagSafe cable.
[Illustration: EmPower port; 20 mm power ports]
WARNING: Never plug the MagSafe Airline Adapter into an automobile cigarette lighter or auxiliary power socket, with or without the 20 mm adapter or any third-party adapter. Using the MagSafe Airline Adapter in a car does not power the computer and does not recharge its battery.

Deutsch

4 MagSafe Airline Adapter
The MagSafe Airline Adapter is compatible with all Apple portable computers that have a MagSafe port. Plug the MagSafe Airline Adapter into the EmPower power port near your seat in the aircraft. Connect the other end of the cable to your computer’s MagSafe port. The MagSafe Airline Adapter supplies your computer with power but does not charge the battery.

Safety
Unplug the MagSafe Airline Adapter cable from the port before leaving your seat, to avoid tripping over the cable. Make sure that no liquid gets into or onto the MagSafe Airline Adapter. General safety information and guidelines can be found in your computer’s user manual.

Other Power Sources
In aircraft that provide a 20 mm power port, use the 20 mm adapter (supplied with this kit) with the MagSafe Airline Adapter. To connect the 20 mm adapter to the MagSafe Airline Adapter, align the airplane symbols and slide the adapter plugs together. Then connect the 20 mm adapter to a 20 mm power port.
When you disconnect the MagSafe Airline Adapter from a 20 mm port, pull on the 20 mm adapter, not on the MagSafe cable.
[Illustration: EmPower port; 20 mm port]
WARNING: Never connect the MagSafe Airline Adapter, with or without the 20 mm adapter or a third-party adapter, to the cigarette lighter or any other power socket in a car. Connecting the MagSafe Airline Adapter in a car neither supplies the computer with power nor charges the battery.

Español

5 MagSafe Airline Adapter
The MagSafe Airline Adapter works with all Apple portable computers that have a MagSafe Power Adapter port. Plug the MagSafe Airline Adapter into the EmPower port closest to your seat. Connect the other end to your computer’s MagSafe port. The MagSafe Airline Adapter supplies power to your computer but does not recharge the battery.

Safety
Disconnect the MagSafe Airline Adapter before leaving your seat to avoid tripping over the cable. Take care not to spill liquids on the MagSafe Airline Adapter. For more information about safety and regulations, see the user manual that came with your computer.

Other Power Sources
On airlines that have 20 mm power ports, use the 20 mm adapter (included in the kit) with the MagSafe Airline Adapter. To connect the 20 mm adapter to the MagSafe Airline Adapter, align the airplane logos and push the two adapters together. Then insert the 20 mm adapter into a 20 mm port. When you unplug the MagSafe Airline Adapter from a 20 mm port, remove it by pulling on the 20 mm adapter, not on the MagSafe cable.
[Illustration: EmPower port; 20 mm power port]
WARNING: Never plug the MagSafe Airline Adapter, whether or not it is connected to a 20 mm adapter or another manufacturer’s adapter, into an automobile cigarette lighter or an auxiliary power supply. Using the MagSafe Airline Adapter in an automobile will not supply power to the computer or recharge the battery.

www.apple.com
© 2008 Apple Inc. All rights reserved. Apple, the Apple logo, and MagSafe are trademarks of Apple Inc., registered in the U.S. and other countries. Other company and product names mentioned herein may be trademarks of their respective companies. ZM034-4527-A Printed in XXXX

Apple Multiple Scan 20 Display

Features

Exceptional image quality
• Sony’s Trinitron screen displays very sharp, precise images with faithful colors, thanks to its exceptional brightness, contrast, convergence, focus, and white uniformity
• Digital controls let you precisely adjust brightness, contrast, geometry, centering, and convergence as well as white balance
• The screen’s low curvature reduces distortion and reflections

Ergonomic features
• The tilt-and-swivel stand lets you position the screen for ideal viewing comfort
• The keyboard and mouse connect easily via the Apple Desktop Bus (ADB) connectors built into the base of the monitor.
• Easy access to the control panel on the front of the monitor
• A high-quality anti-glare, anti-flicker filter
• 75 Hz refresh rate to reduce the eye fatigue caused by flicker
• Complies with the EPA EnergyStar energy-saving rules by switching to a low-power mode during periods of inactivity
• Complies with the MPR II standards for low-frequency electrical and magnetic emissions

Advanced features
• Multiple-scan electronics give the user a higher level of flexibility
• Can display a range of resolutions: from 640 x 480 up to 1280 x 1024 pixels
• Adjustable white point for faithful color reproduction
• Software lets you change resolution mode without restarting the computer

Compatibility and price
• Works with the Power Macintosh, Macintosh Quadra, Macintosh Centris, and the Macintosh Display Card 24AC
• Supplied with a PC adapter for easy connection to an IBM PC
• Offers advanced technology at a reasonable price

With the Apple Multiple Scan 20 Display, publishing professionals have the ideal solution for displaying color graphics. This high-quality two-page display comes with a PC video adapter that lets it be used with your MS-DOS and Windows systems and, of course, with any Macintosh. Today, the two-page format is just as indispensable to graphics and publishing professionals as it is to photo retouchers and journalists. The Apple Multiple Scan 20 offers a complete, high-quality Apple solution to meet this need; the system is easy to set up and lets you get on with your work, whether creating a newsletter or producing a newspaper.
Equipped with Sony’s latest Trinitron CRT, which has a 0.26 mm aperture grille pitch, the Apple Multiple Scan 20 Display delivers sharp, bright color images. It offers a wide range of resolutions for greater flexibility. Using the software supplied with the display, and without quitting your applications or restarting your Macintosh, you can enlarge on-screen images and flexibly increase the resolution up to the two-page format. It supports all resolutions from 640 x 480 to 1,280 x 1,024 pixels on Macintosh computers or on IBM PC compatibles from other vendors.
Reflecting Apple’s constant concern for user comfort, the Apple Multiple Scan 20 Display is easy to set up and very pleasant to use. Connecting it to your system is child’s play: the ADB connectors are built into the base of the monitor. It also includes the PC adapter for connection to a PC. The Apple Multiple Scan 20 Display has a high-quality anti-glare filter that greatly reduces distortion. Easy access to very precise digital adjustments for white point, geometry, centering, and image convergence lets you obtain optimal viewing quality. Even with all these features, the Apple Multiple Scan 20 Display remains the best choice at a reasonable price for graphics development and page layout professionals.

Apple Multiple Scan 20 Display
Apple Computer Benelux B.V.
Buro & Design Center
Esplanade du Heysel 001 - bte 100
1020 Bruxelles

Technical Specifications

Tube
• 20-inch diagonal Trinitron CRT; viewable image size: 19.1 inches
• Aperture grille pitch: 0.26 mm

Resolution
Macintosh computers
• 620 x 480 at 67 Hz: presentation format
• 832 x 624 at 75 Hz: publishing format
• 1024 x 768 at 75 Hz: two-page format
• 1152 x 870 at 75 Hz: enlarged format
• 1280 x 1024 pixels at 75 Hz
IBM PC compatible systems
• 640 x 480 at 60 Hz (VGA)
• 800 x 600 at 60 Hz (SVGA)
• 1024 x 768 at 60 Hz (SVGA)
• 1280 x 1024 at 60 Hz

Scan frequency
• 30 to 85 kHz horizontal
• 50 to 120 kHz vertical

Screen treatment
• High-quality anti-glare, anti-static filter

Digital controls
• Brightness
• Contrast
• Horizontal centering and size
• Vertical centering and size
• Convergence
• Rotation
• Pincushion
• White point range: 5000°K, 6500°K, 9300°K
• Power switch

Connectors
• 15-pin D-sub connector for Macintosh systems
• 15-pin HD adapter for PCs

Degaussing circuit
• Automatic at power-on

Power supply
• Voltage: 90 to 132 V AC and 198 to 264 V AC
• Frequency: 43 to 63 Hz, single phase
• Consumption: 165 W maximum in operation, and less than 15 W in economy mode

Operating conditions
• Operating temperature: 10 to 40 °C
• Humidity: 90% maximum, noncondensing
• Maximum altitude: 0 to 3,048 meters

Weight and dimensions
• Height: 47.5 cm
• Width: 47.5 cm
• Depth: 50 cm
• Display weight: 29.7 kg
• Total packed weight: 36 kg

Compliance standards
• FCC Part 15 Class A
• CE Mark (including CISPR 22 Class B)
• DOC Class A
• MPR II
• VCCI
• EPA EnergyStar
• UL 1950
• CSA 950
• EN60950

System requirements
• Power Macintosh, Macintosh Quadra, Macintosh Centris, or Macintosh Display Card 24 AC

Available configuration
Apple Multiple Scan 20 Display
• Apple Multiple Scan 20
• Apple Multiple Scan software
• PC adapter
• Captive video cable
• ADB jumper cable
• Power jumper cable
• User’s manual
• Limited warranty

© 1994 Apple Computer, Inc. All rights reserved. Apple, the Apple logo, Macintosh, Macintosh Quadra, Macintosh Centris, and Power Macintosh are trademarks of Apple Computer, Inc., registered in the United States and other countries. Apple Desktop Bus and Macintosh Centris are trademarks of Apple Computer, Inc. MS-DOS is a registered trademark of Microsoft Corporation and Windows is a trademark of Microsoft Corporation. Trinitron is a registered trademark of Sony Corporation. Non-Apple products are mentioned for information purposes only; they are neither recommended nor endorsed by Apple Computer. Apple Computer accepts no responsibility for the selection, reliability, or use of these products. All agreements, contracts, and warranties are made directly between the vendors and prospective users. September 1995. The specifications of the products described in this brochure are subject to change without notice.

Mac OS X Server
System Image Administration
For Version 10.3 or Later

Apple Computer, Inc.
© 2003 Apple Computer, Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid support services. Use of this logo for commercial purposes via the keyboard (Option-1) may constitute trademark infringement and/or unfair competition.
Apple, the Apple logo, AirPort, AppleShare, iBook, iMac, Mac, Macintosh, Mac OS, PowerBook, Power Mac, and Xserve are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.
Note: Apple continually improves the performance and design of its products. Some illustrations in this manual may differ slightly from your version of the software.
F022-1325

Contents

Chapter 1 About System Image Administration
  NetBoot and Network Install
  Inside NetBoot
    Disk Images
    NetBoot Share Points
    Client Information File
    Shadow Files
    NetBoot Image Folders
    Property List File
    Boot Server Discovery Protocol (BSDP)
    BootP Server
    TFTP and the Boot Files
    Using Images Stored on Other Servers
    Security
  Before You Set Up NetBoot
    What You Need to Know
    Client Computer Requirements
    Network Hardware Requirements
    Network Service Requirements
    Capacity Planning
  Setup Overview

Chapter 2 Creating Boot and Install Images
  Creating Mac OS X Boot Images
    Creating a Mac OS X Boot Image
    Installing the Classic Environment in a Mac OS X Disk Image
    Configuring Directory Access for a Boot Image
    Adding an Operating System Update Package to a Mac OS X Boot Image
    Creating a Mac OS X Boot Image from an Existing System
    Synchronizing an Image with an Updated Source Volume
    Choosing the Protocol Used to Deliver an Image
    Compressing Images to Save Disk Space
    Changing How Mac OS X NetBoot Clients Allocate Shadow Files
  Creating Mac OS 9 Boot Images
    Installing a Mac OS 9 Boot Image
    Modifying a Mac OS 9 Boot Image
    Setting Up Multiple Mac OS 9 Images
    Unlocking an Image
  Creating Install Images
    Creating an Operating System Install Image
    Adding Software to Boot and Install Images
    About Packages
    Creating Packages
    Adding Packages to a Boot or Install Image
    Creating an Application-Only Install Image
    Automating Installation of an Image
    Viewing the Contents of a Package
    Installing Mac OS Updates

Chapter 3 Setting Up NetBoot Service
  Setting Up NetBoot
    Configuring NetBoot Service
    Starting NetBoot and Related Services
    Enabling Images
    Choosing Where Images Are Stored
    Choosing Where Shadow Files Are Stored
    Using Images Stored on Other NFS Servers
    Moving Images to Headless Servers
    Specifying the Default Image
    Setting an Image for Diskless Booting
    Restricting NetBoot Clients by Filtering Addresses
    Changing Advanced NetBoot Options

Chapter 4 Setting Up Clients
  Managing Client Computers
    Updating the Startup Disk Control Panel
    Setting Up Diskless Clients
    Selecting a NetBoot Boot Image (Mac OS X)
    Selecting a NetBoot Boot Image (Mac OS 9)
    Selecting a NetBoot Install Image (Mac OS X)
    Selecting a NetBoot Install Image (Mac OS 9)
    Starting Up Using the N Key

Chapter 5 Managing NetBoot Service
  Controlling and Monitoring NetBoot
    Turning Off NetBoot Service
    Disabling Individual Boot or Install Images
    Viewing a List of NetBoot Clients
    Checking the Status of NetBoot and Related Services
    Viewing the NetBoot Service Log
  Performance and Load Balancing
    Boot Images
    Distributing Boot Images Across Servers
    Distributing Boot Images Across Server Disk Drives
    Balancing Boot Image Access
    Distributing Shadow Files
    Advanced NetBoot Tuning

Chapter 6 Solving Problems
  General Tips
  A NetBoot Client Computer Won’t Start Up
  You’re Using Macintosh Manager and a User Can’t Log In to a NetBoot Client
  The Create Button in Network Image Utility Is Not Enabled
  Controls and Fields in Network Image Utility Are Disabled
  An Image Can’t Be Set to Use Static Booting (NetBoot version 1.0)

Glossary

Index

1 About System Image Administration

This chapter explains how to start up client computers using an operating system installed on a server, and how to install software on those computers over the network.

NetBoot and Network Install
The NetBoot and Network Install features of Mac OS X Server are effective tools for managing the operating system and application software your Macintosh clients (or even other servers) need in order to start up and do their work. Rather than going from computer to computer to install the operating system or software from CD-ROMs, you can prepare an install image that is installed automatically on each computer when it starts up. You can also choose not to install software on the clients at all, but instead have them start up (or “boot”) directly from an image stored on the server. The clients don’t even need to have hard disks. With NetBoot and Network Install, you can start your client computers from a standardized Mac OS configuration suited to their specific tasks.
Because the client computers start up from the same image, you can quickly update the operating system for the whole group by updating a single boot image.

A boot image is a file that looks and behaves like a mountable disk or volume. NetBoot boot images contain the system software needed to act as a startup disk for client computers over the network. An install image is a special boot image that boots the client just long enough to install software from the image, after which the client can start up from its own hard disk. Boot and install images are special kinds of disk images, which are files that behave just like disk volumes.

You can set up several boot or install images to meet the needs of different groups of clients, or to provide several copies of the same image in order to spread the client startup load.

You can use NetBoot together with the Mac OS X client management services to provide a personalized work environment for each user of a client computer. For more information about client management services, see the user management guide.

You can use the following Mac OS X Server applications to set up and manage NetBoot and Network Install:
• Network Image Utility, to create Mac OS X disk images. Installed with the Mac OS X Server software in the /Applications/Server folder.
• Server Admin, to enable and configure NetBoot service and its supporting services. Installed with the Mac OS X Server software in the /Applications/Server folder.
• PackageMaker, to create the package files you use to add extra software to disk images. On the Admin Tools CD-ROM, in the Utilities folder.
• Property List Editor, to edit property lists such as NBImageInfo.plist. On the Admin Tools CD-ROM, in the Utilities folder.
• NetBoot Desktop Admin, an optional application for modifying Mac OS 9 system disk images and the applications disk image.

If you still have Mac OS 9 clients, you need a copy of the NetBoot for Mac OS 9 CD-ROM (available separately). This CD-ROM includes a preconfigured Mac OS 9.2.2 system disk image and the NetBoot Desktop Admin application.

Inside NetBoot

This section describes how NetBoot is implemented on Mac OS X Server, including information about the protocols, files, directory structures and configuration involved.

Disk Images

Read-only disk images contain the system software and applications that client computers use over the network. A disk image's name usually has the extension ".img" or ".dmg". Disk Utility, supplied with Mac OS X and Mac OS 9.2.2, can mount disk image files as volumes on the desktop. Mac OS 9 and Mac OS X disk images are set up slightly differently.

You can use Network Image Utility to create Mac OS X disk images, using a Mac OS X install disc or an existing system volume as the source. See "Creating a Mac OS X Boot Image" on page 21.

A preconfigured Mac OS 9 disk image is supplied on a CD-ROM named NetBoot for Mac OS 9, available separately. It contains versions of the Mac OS 9 image localized in several languages.
See "Installing a Mac OS 9 Boot Image" on page 27. To modify this Mac OS 9 disk image, use NetBoot Desktop Admin. See "Modifying a Mac OS 9 Boot Image" on page 27.

NetBoot Share Points

NetBoot sets up share points to make image files and shadow files available to clients. NetBoot creates share points for storing boot and install images in the /Library/NetBoot folder on each volume you enable, and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each additional share point. For example, if you decide to store images on three separate server disks, NetBoot sets up three share points named NetBootSP0, NetBootSP1 and NetBootSP2. Share points for client shadow files are also created in the /Library/NetBoot folder and are named NetBootClientsn. You can create and enable additional NetBootSPn and NetBootClientsn share points on other server volumes using the General settings of NetBoot service in Server Admin.

Client Information File

NetBoot gathers information about a client the first time it tries to start up from the NetBoot server. NetBoot stores this information in the file /var/db/bsdpd_clients.

Warning: Don't rename a NetBoot share point or the volume on which it resides.
Don't use Workgroup Manager to stop sharing a NetBoot share point unless you first deselect that share point for images and shadow files in Server Admin.

Shadow Files

Many clients can read data from the same boot image, but when a client needs to write data to its startup volume (print jobs and other temporary files, for example), NetBoot automatically redirects those writes to the client's shadow files, which are kept separate from the standard system and application software. The shadow files preserve each client's unique identity for as long as it runs from a NetBoot image. NetBoot transparently manages the modified user data in the shadow files while reading unmodified data from the shared system image. The shadow files are recreated at every startup, so any changes the user makes to the startup volume are lost on restart. If a user saves a document to the startup volume, for example, that document will simply be gone after the next restart. This behavior preserves the environment conditions defined by the administrator. Users are therefore advised to have an account on a file server on the network for saving their documents.

Shadow File Load Balancing

NetBoot creates an AFP share point on each server volume you specify (see "Choosing Where Shadow Files Are Stored" on page 39) and distributes the client shadow files across them to balance the load for NetBoot clients. Performance is not improved if the volumes are partitions of the same disk. See "Distributing Shadow Files" on page 53.
Allocating Shadow Files for Mac OS X NetBoot Clients

When a client computer starts up from a Mac OS X boot image, it creates its shadow files on a NetBootClientsn share point on the server or, if no share point is available, on a local disk of the client. For information about changing this behavior, see "Changing How Mac OS X NetBoot Clients Allocate Shadow Files" on page 26.

NetBoot Image Folders

A NetBoot image folder contains the boot image file, a boot file used by the firmware to start the boot process, and other files needed to start up a client computer over the network. A NetBoot image folder's name has the extension ".nbi". The NBI folder for Mac OS 9 is slightly different from the one for Mac OS X, because the components required for booting are different.

Mac OS X NetBoot Image Folder

You can use Network Image Utility to set up Mac OS X NBI folders. The utility lets you:
• Name the image
• Choose the image type (NetBoot or Network Install)
• Specify an image ID
• Choose the default language
• Specify a default user name and password
• Enable automatic installation of images
• Add preinstalled packages or applications
See "Creating a Mac OS X Boot Image" on page 21.

Mac OS 9 NetBoot Image Folder

Use NetBoot Desktop Admin to modify the Mac OS 9 NBI folder. The utility lets you modify the image file (NetBoot HD.img), change the image name, adjust the image size and add software to the applications image.
Contents of a Mac OS X image folder:

  File                 Description
  booter               Boot file
  mach.macosx          UNIX kernel
  mach.macosx.mkext    Drivers
  System.dmg           Boot image file (may include applications)
  NBImageInfo.plist    Property list file

Contents of a Mac OS 9 image folder:

  File or folder       Description
  Mac OS ROM           Boot file
  NetBoot HD.img       System boot image file
  Application HD.img   Applications image file
  NBImageInfo.plist    Property list file
  Backup               Folders created by NetBoot Desktop Admin (while it runs) for the backup image

Property List File

The property list file (NBImageInfo.plist) stores the properties of an image. The files for Mac OS 9 and Mac OS X are described in the lists below. The initial values in NBImageInfo.plist are set by the tools used to process the image files (NetBoot Desktop Admin for Mac OS 9 images and Network Image Utility for Mac OS X images), so you normally don't need to edit the file directly. Some values are set by Server Admin. If you do need to edit a property list file, you can use TextEdit or Property List Editor, both of which are in the Utilities folder on the Mac OS X Server Admin Tools CD-ROM.

Mac OS 9 property list (property, type, description):
• BootFile (String): Name of the boot ROM file: Mac OS ROM.
• Index (Integer): Values 1 to 4095 indicate a local image that is unique to this server. Values 4096 to 65,535 indicate an identical image duplicated on several servers for load balancing.
• IsDefault (Boolean): "True" designates this image file as the default boot image on the subnet.
• IsEnabled (Boolean): Sets whether the image is available to NetBoot (or Network Image) clients.
• IsInstall (Boolean): "True" indicates a Network Install image; "False" indicates a NetBoot image.
• Name (String): Name of the image as it appears in the Startup Disk control panel (Mac OS 9) or the Preferences window (Mac OS X).
• Type (String): Classic.
• SupportsDiskless (Boolean): "True" tells the NetBoot server to allocate space for the shadow files required by diskless clients.

Mac OS X property list (property, type, description):
• BootFile (String): Name of the boot ROM file: booter.
• Index (Integer): Values 1 to 4095 indicate a local image that is unique to this server. Values 4096 to 65,535 indicate an identical image duplicated on several servers for load balancing.
• IsDefault (Boolean): "True" designates this image file as the default boot image on the subnet.
• IsEnabled (Boolean): Sets whether the image is available to NetBoot (or Network Image) clients.
• IsInstall (Boolean): "True" indicates a Network Install image; "False" indicates a NetBoot image.
• Name (String): Name of the image as it appears in the Startup Disk control panel (Mac OS 9) or the Preferences window (Mac OS X).
• RootPath (String): Path to the disk image on this server, or to an image on another server. See "Using Images Stored on Other Servers" on page 14.
• Type (String): NFS or HTTP.
• SupportsDiskless (Boolean): "True" tells the NetBoot server to allocate space for the shadow files required by diskless clients.
• Description (String): Arbitrary text that describes the image.
• Language (String): Code indicating the language to use when booting from the image.

Boot Server Discovery Protocol (BSDP)

NetBoot uses an Apple-developed protocol based on DHCP, called the Boot Server Discovery Protocol (BSDP), to discover NetBoot servers on a network. NetBoot clients get their IP address from a DHCP server and their NetBoot information via BSDP. BSDP has built-in support for load balancing. See "Performance and Load Balancing" on page 51.

BootP Server

NetBoot uses a BootP server (bootpd) to provide the information client computers need when they try to start up from an image on the server. If you have BootP clients on your network, they may ask the NetBoot BootP server for an IP address; that request fails, because the NetBoot BootP server has no addresses to offer. To keep the NetBoot BootP server from answering IP address requests, use NetInfo Manager to open the NetBoot server's local NetInfo directory and add a key named bootp_enabled, with no value, to the /config/dhcp directory.

TFTP and the Boot Files

NetBoot uses the Trivial File Transfer Protocol (TFTP) to send the boot files from the server to the client. The boot files are set up by Network Image Utility when you create an image, and are stored on the server in the directory /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image). For Mac OS 9 there is a single file, named Mac OS ROM. For Mac OS X images there are three files: booter, mach.macosx and mach.macosx.mkext.
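The share point layout, image folder contents and NBImageInfo.plist properties described above can be checked mechanically before images are enabled in Server Admin. The following script is an added example and not part of Apple's documentation or software: it builds a sample NetBootSP0 tree in a temporary directory (the image names, Index values and RootPath strings are constructed for the example) and reports the inconsistencies an administrator would want to catch, such as a missing boot file, an invalid Type, two local images sharing an Index, or more than one default image.

```python
# Added example, not Apple's code: check the .nbi image folders of a NetBootSPn
# share point against the folder contents and NBImageInfo.plist rules above.
# Function names, the sample tree and its RootPath values are constructed here.
import os
import plistlib
import tempfile

REQUIRED_FILES = {  # files each kind of image folder must contain (tables above)
    "Mac OS X": {"booter", "mach.macosx", "mach.macosx.mkext", "System.dmg",
                 "NBImageInfo.plist"},
    "Mac OS 9": {"Mac OS ROM", "NetBoot HD.img", "Application HD.img",
                 "NBImageInfo.plist"},
}
VALID_TYPES = {"Mac OS X": {"NFS", "HTTP"}, "Mac OS 9": {"Classic"}}
BOOL_KEYS = ("IsDefault", "IsEnabled", "IsInstall", "SupportsDiskless")
LOCAL_INDEX = range(1, 4096)       # image unique to this server
SHARED_INDEX = range(4096, 65536)  # same image replicated on several servers


def check_image_folder(folder):
    """Return (plist contents, problems) for one .nbi folder; no problems = OK."""
    path = os.path.join(folder, "NBImageInfo.plist")
    if not os.path.isfile(path):
        return {}, ["NBImageInfo.plist missing"]
    with open(path, "rb") as fh:
        info = plistlib.load(fh)
    # BootFile tells the kinds apart: "Mac OS ROM" (Mac OS 9) or "booter" (Mac OS X).
    kind = "Mac OS 9" if info.get("BootFile") == "Mac OS ROM" else "Mac OS X"
    missing = REQUIRED_FILES[kind] - set(os.listdir(folder))
    problems = [f"missing {name}" for name in sorted(missing)]
    index = info.get("Index")
    if not isinstance(index, int) or not (index in LOCAL_INDEX or index in SHARED_INDEX):
        problems.append(f"Index {index!r} is not in 1-65535")
    if info.get("Type") not in VALID_TYPES[kind]:
        problems.append(f"Type {info.get('Type')!r} is not valid for a {kind} image")
    for key in BOOL_KEYS:
        if not isinstance(info.get(key), bool):
            problems.append(f"{key} missing or not a boolean")
    if kind == "Mac OS X" and not info.get("RootPath"):
        problems.append("RootPath missing")
    return info, problems


def check_share_point(share_point):
    """Check every .nbi folder; returns {name: [problems]}.  Also flags two local
    images (Index 1-4095) sharing one Index and more than one default image."""
    results, seen_local, defaults = {}, {}, []
    for name in sorted(n for n in os.listdir(share_point) if n.endswith(".nbi")):
        info, results[name] = check_image_folder(os.path.join(share_point, name))
        index = info.get("Index")
        if isinstance(index, int) and index in LOCAL_INDEX:
            if index in seen_local:
                results[name].append(f"Index {index} already used by {seen_local[index]}")
            seen_local.setdefault(index, name)
        if info.get("IsDefault") is True:
            defaults.append(name)
    if len(defaults) > 1:
        for name in defaults:
            results[name].append("more than one image is marked IsDefault")
    return results


def build_sample_share_point(root):
    """Construct a sample Library/NetBoot/NetBootSP0 tree with three images."""
    share_point = os.path.join(root, "Library", "NetBoot", "NetBootSP0")
    common = {"IsEnabled": True, "IsInstall": False, "SupportsDiskless": True}
    samples = {  # folder name: (files present, NBImageInfo.plist contents)
        # Well-formed Mac OS X boot image, local to this server.
        "Lab.nbi": (REQUIRED_FILES["Mac OS X"], dict(
            common, BootFile="booter", Index=1, IsDefault=True, Name="Lab",
            Type="NFS", RootPath="NetBootSP0/Lab.nbi/System.dmg", Language="English")),
        # Mac OS 9 image missing its application image and reusing Index 1.
        "Classic.nbi": (REQUIRED_FILES["Mac OS 9"] - {"Application HD.img"}, dict(
            common, BootFile="Mac OS ROM", Index=1, IsDefault=True, Name="Classic",
            Type="Classic")),
        # Network Install image with an invalid Type and no RootPath.
        "Install.nbi": (REQUIRED_FILES["Mac OS X"], dict(
            common, BootFile="booter", Index=5000, IsDefault=False, IsInstall=True,
            Name="Install", Type="AFP")),
    }
    for name, (files, info) in samples.items():
        folder = os.path.join(share_point, name)
        os.makedirs(folder)
        for filename in files:
            open(os.path.join(folder, filename), "wb").close()
        with open(os.path.join(folder, "NBImageInfo.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    return share_point


def run_sample_check():
    """Build the sample tree in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        return check_share_point(build_sample_share_point(root))


if __name__ == "__main__":
    for name, problems in run_sample_check().items():
        print(name + ":", "; ".join(problems) or "OK")
```

Point check_share_point at a real /Library/NetBoot/NetBootSPn folder to run the same checks against a live share point.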
The NetBootSPn directory is set up automatically on your server's boot volume if you enable NetBoot while installing Mac OS X Server. Otherwise, NetBootSPn share points are set up on each volume you choose for storing images in the NetBoot settings of Server Admin.

Using Images Stored on Other Servers

You can store Mac OS X boot or install images on NFS servers other than the NetBoot server itself. For details, see "Using Images Stored on Other NFS Servers" on page 40.

Security

You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also called Ethernet or MAC addresses) of the computers you want to allow or deny. A client computer's hardware address is added automatically to the NetBoot filter list when the client starts up using NetBoot, and by default it is allowed to use NetBoot. You can specify other addresses yourself. See "Restricting NetBoot Clients by Filtering Addresses" on page 42.

Before You Set Up NetBoot

Before setting up a NetBoot server, take the following considerations and requirements into account.

What You Need to Know

To set up NetBoot on your server, you need to be familiar with your network configuration, in particular the DHCP services offered. Make sure you meet the following requirements:
• You are the server administrator.
• You are familiar with the network setup.
• You know the DHCP configuration.
You may also need to work with the networking staff to change topologies, switches, routers and other network settings.
Client Computer Requirements

Most Macintosh computers that can run Mac OS 9.2.2 or later can use NetBoot to start up from a Mac OS X disk image on a server. At the time this documentation was published, the following Macintosh computers were supported:
• Slot-loading iMac G3 (tray-loading iMacs are not supported)
• iMac G4
• iBook
• eMac
• Power Mac G5
• Power Mac G4
• Power Mac G4 Cube
• PowerBook G3 (FireWire)
• PowerBook G4
• Xserve

Be sure to install the latest firmware updates on all your client computers. These updates are available on the Apple support website: www.apple.com/support/

Power Mac G5 clients cannot boot from images prepared for Power Mac G4 or earlier processors, and Power Mac G4 or earlier processors cannot boot from images prepared for Power Mac G5 processors. If you have both kinds of client, you must set up two separate images.

Older Macintosh computers, namely tray-loading iMacs and Power Macintosh G3 (blue and white) computers, require older firmware versions (which need NetBoot software version 1.0) and are no longer supported. Mac OS X Server version 10.3 supports only NetBoot version 2.0.

Client Computer RAM Requirements

These are the minimum amounts of memory required for a client computer that starts up from a Mac OS 9 or Mac OS X boot image:
• Booting from a Mac OS 9 disk image: 64 MB
• Booting from a Mac OS X disk image: 128 MB
Client computers using Network Install must also have 128 MB of RAM.
Software Updates for NetBoot System Disk Images

You must use the latest system software when creating NetBoot disk images. New Macintosh computers require updated system software, so if you have new Macintosh clients you need to update your boot images. To update a Mac OS X disk image, see "Adding an Operating System Update Package to a Mac OS X Boot Image" on page 24. To update a Mac OS 9 disk image, see "Modifying a Mac OS 9 Boot Image" on page 27.

Ethernet Support on Client Computers

NetBoot is supported only over the built-in Ethernet connection. Only one Ethernet port is supported on client computers. Clients must have Ethernet cards of at least 100 Mbit.

Network Hardware Requirements

The type of network connection you use depends on the number of clients you expect to boot over the network:
• 100 Mbit Ethernet (for booting fewer than 10 clients)
• 100 Mbit switched Ethernet (for booting 10 to 50 clients)
• Gigabit Ethernet (for booting more than 50 clients)
These are estimates of the number of clients supported. See "Capacity Planning" on page 17 for details on the optimal system and network configurations for your number of clients.

Network Service Requirements

Depending on the types of client you want to boot or install, your NetBoot server must also provide the services listed below.

Note: DHCP service is listed as optional because, although NetBoot requires it, it can be provided by a server other than the NetBoot server.
Services marked "required" must be running on the NetBoot server.

Service provided by the NetBoot server, by client type (Mac OS X computers with hard disks; Mac OS X computers without hard disks; Mac OS 9 computers):
• DHCP: optional (Mac OS X with disk); optional (Mac OS X diskless); optional (Mac OS 9)
• NFS: required if not using HTTP (Mac OS X with disk); required if not using HTTP (Mac OS X diskless)
• AFP: required (Mac OS X diskless); required (Mac OS 9)
• HTTP: required if not using NFS (Mac OS X with disk); required if not using NFS (Mac OS X diskless)
• TFTP: required (Mac OS X with disk); required (Mac OS X diskless); required (Mac OS 9)

NetBoot and AirPort

Using AirPort wireless technology with NetBoot clients is not supported by Apple and is not recommended.

Capacity Planning

The number of NetBoot client computers your server can support depends on how your server is configured, when the clients usually start up, the server's disk space, and a number of other factors. When planning for your server and network needs, consider the following factors:
• Ethernet speed: 100Base-T or faster connections are required for both the client computers and the server. The more clients you add, the faster your server's Ethernet connections need to be. Ideally, you take advantage of the Gigabit Ethernet capability built into your Mac OS X Server hardware to connect to a Gigabit switch. From that switch, you can then run Gigabit Ethernet or 100 Mbit Ethernet to each of your NetBoot clients.
• Hard disk capacity and number of images: boot and install images take up disk space on server volumes, depending on the size and configuration of the system image and on the number of images stored.
Images can be distributed across several volumes or servers. For details, see "Performance and Load Balancing" on page 51.
• Hard disk capacity and number of users: if you have a large number of diskless Mac OS 9 or Mac OS X clients, consider adding a separate file server to your network for storing users' temporary documents. Because the system software of a disk image is written to an image copy for each client that boots from that disk image, you can get a rough estimate of the disk space required by multiplying the size of the image copy by the number of clients.
• Number of Ethernet ports on the switch: spreading NetBoot clients across several Ethernet ports on your switch gives considerably better performance. Each port must serve a different segment.

Setup Overview

Here is an overview of the basic steps for setting up NetBoot service.

Step 1: Evaluate and update your network, servers and client computers as necessary
The number of client computers you can support with NetBoot is determined by the number of servers you have, how they are configured, their hard disk storage capacity, and other factors. See "Capacity Planning" on page 17. Depending on the results of this evaluation, you may add servers or hard disks, add Ethernet ports to your server, or make other changes. You can also set up more subnets for your BootP clients, depending on the number of clients supported. You can also implement subnets on this server (or other servers) in order to take advantage of NetBoot filtering.
See "Restricting NetBoot Clients by Filtering Addresses" on page 42.

If you plan to provide personalized work environments and permissions to your NetBoot clients through Workgroup Manager (Mac OS X clients) and Macintosh Manager (Mac OS 9 clients), you must set these up, then import users from the Mac OS X Server Users & Groups database, before creating your disk images. Make sure you have at least one Macintosh Manager user assigned to the System Access workgroup for Mac OS 9 clients, and to Workgroup Manager for Mac OS X clients.

Step 2: Create disk images for the client computers
To begin, set up the Mac OS 9 and Mac OS X disk images for your client computers. A preconfigured Mac OS 9 image is supplied with Mac OS X Server on the NetBoot for Mac OS 9 CD-ROM, available separately. This Mac OS 9 image can be modified. If you are using new client computers released after Mac OS X Server version 10.0.3, you must modify the Mac OS 9 disk image to support the new clients. See "Modifying a Mac OS 9 Boot Image" on page 27. Use Network Image Utility to create Mac OS X disk images. See "Creating a Mac OS X Boot Image" on page 21. To create application packages that you can add to an image, use PackageMaker. Application software packages can be installed on their own or together with the Mac OS X system software. See "Creating Packages" on page 32.

Step 3: Set up DHCP
NetBoot requires a DHCP server, either on the local server or on a remote server on the network.
Make sure you have a range of IP addresses large enough to cover the number of clients that may use NetBoot at the same time. If your NetBoot server also provides DHCP service, you get better performance by setting up your server as a gateway; that is, configure your subnets to use the server's IP address as the router IP address. Make sure DHCP service is started.

Step 4: Configure and enable NetBoot service
Use the NetBoot settings in Server Admin to configure NetBoot on your server. See Chapter 3, "Setting Up NetBoot Service". You can turn on NetBoot service with Server Admin. See "Starting NetBoot and Related Services" on page 38 and "Enabling Images" on page 39.

Step 5: Set up Ethernet address filtering (optional)
NetBoot filtering is based on the client computer's hardware address, which is recorded automatically the first time that client tries to start up from a NetBoot disk image. You can allow or deny clients based on their address. See "Restricting NetBoot Clients by Filtering Addresses" on page 42.

Step 6: Test your NetBoot setup
Because the risk of losing data or disrupting the network (through an incorrect DHCP configuration) is real, you should test your NetBoot setup before rolling it out to all clients. Test every Macintosh model you will be managing, to make sure there are no remaining problems related to the Boot ROM file of a particular type of hardware.
Step 7: Set up all client computers to use NetBoot
After verifying that NetBoot works on every type of client computer, you can set up the clients to start up from NetBoot disk images.

For Mac OS 9 clients: open the Startup Disk control panel, then select a startup disk image on the server. Then restart the computer. See "Selecting a NetBoot Boot Image (Mac OS 9)" on page 46.

Note: You may need to update the Startup Disk control panel on client computers that run Mac OS 9 from their local hard disk, so that it can display NetBoot disk images. See "Updating the Startup Disk Control Panel" on page 45.

For Mac OS X clients, version 10.2 or later: open the Startup Disk pane of System Preferences, then select a startup disk image on the server. Then restart the computer. See "Selecting a NetBoot Boot Image (Mac OS X)" on page 46.

Any type of client: restart the computer while holding down the N key until the NetBoot icon flashes. The client then starts up from the default image on the NetBoot server. See "Starting Up Using the N Key" on page 48.

2 Creating Boot and Install Images

This chapter gives step-by-step instructions for preparing boot or install images for use with NetBoot service.

Creating Mac OS X Boot Images

The instructions in this section explain how to create Mac OS X operating system boot images that you can use to start up client computers over the network. For help creating Mac OS 9 images, see "Creating Mac OS 9 Boot Images" on page 27.
Creating a Mac OS X Boot Image
Use Network Image Utility to create Mac OS X NetBoot images.
Note: you must obtain an operating system user license for every client that boots from a NetBoot disk image.
To create a boot image:
1 Log in to the server as an administrator.
2 Open Network Image Utility and click Boot.
3 In the General pane, type a name for the image you are creating. This name identifies the image in the Startup Disk preferences pane on client computers.
4 Type an image ID. To create an image that is unique to this server, choose an ID in the range 1 to 4095. To create one of several identical images that will be stored on different servers for load balancing, use an ID in the range 4096 to 65,535. Several images of the same type with an identical ID in this range are listed as a single image in a client's Startup Disk preferences pane.
5 (Optional) In the Description field, type any information that helps you characterize the image. Clients do not see what you type here.
6 (CD-ROM source only) Choose the system's default language. This option is available only if you have inserted the CD-ROM and chosen it as the source.
7 Decide whether the image should be delivered over NFS or HTTP. If you are not sure which to choose, use NFS.
8 Click Contents and choose the image source. You can choose an install CD-ROM, a mounted boot volume, or a disk image. If you are creating the image from a CD-ROM, make sure it is inserted.
Important: if you created a standard disk image (.dmg file) from an operating system install CD-ROM and want to use that image as the source of a NetBoot image, double-click the .dmg file in the Finder to mount the image, then select it in the pop-up menu.
9 (Optional) Click the Add (+) button under the Other Items list to add an application package, a system update package, or a script to the image.
10 (CD-ROM source only) Click Default User and type a user name, a short name, and a password (in the Password and Verify fields) for the system's default user account. You can log in to a booted client with this account.
11 Click Create Image. If the Create button is not enabled, make sure you have entered a name and an ID for the image, chosen an image source, and typed a default user name with a password of at least four characters.
12 In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by typing a new name in the Save As field. If you are creating the image on the server that will serve it, choose a volume from the "Serve from NetBoot share point on" pop-up menu. To save the image elsewhere, choose a location from the Where pop-up menu, or click the triangle next to the Save As field and select a folder.
13 Click Save. To check progress, watch the lower-left corner of the window. If you need to insert another CD, you will be prompted.
To create the image without including the contents of another CD, click Finalize when you are prompted to insert it.
Important: do not open the .nbi folder in /Library/NetBoot/NetBootSPn while the image is being created; if you do, clients will not be able to use the resulting image.
From the command line
You can also create a boot image using Terminal commands. For more information, see the system images chapter of the command-line administration guide.

Installing the Classic Environment in a Mac OS X Disk Image
You can install the Classic environment in a Mac OS X image by copying a Mac OS 9.2.2 System Folder into an "unlocked" NetBoot image. You must also specify the Mac OS X image as the Classic startup volume and start the Classic environment from the image using the Mac OS 9 preferences pane to complete the integration.
Do not try to install the Classic environment in Network Install images; this procedure works only with NetBoot images.
To install the Classic environment on a Mac OS X boot image:
1 Make sure the disk image file (.dmg) is unlocked. If the file's icon shows a small lock in the Finder (in /Library/NetBoot/NetBootSPn), log in to the server as the root user, select the image file, choose Get Info from the Finder's File menu, then deselect the Locked checkbox.
2 Double-click the image file to mount it.
3 Drag a Mac OS 9 System Folder into the disk image.
You can use the System Folder on the NetBoot for Mac OS 9 CD-ROM (available separately), or another Mac OS 9 version 9.2.2 System Folder that has previously been run as the Classic environment under Mac OS X.
4 In System Preferences on your server, open the Classic preferences pane and select the disk image as the startup volume for the Classic environment.
5 Click Start to start the Classic environment.
6 Stop the Classic environment, then eject the image file.
Warning: never modify a disk image that NetBoot clients are currently using, because doing so may cause unexpected client behavior. Before modifying a disk image, make sure nobody is using it, or make a copy of the file and modify the copy.

Setting Up Directory Access for a Boot Image
If you don't use DHCP to give NetBoot clients their Open Directory information, you can configure the Directory Access information and copy it onto a boot image.
To add Directory Access information to a boot image:
1 Open Directory Access (in /Applications/Utilities) on a running system and configure the directory settings as needed for your booted client computers.
2 Mount the boot image and copy the /Library/Preferences/DirectoryService/ directory from the running system you just configured to the same location in the boot image.

Adding an OS Update Package to a Mac OS X Boot Image
You can add a Mac OS X system update package to a NetBoot image so that your clients boot from the most recent system.
To apply a Mac OS X update to a NetBoot image:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Disable the image you want to update, to prevent access while you work on it: click Settings, click Images, deselect the Enable option for the image, then click Save.
3 Open Network Image Utility and click Images.
4 Select the image and click Edit.
5 In the Contents tab, click the Add (+) button and select the operating system update package.
6 Click Save.
7 Enable the image in the Images pane of the NetBoot settings in Server Admin.
From the command line
You can also update a boot image using Terminal commands. For more information, see the system images chapter of the command-line administration guide.

Creating a Mac OS X Boot Image from an Existing System
If you have set up a client computer for your users, you can use Network Image Utility to create a boot image that captures that client's configuration.
You must boot from a volume other than the one you are using as the image source (for example, an external FireWire hard disk or a second partition on the client's hard disk). You cannot create the image on a volume over the network.
To create a boot image from an existing system:
1 Boot the computer from a partition other than the one you are using as the image source.
2 Copy Network Image Utility to the client computer.
3 Open Network Image Utility on the client and click Boot.
4 Click the Contents tab and choose the partition you want to use from the Image Source pop-up list.
5 Type the remaining image information in the other panes, then click Create.
6 Once the image has been created on the client, export it to the server: click Images, select the image in the list, then click Export.
From the command line
You can also clone a boot image from an existing system using the hdiutil command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Synchronizing an Image with an Updated Source Volume
If you create an image from a system volume and later update the original volume, you can apply the updates to the image automatically without recreating it.
Important: be careful to synchronize the image with the correct original volume. The updated original volume must be a local volume on the server where the image is being edited.
To synchronize an image with an updated source volume:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Disable the image you want to update, to prevent access while you modify it: click Settings, click Images, deselect the Enable option for the image, then click Save.
3 Open Network Image Utility (in /Applications/Server).
4 Choose Network Image Utility > Preferences, enable the "Add items and synchronize when editing" option, then close the Preferences window.
5 Click Images, select the image, then click Edit.
6 Click Contents and choose the updated source volume from the Image Source pop-up menu.
7 Click Save.
8 Enable the image using Server Admin.

Choosing the Protocol Used to Deliver an Image
You can use NFS or HTTP to send images from the server to a client. You can choose the protocol when you create the image with Network Image Utility, or later, once the image is listed in Server Admin.
To choose the protocol when you create the image, select NFS or HTTP in the General pane of Network Image Utility.
To choose the protocol for an existing image, select the NetBoot service in Server Admin, click Settings, then choose a protocol from the pop-up list next to the image in the Images pane.
From the command line
You can also change the delivery protocol by editing the image's NBImageInfo.plist file in Terminal. For more information, see the system images chapter of the command-line administration guide.

Compressing Images to Save Disk Space
You can create compressed images by setting a preference in Network Image Utility.
To create compressed images:
1 Open Network Image Utility.
2 Choose Network Image Utility > Preferences and select the "Compress image on create/edit" option.
Make sure the volume on which you create the image has enough free space for both the uncompressed and the compressed image.
From the command line
You can also compress images using the hdiutil command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Changing How Mac OS X NetBoot Clients Allocate Shadow Files
By default, a Mac OS X NetBoot client puts its shadow files in a NetBootClientsn share point on the server.
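The NETBOOT_SHADOW setting this section goes on to describe (its four documented values are -NETWORK-, -NETWORK_ONLY-, -LOCAL- and -LOCAL_ONLY-) is a plain KEY=VALUE line in the image's /etc/hostconfig, so it can be audited and changed from a script. The script below is an added example, not part of Apple's guide or tools: it works on a constructed sample hostconfig written to a temporary file, and it refuses any value other than the four documented ones so that a typo is never written into an image.

```shell
#!/bin/sh
# Added example, not from the Apple guide: inspect and set NETBOOT_SHADOW in a
# NetBoot image's /etc/hostconfig. On a real server, FILE is the hostconfig
# inside the mounted image .dmg, never the server's own /etc/hostconfig.

# The four settings the guide documents for NETBOOT_SHADOW.
ALLOWED_SHADOW_VALUES="-NETWORK- -NETWORK_ONLY- -LOCAL- -LOCAL_ONLY-"

# get_netboot_shadow FILE
# Prints the effective value; an absent variable means the documented default.
get_netboot_shadow() {
    value=$(sed -n 's/^NETBOOT_SHADOW=//p' "$1" | tail -n 1)
    [ -n "$value" ] || value="-NETWORK-"
    printf '%s\n' "$value"
}

# is_valid_shadow_value VALUE
# Succeeds only for one of the documented settings.
is_valid_shadow_value() {
    for v in $ALLOWED_SHADOW_VALUES; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# set_netboot_shadow FILE VALUE
# Replaces an existing NETBOOT_SHADOW line or appends one; rejects any value
# that is not documented so a typo cannot be written into the image.
set_netboot_shadow() {
    file="$1"
    value="$2"
    if ! is_valid_shadow_value "$value"; then
        echo "set_netboot_shadow: '$value' is not a documented setting" >&2
        return 1
    fi
    if grep -q '^NETBOOT_SHADOW=' "$file"; then
        # Write through a temp file: BSD sed and GNU sed disagree on -i.
        tmp="$file.tmp.$$"
        sed "s/^NETBOOT_SHADOW=.*/NETBOOT_SHADOW=$value/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf 'NETBOOT_SHADOW=%s\n' "$value" >> "$file"
    fi
}

# Constructed sample hostconfig (not copied from a real image).
SAMPLE_HOSTCONFIG=$(mktemp)
cat > "$SAMPLE_HOSTCONFIG" <<'EOF'
HOSTNAME=-AUTOMATIC-
ROUTER=-AUTOMATIC-
NETBOOT_SHADOW=-NETWORK-
EOF

echo "before: $(get_netboot_shadow "$SAMPLE_HOSTCONFIG")"
# Diskless lab clients should refuse to boot rather than shadow to a local disk.
set_netboot_shadow "$SAMPLE_HOSTCONFIG" -NETWORK_ONLY-
echo "after:  $(get_netboot_shadow "$SAMPLE_HOSTCONFIG")"
rm -f "$SAMPLE_HOSTCONFIG"
```

Run it against the hostconfig of a mounted image copy rather than a live image, and re-enable the image in Server Admin only after the edit is complete.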
If no such share point is available, the client tries to store its shadow files on a local hard disk.
For Mac OS X version 10.3 (and later) images configured for diskless booting, you can change this behavior by using a text editor to set a value for the NETBOOT_SHADOW variable in the image's /etc/hostconfig file. The following values are allowed:

Value of NETBOOT_SHADOW    Shadow file behavior on the client
-NETWORK- (default)        Try to use a NetBootClientsn share point on the server for shadow file storage. If no share point is available on the server, use a local disk.
-NETWORK_ONLY-             Try to use a NetBootClientsn share point on the server for shadow file storage. If no share point is available on the server, do not boot.
-LOCAL-                    Try to use a local disk for shadow file storage. If no local disk is available, use a NetBootClientsn share point on the server.
-LOCAL_ONLY-               Try to use a local disk for shadow file storage. If no local disk is available, do not boot.

Note: this value is set in the /etc/hostconfig file inside the image's .dmg file, not in the server's own hostconfig file.

Creating Mac OS 9 Boot Images
You cannot use Network Image Utility to create Mac OS 9 images. Instead, you can use the image supplied on the NetBoot for Mac OS 9 CD-ROM (available separately).

Installing a Mac OS 9 Boot Image
To install the preconfigured Mac OS 9 disk image, log in as root and open the NetBoot.pkg file on the NetBoot for Mac OS 9 CD-ROM (available separately). The installer places the Mac OS 9 NetBoot image folder in /Library/NetBoot/NetBootSPn/DefaultMacOS92.nbi (where n is the volume number).

Modifying a Mac OS 9 Boot Image
To modify the preconfigured Mac OS 9 disk image or add software to it, you must boot a NetBoot client computer, connect to the NetBoot server volume, then launch NetBoot Desktop Admin. The changes you make are not applied until the NetBoot client computer running NetBoot Desktop Admin has restarted.
Before starting this procedure, make sure you have the name and password of a user with read/write access to the NetBoot server volume (for example, the administrator). The procedure that follows requires several restarts of the client computer.
Important: be especially careful if your network has more than one NetBoot server. The client may restart from a disk image on a server other than the one you are working on.
If you use Macintosh Manager with NetBoot client computers, every time you start or restart a computer you must log in as a Macintosh Manager client administrator belonging to the System Access workgroup.
To install software on or modify the Mac OS 9 disk image:
1 Log in to the server volume as a user with read/write access (for example, as the administrator).
2 Using the Chooser, connect to all of the server's volumes from the client.
3 Copy the NetBoot Desktop Admin application to a local volume on the client, then open the application. NetBoot Desktop Admin is supplied on the NetBoot for Mac OS 9 CD-ROM (available separately).
4 Click Make Private Copy. NetBoot Desktop Admin creates a copy of the disk image.
This operation may take a few minutes and must not be interrupted. Once the copy is complete, your NetBoot client computer restarts automatically.
Important: because a disk image copy is associated with the NetBoot client computer used to create it, you must use the same computer to make changes to that image. If you switch computers, you will no longer see the changes you made and users will not be able to use them. In addition, you increase the risk of the disk image being modified by unauthorized users.
5 If you are installing a new version of the Mac OS or adding system extensions, you will probably need to increase the size of the disk image. Make sure the image is large enough for the new system and the extensions you are installing. The only way to reduce an image's size is to revert to a smaller backup copy.
6 If you are installing a new application, you will probably need to increase the size of the applications disk image. Make sure the disk image has enough room to install the software, but do not increase an image's size more than necessary. The only way to reduce an image's size is to revert to a smaller backup copy.
7 Install the software or change the system configuration. Make sure you install the latest system software updates. If you are installing software, follow the instructions that came with it, and restart the computer if necessary. After installing software, launch it; you may be prompted to type a registration number. If you don't enter a number now, users will have to type one every time they open the application.
In addition, most applications create a preferences file in the System Folder. If you don't open the application, users will probably not be able to open it, because no preferences file will have been created beforehand.
8 Make sure the Trash contains no files you want to keep (the Trash is emptied automatically at the end of the next step).
Note: if you cannot empty the Trash because it contains files that are in use, you will probably need to restart the computer.
9 If necessary, use the Chooser to reconnect to all server volumes.
10 Open NetBoot Desktop Admin, then click Save. The computer restarts automatically. If you need to make further changes, click Quit and go back to step 7. Click Discard to throw away the changes made to the disk image.
11 Restart the NetBoot client computer, then reconnect to all of the server's volumes.
12 Open NetBoot Desktop Admin. If you want to keep a backup copy of the old disk image, leave the "Back up previous disks" option selected. Backup copies are stored in the Backup Images folder inside the Shared Images folder on the NetBoot server.
Note: because there is only one backup folder, the image saved now replaces any image backed up to that folder during a previous session.
13 If you clicked Save in step 10, click Restart. Otherwise, click OK. If you click Restart, NetBoot Desktop Admin saves your changes, deletes the old disk image, then restarts the computer. The changes are applied when a NetBoot client computer restarts.
If you click OK, NetBoot Desktop Admin deletes the old disk image.

Setting Up Multiple Mac OS 9 Images
To create multiple Mac OS 9 disk images, make copies of the preconfigured disk image you installed from the NetBoot for Mac OS 9 CD-ROM in the /Library/NetBoot/NetBootSPn directory on any server volume. Then use NetBoot Desktop Admin to modify the Mac OS 9 disk images as you wish. Use Server Admin to enable the disk images, then select the default image. See "Enabling Images" on page 39 and "Specifying the Default Image" on page 41.

Unlocking an Image
If an image is locked, you must unlock it before you can modify it.
To unlock a Network Install image:
1 Log in as the root user.
2 Select the image file and choose File > Get Info.
3 Deselect the Locked checkbox.

Creating Install Images
The following sections explain how to create images that install software on client computers over the network.

Creating an OS Install Image
To create an image that installs system software on a client computer, use Network Image Utility, which is in /Applications/Server/.
To create an OS install image:
1 Log in to the server as an administrator.
2 Open Network Image Utility and click Install.
3 In the General pane, type a name for the image you are creating.
4 Type an image ID.
Choose a number from 1 to 4095 for an image that will be available on a single server, or from 4096 to 65,535 for an image that you plan to make available on several servers but want listed only once in the client computer's Startup Disk preferences.
5 (CD-ROM source only) Choose the software's default language. This option is available only if you have inserted the CD-ROM and chosen it as the source.
Note: this is only the language used by the installed software. The installer that runs always appears in French (unless it is an automated install).
6 Decide whether the image should be delivered over NFS or HTTP. If you are not sure which to choose, use NFS.
7 In the Contents pane, choose the image source. You can choose an install CD-ROM, a mounted boot volume, or a disk image.
8 (Optional) Click the Add (+) button under the list to add applications or post-install scripts to the image.
9 In the Install Options pane, enable the "Verify destination checksum after install" option so that the installer checks the integrity of the image after it is transferred to the client but before it is installed (this applies only to images whose source is a volume).
10 To have the software installed with little or no interaction on the client computer, select the "Enable automated install" option, then click Options.
11 Click Create Image. If the Create button is not enabled, make sure you have entered a name and an ID for the image and chosen an image source.
12 In the Save As dialog, choose where to save the image.
If you don't want to use the image name you entered earlier, change it by typing a new name in the Save As field. If you are creating the image on the server that will serve it, choose a volume from the "Serve from NetBoot share point on" pop-up menu. To save the image elsewhere, choose a location from the Where pop-up menu, or click the triangle next to the Save As field and select a folder.
13 Click Save. To check progress, watch the lower-left corner of the window. If you need to insert another CD, you will be prompted. To create the image without including the contents of another CD, click Finalize when you are prompted to insert it.

Adding Software to Boot and Install Images
There are two ways to include additional software in an image:
• Add the applications and files to an existing system before creating an image that uses that system as its source (see "Creating a Mac OS X Boot Image from an Existing System" on page 24)
• Add packages containing the applications and files to an existing image (see "Creating an Application-Only Install Image" on page 33)

About Packages
If you plan to add software or other files to an image when you create it (rather than installing the applications or files on the source volume before creating the image), you must bundle the applications or files into a special file called a package. A package is a set of compressed files and other information used to install software on a computer. The contents of a package are held in a single file with the .pkg extension. The table below lists the components of a package.
Package file               Description
product.pax.gz             Files to install, compressed with gzip and archived with pax. (See the man pages for more information about gzip and pax.)
product.bom                Bill of materials: a document indicating where the files are to be installed. Used in the verification and uninstall processes.
product.info               Contains information displayed during installation.
product.sizes              Text file containing the number of files in the package.
product.tiff               Contains the package's custom icon.
product.status             Created during installation; this file reads either "installed" or "compressed".
product.location           Indicates where the package will be installed.
software_version (optional) Contains the version of the package that will be installed.

Creating Packages
To add applications or other files to an image (rather than installing them on the source volume before creating the image), use PackageMaker to create packages containing the application or files. PackageMaker is in the Utilities folder of the Mac OS X Server Administration Tools CD-ROM that comes with Mac OS X Server.
For more information about creating packages, open PackageMaker and choose PackageMaker Help, PackageMaker Release Notes, or Package Format Notes from the Help menu.
Once you have created the packages, add them to your boot or install image using Network Image Utility. See "Creating an Application-Only Install Image" on page 33 or "Adding Packages to a Boot or Install Image" on page 33.

Adding Packages to a Boot or Install Image
To include additional application or file packages in an image, add them to the image with Network Image Utility.
You can add packages when you create an image, or add them to an existing image.
To add packages to a new image you are creating with Network Image Utility, click the Add (+) button after selecting the image source in the Contents pane.
To add packages to an existing image, open Network Image Utility, click Images, and select the image in the list. Then click Edit, then the Add (+) button in the Contents pane.
In both cases, you can drag package icons from the Finder to the Other Items list in the Contents tab instead of using the Add (+) button.
Note: you cannot add metapackages to an image with Network Image Utility.
From the command line
You can also add packages to a boot or install image by modifying the image and its associated rc.cdrom.packagePath or minstallconfig.xml file in Terminal. For more information, see the system images chapter of the command-line administration guide.

Creating an Application-Only Install Image
To create an install image that contains only application software and no operating system, deselect the Include Mac OS X option in the Contents pane of Network Image Utility.
Note: you cannot use Network Image Utility to create an automated install image that contains a metapackage or several standard packages. For that, you must use Terminal commands.
For more information, see the system images chapter of the command-line administration guide.
To add packages to an image created with Network Image Utility, click the Add (+) button after selecting the image source in the Contents pane. You can drag package icons from the Finder to the Other Items list in the Contents tab instead of using the Add (+) button.

Automating Image Installation
To install Mac OS software (with any added packages) with little or no interaction from the client computer's user, use Network Image Utility to create an automated install image. Otherwise, the client computer's user must answer the installer's questions.
To set up an OS image for automated installation:
1 Open Network Image Utility and click Install.
2 Enter the usual information in the General and Contents panes.
3 In the Install Options pane, select "Enable automated install".
4 Click the Options button.
5 For an unattended install, choose the "Install on volume" option next to Target Volume and type the name of the volume on the client computer on which the software will be installed. To let the client computer's user choose the volume to install on, choose the "User selects" option.
6 To install the software on an empty disk, enable the "Erase target volume before installing" option.
7 To install without confirmation from the client computer's user, disable the "Require client user to respond to a confirmation message" option.
8 If the installed software requires a restart, select "Restart client computer after installing".

If the name you give for the install volume does not match a volume on the client computer, the user of the client computer must respond when the Installer asks for a different target volume.

An unattended install image that erases its target volume does so on any client that starts up from it. Do not make such an image the default image, and consider restricting it to known clients with address filtering (see "Restricting NetBoot clients by filtering addresses" on page 42).

From the command line
You can also set up an image for automated installation by modifying its associated minstallconfig.xml file in Terminal. For more information, see the system images chapter of the command-line administration guide.

Viewing the contents of a package
To view the contents of a package, hold down the Control key while clicking the package in a Finder window and choose Show Package Contents from the menu that appears.

Use PackageMaker (in the Utilities folder on the Mac OS X Server Administration Tools CD-ROM) to create application software packages for use with Network Install.

From the command line
You can also list the contents of a package using Terminal commands. For more information, see the system images chapter of the command-line administration guide.

Installing Mac OS updates
To use Network Install to install operating system updates on client computers, add the system update package to an install image in the same way you add any other package. See "Creating an application-only install image" on page 33.
You can download Mac OS updates from www.apple.com/support.

Chapter 3 Setting Up NetBoot Service
This chapter explains how to set up NetBoot service so that boot and install images are available to clients.

Setting up NetBoot
Follow the instructions in the following sections to set up your NetBoot server.

Setting up NetBoot service
You can use Server Admin to set up the NetBoot service of Mac OS X Server.

To set up NetBoot:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click the Settings button, then click General.
3 Click Enable next to the network ports you want to use to serve images. Enable only the ports that connect to the networks your clients are on; a port left enabled on another segment offers every host there an operating system to boot.
4 Click in the Images column of the Volume list to choose where to store images.
5 Click in the Client Data column of the Volume list for each local disk volume on which you want to store the shadow files used by Mac OS 9 clients and diskless Mac OS X clients.
6 Click Save, then click Images.
7 Click in the Default column of the Image list to select the default image.
8 Enable the images you want your clients to use, indicate whether they are available to diskless clients, and choose the protocol used to serve them. If you are not sure which protocol to use, choose NFS.
9 Click Save.
10 (Optional) Click the Filters tab to restrict clients to a known group. For details, see "Restricting NetBoot clients by filtering addresses" on page 42.

From the command line
You can also set up NetBoot service using the serveradmin command in Terminal.
See the system images chapter of the command-line administration guide.

Starting NetBoot and related services
NetBoot service uses the AFP, NFS, DHCP, Web, and TFTP services, depending on the types of client you are trying to boot (see "Network service requirements" on page 17). You can use Server Admin to start AFP, DHCP, Web, and NetBoot. NFS and TFTP start automatically.

Note: NetBoot does not start automatically after the server restarts when you enable NetBoot service in Setup Assistant during the initial installation of the server software. Only the required share points are set up.

To start NetBoot service:
1 Open Server Admin.
2 If you plan to boot Mac OS 9 clients or diskless Mac OS X clients, start AFP service. Select AFP in the Computers & Services list and click Start Service.
3 If your server provides DHCP service, make sure that service is configured and running. Otherwise, DHCP service must be provided by another server on the network. If your NetBoot server also provides DHCP service, you get better performance if you set up the server as a gateway; that is, configure your subnets to use the server's IP address as the router IP address.
4 Make sure NetBoot is enabled on a network port. Open Server Admin, select NetBoot in the Computers & Services list, and click Settings.
5 Start NetBoot service. Select NetBoot in the Computers & Services list and click Start Service.

From the command line
You can also start NetBoot and related services using commands in Terminal.
For more information, see the system images chapter of the command-line administration guide.

Enabling images
You must enable one or more images on the server so that they are available to client computers starting up via NetBoot.

To enable disk images:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click Images.
3 Click in the Enable column for each image you want clients to see.
4 Click Save.

Choosing where images are stored
You can use Server Admin to choose the volumes on the server that you want to use for storing boot and install images.

To choose volumes for storing image files:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click General.
3 In the list of volumes at the bottom of the window, click the checkbox in the Images column for each volume you want to use to store image files.
4 Click Save.

From the command line
You can also specify that a volume is to be used for storing image files using the serveradmin command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Choosing where shadow files are stored
When a diskless client starts up, temporary shadow files are stored on the server. You can use Server Admin to specify which volumes on the server are used to store these temporary files.

To use a volume for storing shadow files:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click General.
3 In the list of volumes at the bottom of the window, click the checkbox in the Client Data column for each volume you want to use to store shadow files.
4 Click Save.

Warning: Do not rename a NetBoot share point or the volume it resides on. Do not use Workgroup Manager to stop sharing a NetBoot share point unless you first deselect the share point for images and shadow files in Server Admin.

From the command line
You can also specify that a volume is to be used for storing shadow files using the serveradmin command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Using images stored on other NFS servers
You can store boot or install images on NFS servers other than the NetBoot server itself.

To store an image on a separate NFS server:
1 If you have not already done so, create the image on the NetBoot server. This creates an image folder (.nbi) for the image in /Library/NetBoot/NetBootSPn on the NetBoot server.
2 Copy the image file (.dmg) from the .nbi folder on the NetBoot server to a shared (exported) directory on the other server. Leave the .nbi folder and the other files it contains on the NetBoot server. Export the directory read-only: clients only need to read the image, and a writable export would let any host that can reach it alter the operating system every client boots from.
3 Open the NBImageInfo.plist file for the image in a text editor or in Property List Editor and set the value of the RootPath property so that it points to the new location of the image, using the syntax

host:path:image

where host is the name or IP address of the NFS server, path is the location of the image on that server, and image is the name of the image file (.dmg). If the mount point specified by path is itself bootable, you do not need to specify image. For example:
• serveur3:/Images/OSX/Jaguar:Jag_10_2.dmg points to the image file Jag_10_2.dmg in /Images/OSX/Jaguar on the host serveur3
• 172.16.12.20:/Images/OS_X/Jaguar specifies a bootable mount point on a server identified by its IP address

If the image is already on the remote server, you can create the .nbi folder on the NetBoot server by duplicating an existing .nbi folder and editing the values in its NBImageInfo.plist file.

Moving images to headless servers
Use the Export feature of Network Image Utility to move images to another server, including servers with no display or keyboard.

To copy an image to another server:
1 Open Network Image Utility and click Images.
2 Select the image in the list, click Export, and enter the destination information.
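A RootPath that is mistyped in NBImageInfo.plist is handed to every client that selects the image, so it pays to check it before the service does. The following Python script is an added example, not part of the Apple guide or of Apple's tools: it parses the host:path:image syntax from step 3 above and writes a minimal NBImageInfo.plist entry. Only the RootPath and Index keys are named on this page; the validation rules (an IPv4 literal or DNS name for host, an absolute path without "..", a bare .dmg file name for image), the rule that indexes 1 to 4095 identify a single-server image while 4096 to 65535 identify a shared one (the guide states only the shared range), and the Name and IsEnabled keys are this example's assumptions.

```python
"""Validate NBImageInfo.plist RootPath values and build a plist entry.

Added example, not from the Apple guide. Assumptions are marked below.
"""
import ipaddress
import plistlib
import re

# DNS label syntax (assumption: the guide does not say which hosts are legal).
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_root_path(root_path: str) -> dict:
    """Split 'host:path[:image]' into its parts and validate each one.

    Returns {'host', 'path', 'image'}, with image None when the mount
    point itself is bootable. Raises ValueError on malformed input.
    """
    parts = root_path.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected host:path or host:path:image, got {root_path!r}")
    host, path = parts[0], parts[1]
    image = parts[2] if len(parts) == 3 else None

    # Host must be an IPv4 literal or a DNS name. An IPv6 literal contains ':'
    # and would be broken apart by the separator, so it is rejected here.
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            raise ValueError(f"invalid NFS host {host!r}") from None

    # Path must be absolute on the NFS server and must not climb out of the
    # export with '..' (assumption: a sane export never needs that).
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"path must be absolute and free of '..': {path!r}")

    # Image, when given, is a bare .dmg file name inside path.
    if image is not None and (
        not image.endswith(".dmg") or "/" in image or image == ".dmg"
    ):
        raise ValueError(f"image must be a bare .dmg file name: {image!r}")

    return {"host": host, "path": path, "image": image}


def nbimageinfo_entry(name: str, index: int, root_path: str, shared: bool) -> dict:
    """Build the dictionary that NBImageInfo.plist holds for one image.

    shared=True means copies of this image live on several servers or disks
    and must share an Index in 4096-65535, as the guide requires. The range
    1-4095 for single-server images is an assumption.
    """
    parse_root_path(root_path)  # fail now rather than on the next client boot
    if shared and not 4096 <= index <= 65535:
        raise ValueError("shared images need an Index in 4096-65535")
    if not shared and not 1 <= index <= 4095:
        raise ValueError("single-server images need an Index in 1-4095")
    # Name and IsEnabled are assumed keys; the page names only Index and RootPath.
    return {"Name": name, "Index": index, "RootPath": root_path, "IsEnabled": True}


def write_nbimageinfo(entry: dict) -> bytes:
    """Serialize an entry as the XML plist text Property List Editor shows."""
    return plistlib.dumps(entry, fmt=plistlib.FMT_XML)


def read_nbimageinfo(data: bytes) -> dict:
    """Parse NBImageInfo.plist bytes and re-validate the RootPath inside."""
    entry = plistlib.loads(data)
    parse_root_path(entry["RootPath"])
    return entry


if __name__ == "__main__":
    # The two RootPath forms given in the guide.
    print(parse_root_path("serveur3:/Images/OSX/Jaguar:Jag_10_2.dmg"))
    print(parse_root_path("172.16.12.20:/Images/OS_X/Jaguar"))
    entry = nbimageinfo_entry(
        "Jaguar", 4096, "serveur3:/Images/OSX/Jaguar:Jag_10_2.dmg", shared=True
    )
    print(write_nbimageinfo(entry).decode())
```

Run it over the NBImageInfo.plist of each .nbi folder after editing; a ValueError points at the exact part of the RootPath that is wrong, which is easier to diagnose than a client that hangs at the NetBoot icon.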
Important: To avoid file permission problems, do not use Terminal or the Finder to copy boot or install images over the network to other servers.

Specifying the default image
The default image is the one used when you start up a client computer while holding down the N key. See "Starting up using the N key" on page 48. If you have created more than one startup disk image, you can use the NetBoot service settings in Server Admin to select the default startup image.

Important: If you have diskless clients, make their boot image the default image.

If you have more than one NetBoot server on the network, a client uses the default image on the first server that responds. There is no way to control which default image is used when several are available. For the same reason, any host on the client's network segment that answers its boot request first can supply the operating system the client boots, so keep NetBoot clients on network segments you control.

To specify the default boot image:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click Images.
3 Click the button in the Default column next to the image.
4 Click Save.

From the command line
You can also specify the default image using the serveradmin command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Setting up an image for diskless booting
You can use Server Admin to make an image available to client computers that have no local hard disk. Setting up an image for diskless booting tells the NetBoot server to allocate space for the client's shadow files.
To make an image available for diskless booting:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click Images.
3 Click the checkbox in the Diskless column next to the image in the list.
4 Click Save.

Important: If you have diskless clients, make their boot image the default image.

For help specifying where client shadow files are stored, see "Choosing where shadow files are stored" on page 39.

From the command line
You can also set up an image for diskless booting using the serveradmin command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Restricting NetBoot clients by filtering addresses
The filtering feature of NetBoot service lets you restrict access to NetBoot service based on the Ethernet hardware address (MAC address) of the client computer. A client's address is added to the filter list automatically the first time it starts up from an image on the server, and access is allowed by default, so you generally do not need to enter hardware addresses by hand.

Because addresses are added automatically, review the list before you switch to "Allow only clients listed below": every computer that booted from the server before you turned filtering on is already in it. Keep in mind also that a hardware address is easily changed on the client, so filtering keeps casual or accidental clients out but is not a substitute for controlling access to the network segment.

To restrict client access to NetBoot service:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click Filters.
3 Select "Allow only clients listed below" or "Deny only clients listed below".
4 Select "Enable NetBoot filtering".
5 Use the Add (+) and Delete (-) buttons to set up the list of client addresses.

To look up a MAC address, type the client's DNS name in the Host Name field and click the Search button. To find the hardware address of a computer running Mac OS X, look in the TCP/IP pane of the computer's Network preferences or run Apple System Profiler. On a Mac OS 9 computer, open the TCP/IP control panel and choose File > Get Info.

Modifying advanced NetBoot options
You can control other NetBoot options by running the bootpd program directly and modifying configuration parameters in NetInfo. For more information, see the bootpd "man" page.

To view the bootpd man page:
1 Open Terminal.
2 Type man bootpd.

Chapter 4 Setting Up Clients
This chapter explains how to set up client computers to start up from, or install software from, images on a server.

Managing client computers
See "Client computer requirements" on page 15 for a list of all supported Macintosh computers and the system requirements for clients using NetBoot.

Updating the Startup Disk control panel
You must replace the Startup Disk control panel on client computers running Mac OS 9 so that it can display the available NetBoot disk images. Version 9.2.6 of the Startup Disk control panel is on the NetBoot for Mac OS 9 CD-ROM (available separately).
• Drag this new version into the System Folder of each Mac OS 9 client computer that runs from its local disk.
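The address filter described under "Restricting NetBoot clients by filtering addresses" above compares hardware addresses that different tools print differently (Mac OS 9's Get Info drops leading zeros, Apple System Profiler uses colons, some inventories use dashes). The following Python model is an added example, not code from the Apple guide or from the NetBoot service: it normalizes addresses to one spelling, applies an allow-only or deny-only list the way the Filters tab does, and reports entries in the auto-populated list that are absent from your own hardware inventory, which is the check to run before switching to allow-only. The accepted address spellings, the decision rules, and the sample lists are this example's assumptions and constructed data.

```python
"""NetBoot hardware-address filter model.

Added example, not code from the Apple guide or the NetBoot service.
The address spellings accepted and the decision rules are assumptions;
the page documents only the allow-only / deny-only modes and the fact
that addresses are added to the list automatically on first boot.
"""
import re
from typing import Iterable, List

_SEPARATORS = re.compile(r"[:\-\s]+")
_OCTET = re.compile(r"^[0-9a-f]{1,2}$")


def normalize_mac(text: str) -> str:
    """Return an address as 'aa:bb:cc:dd:ee:ff'.

    Accepts 00:03:93:ab:cd:ef, 00-03-93-AB-CD-EF, 0:3:93:ab:cd:ef (octets
    printed without a leading zero, as Mac OS 9's Get Info does) and
    000393abcdef. Anything else raises ValueError, so a typo in the
    Filters list is caught instead of silently never matching.
    """
    s = text.strip().lower()
    octets = [p for p in _SEPARATORS.split(s) if p]
    if len(octets) == 1 and len(octets[0]) == 12:
        octets = [octets[0][i:i + 2] for i in range(0, 12, 2)]
    if len(octets) != 6 or not all(_OCTET.match(o) for o in octets):
        raise ValueError(f"not an Ethernet hardware address: {text!r}")
    return ":".join(o.zfill(2) for o in octets)


class NetBootFilter:
    """Allow-only or deny-only list, as on the Filters tab of Server Admin."""

    def __init__(self, mode: str, addresses: Iterable[str]) -> None:
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.addresses = {normalize_mac(a) for a in addresses}

    def permits(self, client_mac: str) -> bool:
        """True if a client with this address may be served an image."""
        listed = normalize_mac(client_mac) in self.addresses
        return listed if self.mode == "allow" else not listed


def unexpected_entries(filter_list: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Addresses the service added to the list that are not in your inventory.

    Every client that ever booted was added automatically, so run this
    against your own hardware inventory before switching to allow-only.
    """
    known = {normalize_mac(a) for a in inventory}
    return sorted(
        normalize_mac(a) for a in filter_list if normalize_mac(a) not in known
    )


if __name__ == "__main__":
    # Constructed sample data: an auto-populated list and the admin's inventory.
    auto_list = ["00:03:93:ab:cd:ef", "0:3:93:0:0:1", "00-0A-95-11-22-33"]
    inventory = ["00:03:93:AB:CD:EF", "00:0a:95:11:22:33"]
    print("review before allow-only:", unexpected_entries(auto_list, inventory))
    allow = NetBootFilter("allow", inventory)
    print(allow.permits("0-3-93-ab-cd-ef"), allow.permits("00:03:93:00:00:01"))
```

Feed unexpected_entries the addresses shown on the Filters tab (or the Clients list) and the addresses from your asset inventory; any address it returns is a computer that booted from the server without being on your books.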
Setting up diskless clients
NetBoot lets you set up client computers that have no operating system installed locally, or even no hard disk at all. These "systemless" or "diskless" clients can start up from a NetBoot server using the N key (see "Starting up using the N key" on page 48). After the client computer starts up, use the Startup Disk control panel (Mac OS 9) or preference pane (Mac OS X) to select the NetBoot disk image as that client's default startup disk. The N key is then no longer needed to start the client from the server.

Removing the operating system from client computers gives you more control over the user environment. If you force the client to start up from the server and use client management to deny access to the client computer's local hard disk, you prevent users from saving files to their local hard disk.

Selecting a NetBoot boot image (Mac OS X)
If your computer is running Mac OS X version 10.2 or later, open the Startup Disk pane of System Preferences to select a NetBoot boot image.

To select a NetBoot startup image in Mac OS X:
1 In System Preferences, select the Startup Disk pane.
2 Select the network disk image you want to use to start up the computer.
3 Click Restart.
The NetBoot icon appears, and the computer starts up from the selected image.

Selecting a NetBoot boot image (Mac OS 9)
If your computer is running Mac OS 9, open the Startup Disk control panel to select a NetBoot boot image.
Note: You must update the Startup Disk control panel on client computers that run Mac OS 9 from their local hard disk so that it displays the available NetBoot disk images. See "Updating the Startup Disk control panel" on page 45.

To select a NetBoot startup image in Mac OS 9:
1 Open the Startup Disk control panel.
2 Select the network disk image you want to use to start up the computer.
3 Click Restart in the warning dialog.
The NetBoot icon appears, and the computer starts up from the selected NetBoot disk image.

Selecting a NetBoot install image (Mac OS X)
If your computer is running Mac OS X version 10.2 or later, open the Startup Disk pane of System Preferences to select a network install image.

To select an install image from Mac OS X:
1 In System Preferences, select the Startup Disk pane.
2 Select the network disk image you want to use to start up the computer.
3 Click Restart.
The NetBoot icon appears, the computer starts up from the selected image, and the Installer runs.

Selecting a NetBoot install image (Mac OS 9)
If your computer is running Mac OS 9, open the Startup Disk control panel to select a network install image.

Note: You must update the Startup Disk control panel on client computers that run Mac OS 9 from their local hard disk so that it displays the available NetBoot disk images. See "Updating the Startup Disk control panel" on page 45.

To select an install image from Mac OS 9:
1 Open the Startup Disk control panel.
2 Select the install image you want to use to start up the computer.
3 Click Restart in the warning dialog.
The NetBoot icon appears, the computer starts up from the selected NetBoot disk image, and the Installer runs.

Starting up using the N key
Use this method to start up any supported client computer from a NetBoot disk image. When you hold down the N key, the client computer starts up from the default NetBoot disk image. If the network has more than one server, the client starts up from the default image of the first server that responds.

If you have an older client computer that requires BootP for IP addressing (a tray-loading iMac, a blue-and-white Power Mac G3, or an older computer), you must use this method to start up from a NetBoot disk image, because older models do not let you select a NetBoot startup disk image in the Startup Disk control panel or preference pane. The N key also lets you start up client computers that have no system software installed. See "Setting up diskless clients" on page 45.

To start up from a NetBoot disk image using the N key:
1 Turn on (or restart) the client computer while holding down the N key. Keep holding the N key until the NetBoot icon appears in the center of the screen (Mac OS X) or an arrow appears in the upper-left corner of the screen (Mac OS 9).
2 If a login window appears, type your name and password.
The icon of the network disk image looks like the icon of a server volume.

Chapter 5 Managing NetBoot Service
This chapter explains the day-to-day tasks to perform to make sure NetBoot service is working properly. It also includes information on balancing the load across several volumes, or across one or more servers.
Controlling and monitoring NetBoot
The following sections show how to stop NetBoot service, disable individual images, and monitor or restrict clients.

Turning off NetBoot service
The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.

To turn off NetBoot:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Stop Service.

To stop service on a specific Ethernet port, click Settings, click General, and deselect the Enable checkbox for the port.
To stop serving a particular image, click Settings, click Images, and deselect the Enable checkbox for the image.
To stop serving a particular client, click Settings, click Filters, select Enable NetBoot filtering, choose "Deny only clients listed below", and add the client's hardware address to the list.

From the command line
You can also stop NetBoot service or disable images using the serveradmin command in Terminal. For more information, see the system images chapter of the command-line administration guide.

Disabling individual boot or install images
Disabling an image prevents client computers from starting up from it.

To disable a NetBoot disk image:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click Images.
3 Deselect the checkbox in the Enable column for the image.
4 Click Save.

From the command line
You can also disable images using the serveradmin command in Terminal.
For more information, see the system images chapter of the command-line administration guide.

Viewing a list of NetBoot clients
You can use Server Admin to view a list of clients that have started up from the server.

Note: This is a cumulative list (that is, a list of every client that has ever connected), not just the clients currently connected. The time of the last boot is shown for each client.

Compare this list with your hardware inventory from time to time: an address you do not recognize means an unknown computer has booted an image from this server.

To view the list of clients:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Clients.

Checking the status of NetBoot and related services
You can use Server Admin to check the status of NetBoot service and the other services (such as NFS and TFTP) it uses.

To check the status of NetBoot service:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 To see a summary of the service status, click Overview. To view the log file, click Logs.

From the command line
You can check the status of NetBoot and related services using commands in Terminal. See the system images chapter of the command-line administration guide.

Viewing the NetBoot service log
You can use Server Admin to view a log containing diagnostic information.

To view the NetBoot service log:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Logs.

From the command line
You can view the log by displaying the contents of the log file in Terminal. For more information, see the system images chapter of the command-line administration guide.
Performance and load balancing
For good startup performance, it is essential that the NetBoot server is available to the client computer that uses it. To provide efficient and reliable NetBoot service, you can set up several redundant NetBoot servers on your network infrastructure.

Many sites using NetBoot get very acceptable response times by staggering the startup times of client computers to reduce the load on the network. In general, there is no need to start all client computers at exactly the same time; in practice, they are started early in the morning and stay on all day. You can schedule staggered startup times using the Energy Saver preference pane (Mac OS X version 10.3 or later) or control panel (Mac OS 9).

Boot images
If heavy use and simultaneous startups overload a NetBoot server and cause delays, consider adding NetBoot servers to spread the client computers' requests across several servers (load balancing). If you do add NetBoot servers, it is important to use switches in your network infrastructure: hubs are shared by nature, so they create a single shared network and can increase delays under heavy traffic.

Distributing boot images across several servers
If you set up several NetBoot servers on your network, you can place copies of a particular boot image on several servers to spread the load.
By giving the copies the same image ID in the range 4096 to 65535, you can present them to your clients as a single image and avoid confusion. Copies that share an ID must be identical; otherwise, which operating system a client receives depends on which server answers first. Compare checksums of the .dmg files after exporting, and whenever you update the image.

To distribute an image across several servers:
1 Open Network Image Utility on the server where the original image is stored.
2 Click Images (at the top of the window) and select the image in the list.
3 If the image index is 4095 or less, click Edit and assign the image an index in the range 4096 to 65535.
4 Use the Export button to place copies of the image on the other servers.
5 On each of the other servers, use Server Admin to enable the image.

Clients continue to see the image listed only once in their Startup Disk preferences, but the server that supplies its copy of the image is selected automatically according to the activity level of the individual servers.

Smaller improvements can be obtained by distributing boot images across several disks on the same server.

Distributing boot images across a server's disks
Even with a single NetBoot server, you can improve performance by distributing copies of an image across different disks on the server. By giving the copies the same image ID in the range 4096 to 65535, you can present them to your clients as a single image.

Note: Do not distribute images across different partitions of the same physical disk. This does not improve performance and may even degrade it.

To distribute an image across several disks:
1 Open Server Admin and select NetBoot in the Computers & Services list.
2 Click Settings, then click General.
3 Click in the Images column for each volume you want to use for storing images. Choose volumes on different physical disks.
4 Click Save, then click Images.
5 If the image ID in the Index column is 4095 or less, double-click the ID, type an index in the range 4096 to 65535, and save the change.
6 Open Terminal and use the cp command with root privileges to copy the image to the NetBootSPn share points on the other volumes. The -p option preserves the ownership and permissions of the .nbi folder, which avoids the permission problems that arise when images are copied by other means. For example:

sudo cp -Rp /Library/NetBoot/NetBootSP0/image.nbi /Volumes/Drive2/Library/NetBoot/NetBootSP1/image.nbi

Balancing boot image access
If you add a second NetBoot server to a network, have clients reselect their boot image in the Startup Disk control panel or preference pane. This spreads the NetBoot load across the servers. You can also force the load to be redistributed by deleting the file /var/db/bsdpd_clients from the existing NetBoot server.

Similarly, when you restore network operation after a server failure or an infrastructure failure, your clients have for a time been starting up from a reduced number of NetBoot servers. Delete the bsdpd_clients file from the servers in use so that clients can again spread themselves across all the servers.

The bsdpd_clients file on any given server contains the Ethernet MAC (Media Access Control) addresses of the computers that have selected that server as their NetBoot server. As long as a client has an entry in the bsdpd_clients file of an available server, it always starts up from that server. If that server becomes unavailable to the client, the client locates another available server and associates with it until you remove its entry (or the whole file) from that server.
If a client is registered on more than one server because a temporarily unavailable server comes back online, that client starts up from the server with the fewest registered clients.

Distributing shadow files
Clients that start up from Mac OS 9 images and those that start up from diskless Mac OS X images store temporary "shadow" files on the server. How the server distributes these shadow files depends on whether the client is booted from a diskless Mac OS X image or from a Mac OS 9 image.

Diskless Mac OS X booting
By default, NetBoot for Mac OS X clients creates a share point for client shadow files on the server's boot volume. You can change this behavior; see "Changing how Mac OS X NetBoot clients allocate shadow files" on page 26. You can use Server Admin to view this share point and to add others. The share points are named NetBootClientsn, where n is the number of the share point, numbered from zero.

Suppose the server has two disk volumes. The default shadow file directory is NetBootClients0 on the boot volume. If you use Server Admin to specify that client data is also to be stored on the second volume, that directory is named NetBootClients1. NetBoot stores the first client's shadow files on NetBootClients0, the second client's on NetBootClients1, the third client's on NetBootClients0, and so on. Likewise, with three volumes selected and eight clients: the first, fourth, and seventh clients use the first volume; the second, fifth, and eighth clients use the second volume; the third and sixth clients use the third volume.
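The rules in "Balancing boot image access" and "Distributing shadow files" above decide which server and which share point a client lands on, and therefore what deleting a bsdpd_clients file will actually change. The following Python model is an added example, not Apple code: it encodes the page's rules (a client stays with the available server whose bsdpd_clients lists it; a client listed on several available servers takes the one with the fewest registered clients; NetBootClients0, NetBootClients1, ... are assigned to successive diskless clients in rotation) so you can predict the effect of a failover or a rebalance before doing it. Two points are assumptions: a client listed nowhere joins the least-loaded available server (the page says only that it locates another available server), and ties are broken by server name. The bsdpd_clients file format is not shown on the page; here it is just a set of addresses, and the scenario at the bottom is constructed.

```python
"""Model of the NetBoot server-selection and shadow-file rules.

Added example, not Apple code. Assumptions are marked in the comments.
"""
from typing import Dict, Iterable, List, Optional, Set


class NetBootServer:
    def __init__(self, name: str, registered: Iterable[str] = ()) -> None:
        self.name = name
        self.available = True
        # Hardware addresses this server has recorded: its bsdpd_clients.
        self.registered: Set[str] = set(registered)

    def forget_clients(self) -> None:
        """Same effect as deleting /var/db/bsdpd_clients on this server."""
        self.registered.clear()


def choose_server(mac: str, servers: List[NetBootServer]) -> Optional[NetBootServer]:
    """Return the server a client with address `mac` boots from and record
    the client there, or None if no server is available."""
    up = [s for s in servers if s.available]
    if not up:
        return None
    known = [s for s in up if mac in s.registered]
    # Known on one server: stay there. Known on several: fewest clients wins.
    # Known nowhere: assumption, join the least-loaded server; name breaks ties.
    candidates = known or up
    chosen = min(candidates, key=lambda s: (len(s.registered), s.name))
    chosen.registered.add(mac)
    return chosen


def rebalance(servers: List[NetBootServer], clients: Iterable[str]) -> Dict[str, Optional[str]]:
    """Delete bsdpd_clients everywhere, then let each client reselect.

    Returns {mac: server name}; None means no server was available.
    """
    for s in servers:
        s.forget_clients()
    result: Dict[str, Optional[str]] = {}
    for mac in clients:
        chosen = choose_server(mac, servers)
        result[mac] = chosen.name if chosen else None
    return result


def shadow_share_point(boot_order: int, data_volumes: int) -> str:
    """Share point for the Nth diskless client to boot (1-based) when
    `data_volumes` volumes are selected for client data."""
    if boot_order < 1 or data_volumes < 1:
        raise ValueError("boot_order and data_volumes must be >= 1")
    return f"NetBootClients{(boot_order - 1) % data_volumes}"


if __name__ == "__main__":
    # Constructed scenario: server a served everyone while server b was down.
    a = NetBootServer("a", ["m1", "m2", "m3", "m4"])
    b = NetBootServer("b")
    print(choose_server("m1", [a, b]).name)  # a: sticky while a is available
    a.available = False
    print(choose_server("m1", [a, b]).name)  # b: failover registers m1 on b
    a.available = True
    print(choose_server("m1", [a, b]).name)  # b: listed on both, b has fewer
    print(rebalance([a, b], ["m1", "m2", "m3", "m4"]))
    print([shadow_share_point(n, 3) for n in range(1, 9)])
```

The scenario reproduces the page's warning: after server a recovers, clients m2 to m4 keep booting from a until their entries are removed, and only a rebalance (or a reselection by the users) spreads them over both servers.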
L’équilibrage de la charge est donc automatique et garantit, en général, des performances optimales. Pour empêcher le placement des fichiers masqués sur un volume particulier, utilisez l’onglet Général dans les réglages du service NetBoot dans Admin Serveur. Initialisation Mac OS 9 Par défaut, NetBoot pour Mac OS 9 crée des points de partage pour les fichiers masqués client sur le volume d’initialisation du serveur. Par exemple, si votre serveur comporte deux volumes installés, il présente deux points de partage (NetBootSP0 et NetBootSP1) et NetBoot sauvegarde la copie d’image du premier client sur NetBootSP0, la copie d’image du second client sur NetBootSP1, la copie d’image du troisième client sur NetBootSP0, et ainsi de suite. Supposons que vous partitionnez un disque de 60 Go en deux partitions : 10 Go pour le démarrage et 50 Go pour les données. Ainsi, seul le système d’exploitation et les quelques fichiers de configuration associés sont placés sur la partition de démarrage et toutes les données des utilisateurs (telles que les images masquées des clients) sur la partition de données. Après l’installation du logiciel NetBoot For 9, il existe un volume NetBootClients0 sur la partition d’initialisation et un volume NetBootClients1 sur la partition de données. Pour empêcher le placement des fichiers masqués Mac OS 9 sur un volume ou une partition spécifique, supprimez le fichier masqué /Library/NetBoot/.clients du volume, puis arrêtez et redémarrez le service NetBoot. Optimisation NetBoot avancée Vous pouvez ajuster un large éventail d’options NetBoot en exécutant le programme bootpd directement et en modifiant les paramètres de configuration dans des répertoires NetInfo spécifiques. Pour plus d’informations, consultez la page “man” relative à bootpd. 
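The server-selection rules described above (a client sticks to any available server whose bsdpd_clients file lists its MAC address, the least-loaded server wins when several list it, and clearing the file redistributes clients) as an added model, not Apple's code: the dictionary stands in for each server's /var/db/bsdpd_clients file, the MAC addresses are constructed, and, because the guide does not say how an unregistered client picks among several available servers, the model assumes it takes the least-loaded one.

```python
"""Model of NetBoot client-to-server stickiness through bsdpd_clients.

Added example, not from the Apple guide. It lets an administrator reason about
when deleting /var/db/bsdpd_clients is needed to rebalance a fleet.
"""
from typing import Dict, Optional, Set


class NetBootFleet:
    def __init__(self, server_names):
        # server name -> MAC addresses listed in that server's bsdpd_clients file
        self.registry: Dict[str, Set[str]] = {s: set() for s in server_names}
        self.available: Set[str] = set(server_names)

    def add_server(self, server: str) -> None:
        """A newly added server starts with an empty bsdpd_clients file."""
        self.registry[server] = set()
        self.available.add(server)

    def set_available(self, server: str, up: bool) -> None:
        """Mark a server as reachable or as failed; its file is kept either way."""
        if up:
            self.available.add(server)
        else:
            self.available.discard(server)

    def clear_clients_file(self, server: str) -> None:
        """Equivalent of deleting /var/db/bsdpd_clients on that server."""
        self.registry[server].clear()

    def load(self) -> Dict[str, int]:
        """Number of clients listed in each server's file."""
        return {s: len(macs) for s, macs in self.registry.items()}

    def _least_loaded(self, servers) -> str:
        # Ties are broken by name so the model is deterministic.
        return min(servers, key=lambda s: (len(self.registry[s]), s))

    def boot(self, mac: str) -> Optional[str]:
        """Return the server this client boots from, updating registrations."""
        listed = [s for s in self.available if mac in self.registry[s]]
        if listed:
            # Registered on several available servers: fewest clients wins.
            return self._least_loaded(listed)
        if not self.available:
            return None  # nothing to boot from
        # Not listed on any available server: associate with one (assumption:
        # the least-loaded available server) until its entry is removed.
        target = self._least_loaded(self.available)
        self.registry[target].add(mac)
        return target


if __name__ == "__main__":
    fleet = NetBootFleet(["srvA"])
    macs = ["00:03:93:%02x:00:01" % i for i in range(6)]  # constructed MACs
    for m in macs:
        fleet.boot(m)
    fleet.add_server("srvB")
    print("after adding srvB, still:", fleet.load())
    fleet.clear_clients_file("srvA")  # the rebalancing step from the guide
    for m in macs:
        fleet.boot(m)
    print("after clearing srvA's file:", fleet.load())
```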
To display that man page, open Terminal and type man bootpd.

6 Troubleshooting
This chapter offers solutions to common problems you may encounter when using NetBoot and Network Install.

General tips
• Make sure a DHCP service is available on your network. It can be provided by the Mac OS X Server DHCP service or by another server.
• Make sure the required services are started on the server. See "Network service requirements" on page 17. Open Server Admin and check the following:
• AFP is started when you boot Mac OS 9 clients or diskless Mac OS X clients.
• The Web service is started when you use HTTP rather than NFS to deliver images.

A NetBoot client computer won't start up
• Sometimes a computer does not start up right away because the network is heavily used by other computers. Wait a few minutes and try again.
• Make sure all cables are properly connected and that both the server and the computer are powered on.
• If you have installed memory or an expansion card in the client computer, make sure it is correctly installed.
• If the server has several Ethernet cards, or you are using several ports on a multiport Ethernet card, check whether the computers that use the same card or port can start up. If they cannot, make sure the Ethernet port configured on the server is the same one the client computer is connected to. Ethernet ports 1 and 4 on multiport cards are easy to confuse. The ports on cards preinstalled in Macintosh servers are numbered 4, 3, 2, 1 (from left to right); the numbers appear on the back of the computer.
• If the affected computer has a local hard disk with a System Folder, unplug the Ethernet cable and try starting the computer from the local hard disk. Then plug the Ethernet cable back in and try starting the computer from the network.
• Start the client computer from a local disk and check that it obtains an IP address from the DHCP server.
• On a client with no disk or no operating system, start up from a system CD-ROM and use the Startup Disk preferences to select a boot image.

You're using Macintosh Manager and a user can't log in to a NetBoot client
• Check whether the user can log in to other computers. If so, the computer the user cannot log in to may be connected to a Macintosh Manager server that has no account for that user. If there are several Macintosh Manager servers, make sure the user selected the one that holds his or her account.
• Open Macintosh Manager and make sure the user is a member of at least one workgroup.
• Open Macintosh Manager and reset the user's password.

The Create button in Network Image Utility isn't enabled
• Make sure you have entered a name and an ID for the image in the General pane.
• Make sure you have chosen a source for the image in the Contents pane.
• For an image whose source is a CD or DVD, make sure you have typed a default user name with a password of at least four characters in the Default User pane.

Controls and fields are disabled in Network Image Utility
• Click Boot or Install at the top of the window, or quit and reopen Network Image Utility.

Can't set up an image to use static booting (NetBoot version 1.0)
• Static network booting, as provided by NetBoot version 1.0, is not supported in Mac OS X Server version 10.3.

Glossary
DHCP (Dynamic Host Configuration Protocol) Protocol used to distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and requests an IP address from the DHCP server it finds. The server looks for an available IP address and sends it to the client computer along with a lease period (the period during which the client computer is allowed to use the address).
HTTP (Hypertext Transfer Protocol) Application protocol that defines the set of rules for linking and exchanging files on the Web.
disk image File that, when opened, creates an icon on a Mac OS desktop that looks and behaves like an actual disk or volume. Using NetBoot, client computers can start up over the network from a disk image on a server that contains system software.
NetBoot server Mac OS X Server on which you have installed the NetBoot software and which you have configured to allow clients to start up from disk images on the server.

Mac OS X Server
Print Service Administration
For Version 10.3 or Later
Apple Computer, Inc.
© 2003 Apple Computer, Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid support services.
Use of the logo for commercial purposes via the keyboard (Option-1) may constitute trademark infringement and/or unfair competition.
Apple, the Apple logo, AppleTalk, LaserWriter, Mac, Mac OS and Macintosh are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Rendezvous is a trademark of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
Note: Apple continually improves the performance and design of its products. Some illustrations in this manual may differ slightly from your version of the software.
F022-1323

Contents
Chapter 1 5 About Print Service
5 Overview of network printing
6 Without print service
7 With print service
8 Supported printers
9 Supported clients
10 Additional considerations
10 Load balancing with printer classes
10 Security
Chapter 2 11 Setting Up Print Service
11 Before you begin
11 Setup overview
12 Setting up the service
12 Adding a print queue
14 Choosing a default LPR queue
15 Setting the print log archive frequency
16 Advertising an LPR queue with Rendezvous
16 Listing an LPR queue in Open Directory
18 Starting print service
19 Setting up print quotas
19 How quotas work
19 Setting quotas
20 Setting print quotas for a user
21 Enforcing print quotas on a queue
22 Resetting a user's print quotas
Chapter 3 23 Setting Up Print Clients
23 About PPD files
24 Mac OS X clients
24 Adding an AppleTalk print queue in Mac OS X
24 Adding an LPR print queue in Mac OS X
26 Troubleshooting
26 Mac OS 8 and Mac OS 9 clients
26 Setting up an AppleTalk queue on Mac OS 8 or 9 clients
26 Setting up an LPR queue on Mac OS 8 or 9 clients
27 Troubleshooting
27 Windows clients
27 Troubleshooting
27 UNIX clients
Chapter 4 29 Managing Print Service
30 Managing the service
30 Checking print service status
31 Starting and stopping print service
32 Managing queues
32 Viewing print queue status
33 Stopping a print queue
34 Restarting a queue
35 Changing print queue settings
36 Renaming a queue
37 Changing the default LPR print queue
38 Deleting a queue
39 Managing print jobs
39 Monitoring a print job
40 Holding a print job
41 Resuming a print job
42 Deleting a print job
43 Managing print quotas
43 Suspending quotas on a queue
44 Managing print logs
44 Viewing print service and queue logs
45 Archiving print service logs
46 Deleting archived log files
46 CUPS logs
Chapter 5 47 Solving Problems
47 Troubleshooting print service
47 Print service doesn't start
47 Clients can't add a queue
47 Users can't print
48 Jobs in a server queue don't print
48 A queue becomes unavailable
Glossary 49
Index 51

1 About Print Service
Mac OS X Server print service helps you set up a managed printing environment on your network. You can share printers by setting up print queues for them on a server.
When a user prints to a shared queue, the print job waits on the server until the printer is available or until the scheduling criteria you have defined are met. For example, you can:
• Change the priority of waiting print jobs.
• Hold a job for printing later.
• Limit the number of pages a user can print on certain printers.
• Keep logs of printer usage.
You can use the following applications to set up and administer print service:
• Server Admin, to set up print service, set up shared queues, manage print jobs and monitor their status.
• Workgroup Manager, to set print quotas for users.
Mac OS X Server print service is based on the standard Mac OS X client printing architecture, which is itself based on CUPS (Common UNIX Printing System).

Overview of network printing
Some of the benefits of shared network printing can be had without using a server. A brief comparison of network printing with and without a server-based print service shows that such a service can make things easier for both users and the administrator.

Without print service
Making shared printers available to users is relatively simple even without a server: connect the printers to your network and let users choose the printer that best meets their needs. When a user prints a document, the resulting print job waits in a queue on the client computer until the printer is ready to accept it (the job is said to be "spooled locally"). Although this way of accessing printers is easy to set up, it has drawbacks:
• Users must make sure their print jobs have finished before shutting down their computer or, for mobile clients, disconnecting it from the network.
• Error messages from the printer (for example "out of paper" or "paper jam") go directly to the user who is printing.
[Figure: jobs spooled in queues on client computers; the client must handle the print error ("Paper jam!").]
• It is difficult for the administrator to track or control the number of pages each user prints.

With print service
To take advantage of print service, you set up queues on a server for the available printers. Users choose among these queues rather than choosing printers directly. When a user prints a document, the resulting print job moves quickly from the queue on the user's computer to the queue on the server. This way of accessing printers has advantages over plain network printing:
• Print jobs are transferred quickly from client computers to the server queue, so users can shut down or disconnect their computer after starting a print job.
• Printer error conditions are reported on the server rather than on individual client computers.
• You can easily limit and track the number of pages each user prints on each printer.
[Figure: jobs spooled in queues on the server; the server handles priorities, print errors ("Paper jam!"), quotas, holds, and job and service logs.]
• You can control when and in what order jobs are printed.

Supported printers
Mac OS X Server print service supports:
• PostScript-compatible printers connected to your network using the AppleTalk or LPR (Line Printer Remote) protocol.
• PostScript printers connected directly to the server through the USB (Universal Serial Bus) port.
Note: A non-PostScript printer connected to the USB port of a Mac OS X client computer can be shared using the Printer Sharing option in Sharing preferences, but this falls outside the scope of Mac OS X Server print service.
[Figure: Mac OS X Server connected over Ethernet to an AppleTalk PostScript printer and an LPR PostScript printer, and over USB to a PostScript printer.]

Supported clients
Any computer that uses the AppleTalk, LPR or SMB (Server Message Block) protocol can print to shared queues through Mac OS X print service. Macintosh computers can communicate with printers using AppleTalk or LPR. Windows computers support LPR and SMB. UNIX computers use LPR. For more information about printing from a particular type of client computer, see Chapter 3, "Setting Up Print Clients", on page 23.
[Figure: client computers printing to Mac OS X Server queues over LPR, AppleTalk and SMB: Mac OS X users (printers chosen in Print Center or Printer Setup Utility), Mac OS 8 and Mac OS 9 users (printers chosen with the Print Service utility), UNIX users, Windows NT and Windows 2000 users, and Windows 95, 98 and ME users.]

Additional considerations
Load balancing with printer classes
Each print service queue you set up is assigned to a single printer. CUPS (Common UNIX Printing System) supports special queues called printer classes, which are queues with several printers assigned to them. A printer class offers several advantages over single-printer queues in high-volume or high-availability printing environments:
• Print jobs are assigned to the first available printer in the class, so you can run as many print jobs simultaneously as there are printers assigned to the class.
• If a printer assigned to the class becomes unavailable for any reason, the other printers in the class continue to print the waiting jobs.
You can set up a printer class using Printers > Pool Printers in Printer Setup Utility (in /Applications/Utilities). Once the class is created, you can add and manage the resulting class queue in print service just like any other queue.
You can also create a printer class using Terminal commands. For more information, see the print service chapter in the command-line administration guide.

Security
AppleTalk and LPR print queues do not support secure authentication. Print service relies on the client to supply user information. Although standard Macintosh and Windows clients supply accurate information, a malicious user could evade print quotas by modifying the client so that it supplies false information. Windows services support authentication by requiring users to log in before using SMB printers.
CUPS, on which print service is based, supports the print job submission method called IPP (Internet Printing Protocol). Print service clients are normally set up to use AppleTalk, LPR or SMB to send their print jobs. However, clients that use IPP directly to send print jobs can bypass print service and its quotas.
Note: IPP is enabled on a Mac OS X client whenever you turn on printer sharing in Sharing preferences.

2 Setting Up Print Service
This chapter shows how to set up print queues and change print service settings using Server Admin.

Before you begin
Before setting up print service, note the protocols your clients use for printing. Print service supports the AppleTalk, LPR (Line Printer Remote) and SMB (Server Message Block) protocols.
Setup overview
Here are the main steps for setting up print service:
Step 1: Create queues for your printers
Create queues for your printers on the server using Server Admin. Users see these queues as printers. See "Adding a print queue" on page 12.
Step 2: (Optional) Set the general service settings
Use Server Admin to specify the default LPR queue and to turn on print service logs. By default there is no default LPR queue and logging is off. See "Choosing a default LPR queue" on page 14 and "Setting the print log archive frequency" on page 15.
Step 3: Start print service
Use Server Admin to start print service on the server and make the queues available to clients. See "Starting print service" on page 18.
Step 4: (Optional) Set print quotas
If you want to limit the number of pages users can print, assign print quotas to user accounts and to queues. See "Setting up print quotas" on page 19.
Step 5: Set up client computers
Add (or tell users how to add) your server's queues to the print settings on their computers. See Chapter 3, "Setting Up Print Clients", on page 23.

Setting up the service
Adding a print queue
You can share any PostScript-compatible printer for which a queue has been set up on the server. Create queues for shared printers on the server using Server Admin.
To create a shared print queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings.
3 Click Queues, then click the Add (+) button below the list.
If you don't see the Queues button, the queue settings may already be displayed. Click the Back button (left arrow in the upper-right corner).
4 Choose the protocol the printer uses from the pop-up menu.
5 For an AppleTalk printer, select the printer in the list and click OK. For an LPR printer, type the printer's IP address or DNS name and click OK. If you don't want to use the printer's default queue, first deselect "Use default queue on server", then type a queue name.
6 Type the queue name that clients should see in the Sharing Name field. This does not change the Printer Setup Utility queue name on the server.
Make sure the name is compatible with the naming restrictions imposed by your clients. For example, some LPR clients do not support names containing spaces, and some Windows clients limit names to 12 characters. Names of queues shared via LPR or SMB must contain only the characters A–Z, a–z, 0–9 and _ (underscore). AppleTalk queue names cannot exceed 32 bytes (which may be fewer than 32 typographic characters). Note that because queue names are encoded in the language used on the server, they may be unreadable on client computers that use other languages.
7 Select the protocols client computers use for printing. If you select "Windows printing (SMB)", be sure to start Windows services.
8 Select "Enforce quotas for this queue" if you want to enforce the print quotas set for users in Workgroup Manager.
9 Click Save, then click the Back button (in the upper-right corner).

Choosing a default LPR queue
You can use the print service General settings in Server Admin to specify a default LPR queue for the server. Having a default LPR queue makes printing easier for LPR clients that don't know the names of the queues on the server.
To set the default LPR queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then click General.
3 Choose the default queue from the pop-up menu.
4 Click Save.
If the queue you want to use isn't listed, it may not currently be shared via LPR.
A user can add this default LPR queue to the printer list on his or her computer without knowing the queue name by selecting "Use default queue on server" when adding the printer.
From the command line
You can also set the default LPR queue using the serveradmin command in Terminal.
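A checker for the Sharing Name rules given in step 6 above (LPR/SMB character set, the 12-character limit some Windows clients impose, and the 32-byte AppleTalk limit where bytes can be fewer than characters), as an added example that is not part of the Apple guide. The AppleTalk encoding is a parameter because the guide only says names are encoded in the server's language; Mac OS Roman is assumed as the default, and the normalisation helper is this example's own convenience, not a print service feature.

```python
"""Validate a print queue Sharing Name against the client restrictions above.

Added example, not from the Apple guide. validate_queue_name() returns a list
of (protocol, reason) tuples; an empty list means the name is usable on every
protocol listed.
"""
import re
import unicodedata
from typing import Iterable, List, Tuple

LPR_SMB_NAME = re.compile(r"^[A-Za-z0-9_]+$")   # A-Z, a-z, 0-9 and _ only
WINDOWS_MAX_CHARS = 12                           # limit some Windows clients impose
APPLETALK_MAX_BYTES = 32                         # AppleTalk limit is in bytes


def validate_queue_name(name: str, protocols: Iterable[str],
                        encoding: str = "mac_roman") -> List[Tuple[str, str]]:
    """Check one Sharing Name for the protocols it will be shared over."""
    problems: List[Tuple[str, str]] = []
    if not name:
        return [("all", "name is empty")]
    for proto in protocols:
        if proto in ("lpr", "smb"):
            if " " in name:
                problems.append((proto, "spaces are not supported by some clients"))
            elif not LPR_SMB_NAME.match(name):
                problems.append((proto, "only A-Z, a-z, 0-9 and _ are allowed"))
            if proto == "smb" and len(name) > WINDOWS_MAX_CHARS:
                problems.append((proto, "some Windows clients limit names to "
                                        f"{WINDOWS_MAX_CHARS} characters"))
        elif proto == "appletalk":
            try:
                # Byte length in the server's encoding, not the character count:
                # a multibyte encoding reaches 32 bytes with fewer characters.
                encoded = name.encode(encoding)
            except UnicodeEncodeError:
                problems.append((proto, f"name cannot be encoded in {encoding}"))
                continue
            if len(encoded) > APPLETALK_MAX_BYTES:
                problems.append((proto, f"{len(encoded)} bytes exceeds the "
                                        f"{APPLETALK_MAX_BYTES}-byte limit"))
        else:
            problems.append((proto, "unknown protocol"))
    return problems


def normalize_for_lpr_smb(name: str) -> str:
    """Derive an LPR/SMB-safe name: strip accents, replace other characters with _.

    Helper of this example only; the administrator still chooses the final name.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^A-Za-z0-9_]", "_", stripped)


if __name__ == "__main__":
    for candidate in ("Color_Laser1", "Colour Laser 1", "Imprimante Étage 2"):
        print(candidate, validate_queue_name(candidate, ["lpr", "smb", "appletalk"]),
              "->", normalize_for_lpr_smb(candidate))
```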
Pour plus d’informations, consultez le chapitre relatif au service d’impression dans le guide d’administration des lignes de commande.Chapitre 2 Configuration de Service d’impression 15 Configuration de la fréquence d’archivage de l’historique d’impression Le service d’impression tient à jour un historique général du service ainsi que des historiques individuels pour chaque file d’attente partagée. Lorsqu’un historique est archivé, les nouveaux événements sont enregistrés dans un nouveau fichier d’historique vide. Vous pouvez utiliser les réglages Consignation du service d’impression dans Admin Serveur afin de spécifier la fréquence à laquelle les historiques sont archivés. Pour configurer la fréquence d’archivage des fichiers d’historique : 1 Dans Admin Serveur, sélectionnez Impression dans la liste Ordinateurs et services. 2 Cliquez sur Réglages, puis sur Consignation. 3 Sélectionnez Archive pour l’historique que vous souhaitez enregistrer et tapez la fréquence d’archivage voulue. 4 Cliquez sur Enregistrer. Les historiques actuels et archivés se trouvent dans le répertoire /Bibliothèque/Logs/ PrintService. A partir de la ligne de commande Vous pouvez également définir la fréquence d’archivage à l’aide de la commande serveradmin dans Terminal. Pour plus d’informations, consultez le chapitre relatif au service d’impression dans le guide d’administration des lignes de commande.16 Chapitre 2 Configuration de Service d’impression Publication d’une file d’attente LPR avec Rendezvous Vous pouvez faciliter la recherche des files d’attente LPR partagées par les utilisateurs en les publiant à l’aide de Rendezvous. Pour publier une file d’attente via Rendezvous : 1 Dans Admin Serveur, sélectionnez Impression dans la liste Ordinateurs et services. 2 Cliquez sur Réglages, puis sur Files d’attente. 3 Double-cliquez sur la file d’attente que vous souhaitez publier. 4 Sous LPR dans la section Protocole, sélectionnez “Afficher le nom Rendezvous”. 
5 Click Save, then click the Back button (in the upper-right corner).

Including an LPR queue in Open Directory

You can help users find shared LPR queues by including them in Open Directory. If you include the name of the printer's PPD (PostScript Printer Description) model in the directory, users won't have to worry about which model to choose.

To include a queue in Open Directory:
1 Create the queue if you haven't already done so.
2 Open Workgroup Manager.
3 If you don't see the Inspector buttons, choose Workgroup Manager > Preferences, then select "Show Inspector and All Records tab".
4 If necessary, switch to the appropriate directory domain.
5 Click the All Records button (it looks like a target and is next to the Users, Groups, and Computers buttons).
6 Select Printers from the pop-up menu below the All Records button, then click New Record.
7 Double-click "untitled_1" next to the RecordName attribute, type the name that users should see when they look for the printer, then press Return.
8 Click New Attribute and select PrinterLPRHost from the Attribute Name pop-up menu.
9 Click in the text field, type the IP address or DNS name of the server hosting the queue, then click OK.
10 If the selected queue is not the default LPR queue on the server, click New Attribute, choose PrinterLPRQueue from the pop-up menu, type the queue name in the text field, then click OK.
11 To specify the printer model (optional), click New Attribute, choose PrinterType from the pop-up menu, then click OK.
Important: Make sure the model name you type matches the value of the *ModelName attribute in the PPD file exactly. To confirm the value of this attribute, try one of the following:
• Open Printer Setup Utility, click Add, choose IP Printing from the pop-up menu, select the manufacturer from the Printer Model pop-up menu, then look for the name in the resulting list.
• Make a copy of the PPD file, use the gunzip command in Terminal to decompress it, open it in TextEdit or another text editor, then search for "*ModelName". PPD files are located in the /Library/Printers/PPDs/Contents/Resources/fr.lproj directory.
12 Click Save.

Starting the print service

You can use Server Admin to start the print service. Once the service is started, it restarts automatically each time the server restarts.

To start the print service:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Start Service.

From the command line
You can also start the print service using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Setting Up Print Quotas

You can set up print quotas to control the number of pages each user can print on the various printers.

How quotas work

A print quota is the total number of pages that can be printed during a specified period.
Once a user has printed the number of pages specified by the quota, the user can't print again until the quota period ends and the quota is renewed automatically (or explicitly, which you can do at any time).

For each user, you can define either a single quota covering all the printers the user uses, or individual quotas for each printer. With a single quota, every printed page counts against the user's quota regardless of which printer is used. With per-queue quotas, you can set different quotas for each printer, or choose not to enforce quotas on some printers while limiting use of others.

Defining quotas

Defining print quotas has two parts:
• Define the quota and the corresponding period for each user, using Workgroup Manager.
• Configure the print service to enforce quotas on individual queues, using Server Admin.

Setting print quotas for a user

You can use Workgroup Manager to set print quotas for individual users.

To set a user's quota:
1 Open Workgroup Manager, click Accounts, then select the user.
2 Click Print.
3 To set a single quota for all queues, select All Queues, then type the number of pages and the number of days after which the quota is reset.
To set a quota for a particular queue, select Per Queue, choose the queue in the list, then type the quota and the corresponding period.
If the queue isn't in the list, click Add and replace "untitled" with the queue name. Then choose the queue in the list, type the IP address or DNS name of the server hosting the queue, then type the user's page quota and the corresponding period.
4 Click Save.

Quotas are not enforced until you enable them for specific queues in the print service, using Server Admin. See "Enforcing print quotas for a queue" on page 21.

Enforcing print quotas for a queue

Users are not subject to the print quotas defined for them in Workgroup Manager until you enable those quotas for specific queues in the print service.

To enforce quotas for a queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings.
3 In the Queues pane, select a queue and click the Edit button (below the list).
4 Select "Enforce quotas for this queue".
5 Click Save, then click the Back button (in the upper-right corner).

From the command line
You can also enable quota enforcement for a queue using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Resetting a user's print quotas

You can restart a user's quota period or change the user's page quota at any time using Workgroup Manager.
To reset quotas for a print queue:
1 Open Workgroup Manager and select the user in the list.
2 Click the Print tab and select All Queues or Per Queue.
3 To restart the quota period, click Restart Print Quota. To find out when the current period began, look just above the button.
To change the number of pages allowed during the current quota period, type a new value in the "Limit to" field.
4 Click Save.

Chapter 3  Setting Up Print Clients

This chapter explains how to set up client computers to use the printers offered by the print service.

The Mac OS X Server print service supports four basic classes of clients:
• Mac OS X clients
• Mac OS 9 and Mac OS 8 clients
• Windows clients
• UNIX clients

About PPD files

A PPD (PostScript Printer Description) file contains information specific to a particular printer model. Your users need the PPD file to take advantage of a printer's special features. Without the appropriate PPD file, they can't, for example, choose among several paper trays, use special paper sizes, or print double-sided.

PPD files for the major printers are preinstalled in Mac OS X and Mac OS X Server. To see which models are available, open Printer Setup Utility, click Add, choose IP Printing from the pop-up menu, then select a manufacturer from the Printer Model pop-up menu. If you can't find the PPD file for the printer you want to use, contact the manufacturer to obtain it.
As a last resort, try the generic PPD file, which allows basic printing operations on most printers. The appropriate PPD file must be chosen on the client computer when the print queue is added.

Mac OS X clients

To use the queues offered by a server, Mac OS X users must add the queues to their printer list using Printer Setup Utility or Print Center, just as they would add any other printer. Mac OS X supports AppleTalk and LPR printers.

Adding an AppleTalk print queue in Mac OS X

You can use Printer Setup Utility (Print Center in versions of Mac OS X before 10.3) to add print queues to a computer's printer list. These applications are generally located in the /Applications/Utilities directory.

To add an AppleTalk print queue:
1 Open Printer Setup Utility or Print Center on the client computer, then click Add.
2 Choose AppleTalk from the pop-up menu.
3 Select a queue in the list.
4 Select the printer type from the Printer Model pop-up menu. If you aren't sure of the type, use the Generic type, which meets most printing needs.
5 Click Add.

Adding an LPR print queue in Mac OS X

You can use Printer Setup Utility (Print Center in versions of Mac OS X before 10.3) to add an LPR print queue to a computer's printer list. Printer Setup Utility (or Print Center) is generally located in the /Applications/Utilities directory.
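The *ModelName check described in Chapter 2 ("Including an LPR queue in Open Directory") and the PPD files introduced above, carried out in code. This is an added Python example, not Apple's tooling: it reads a PPD (gunzipping it when needed, as the manual suggests doing in Terminal), extracts the *ModelName value, and looks for the file whose model name matches a PrinterType value character for character. The function names and the two sample PPDs it writes to a temporary directory are constructed for this example; point find_ppd_for_model at the PPD directory the manual names to run it against real files.

```python
"""Find the PPD whose *ModelName matches an Open Directory PrinterType value.

Added example, not Apple's code.  PPDs on the server may be stored plain or
gzipped; the manual's advice is to gunzip a copy and search for "*ModelName".
"""
import gzip
import os
import re
import tempfile

# A PPD keyword line looks like:  *ModelName: "HP LaserJet 4000 Series"
_MODELNAME_RE = re.compile(r'^\*ModelName:\s*"([^"]*)"', re.MULTILINE)


def read_ppd_text(path):
    """Return the PPD contents as text, gunzipping when the file is compressed
    (detected by the gzip magic bytes, not by the file extension)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    # PPDs are ASCII / ISO-8859-1; latin-1 never fails to decode.
    return raw.decode("latin-1")


def ppd_model_name(path):
    """Extract the *ModelName value from a PPD file, or None if absent."""
    match = _MODELNAME_RE.search(read_ppd_text(path))
    return match.group(1) if match else None


def find_ppd_for_model(directory, printer_type):
    """Return the file names under `directory` whose *ModelName equals
    `printer_type` exactly.  The PrinterType attribute must match the PPD
    value exactly, so no case folding or whitespace trimming is done."""
    matches = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and ppd_model_name(path) == printer_type:
            matches.append(name)
    return matches


def build_sample_ppd_dir():
    """Create a temporary directory holding two constructed sample PPDs
    (one plain, one gzipped) and return its path."""
    d = tempfile.mkdtemp(prefix="ppd_sample_")
    plain = (
        '*PPD-Adobe: "4.3"\n'
        '*ModelName: "Sample Printer 1000"\n'
        '*NickName: "Sample Printer 1000 v1.0"\n'
    )
    zipped = (
        '*PPD-Adobe: "4.3"\n'
        '*ModelName: "Sample Printer 2000 Duplex"\n'
    )
    with open(os.path.join(d, "Sample1000.ppd"), "w") as fh:
        fh.write(plain)
    with gzip.open(os.path.join(d, "Sample2000.ppd.gz"), "wb") as fh:
        fh.write(zipped.encode("latin-1"))
    return d


if __name__ == "__main__":
    sample_dir = build_sample_ppd_dir()
    for name in sorted(os.listdir(sample_dir)):
        print(name, "->", ppd_model_name(os.path.join(sample_dir, name)))
    print(find_ppd_for_model(sample_dir, "Sample Printer 2000 Duplex"))
```

Because the comparison is exact, a PrinterType value that differs only in case or trailing whitespace returns no match, which is precisely the mismatch the manual's Important note warns about.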
How you add an LPR printer depends on whether the printer is:
• Shared by IP address or DNS name only
• Published via Rendezvous
• Listed in Open Directory

To add an LPR print queue by IP address or DNS name:
1 Open Printer Setup Utility or Print Center, then click Add.
2 Choose "IP Printing" from the pop-up menu.
3 Type the DNS name or IP address of the server (not the printer's name or address) in the Printer's Address field.
To use the server's default queue, leave the "Queue Name" field empty (Printer Setup Utility) or select "Use default queue on server" (Print Center).
If you haven't set up a default LPR queue on the server, or if you want to use a different queue, type a queue name in the Queue Name field. In Print Center, first deselect "Use default queue on server".
4 Select the printer type from the Printer Model pop-up menu. If you aren't sure of the type, use the Generic PostScript model, which meets most printing needs.
5 Click Add.

If you set up your server to publish LPR print queues via Rendezvous or Open Directory, the client doesn't need to know the server address and the queue name to find an LPR queue when adding a printer.

To add an LPR print queue published via Rendezvous:
1 Open Printer Setup Utility or Print Center and click Add.
2 Choose Rendezvous from the pop-up menu.
3 Select the queue by name.
4 Select the printer type from the Printer Model pop-up menu. If you aren't sure of the type, use the Generic PostScript model, which meets most basic printing needs.
5 Click Add.

For help publishing a printer via Rendezvous, see "Publishing an LPR queue with Rendezvous" on page 16.

To add an LPR print queue listed in Open Directory:
1 Open Printer Setup Utility or Print Center and click Add.
2 Choose Open Directory from the pop-up menu.
3 Select the queue by name.
4 If the printer type isn't preselected in the Printer Model pop-up menu, select it. If you aren't sure which type to use, the Generic PostScript model meets most basic printing needs.
5 Click Add.

For help including a printer in Open Directory, see "Including an LPR queue in Open Directory" on page 16.

Troubleshooting

If a Mac OS X client has problems printing, see Chapter 5, "Solving Problems", on page 47.

Mac OS 8 and Mac OS 9 clients

To use queues shared on a server, Mac OS 8 and Mac OS 9 users must add the queues just like any other printer: through the Chooser for AppleTalk printers, or through Desktop Printer Utility for LPR printers. Desktop Printer Utility is generally located in the Apple Extras/LaserWriter Software or /Applications/Utilities directory.
Setting up an AppleTalk queue on Mac OS 8 or 9 clients

On a computer running Mac OS 8 or Mac OS 9, you can use the Chooser to set up an AppleTalk queue.

To add an AppleTalk print queue:
1 Open the Chooser.
2 Select the LaserWriter 8 icon or the icon for your printer. The LaserWriter 8 icon works well in most cases. You can also use the icon of another printer (if available) to take advantage of its special features.
3 Select the queue in the list on the right and click Create.
4 When the dialog appears, select the PPD file for the printer.
5 Close the Chooser.

Setting up an LPR queue on Mac OS 8 or 9 clients

Use Desktop Printer Utility to set up LPR printers on a computer running Mac OS 8 or Mac OS 9.

To add an LPR print queue:
1 Open Desktop Printer Utility, select Printer (LPR), then click OK.
2 In the PostScript Printer Description (PPD) File section, click Change and select the PPD file for the printer. Choose Generic if you don't know the printer type.
3 In the LPR Printer Selection section, click Change and type the server's IP address or domain name in the Printer Address field.
4 Type the name of the print queue on the server that is set up for sharing via LPR. Leave this field empty if you want to print to the default LPR queue.
5 Click Verify to confirm that the print service accepts jobs via LPR.
6 Click OK, then click Create.
7 Type a name and select a location for the desktop printer icon, then click Save.
The default name is the printer's IP address, and the default location is the Desktop.

Troubleshooting

If a Mac OS 8 or 9 client can't print, see Chapter 5, "Solving Problems", on page 47.

Windows clients

To let Windows users print by sending jobs via SMB, make sure Windows services are running and that one or more print queues are available for use via SMB. All Windows computers, including Windows 95, Windows 98, Windows Millennium (ME), and Windows XP, support network printing via SMB. Windows 2000 and Windows NT also support printing via LPR.

Note: Third-party LPR drivers are available for Windows computers that don't have built-in LPR support.

Troubleshooting

If a Windows client has problems printing, see Chapter 5, "Solving Problems", on page 47.

UNIX clients

UNIX computers support LPR for connecting to network printers without installing additional software.

Chapter 4  Managing Print Service

This chapter explains how to perform day-to-day management of the print service once it is up and running.
In general, these management tasks include:
• Checking the status of the print service
• Starting and stopping the print service
• Viewing queues
• Stopping and restarting a queue
• Changing a print queue's settings
• Renaming a queue
• Changing the default LPR queue
• Deleting a queue
• Viewing print jobs
• Holding and resuming jobs
• Deleting jobs
• Suspending print quotas
• Viewing and managing service logs

Managing the service

Checking the status of the print service

You can use Server Admin to monitor the print service on the Mac OS X server.

To check the status of the print service:
1 In Server Admin, locate the name of the server you want to monitor in the Computers & Services list, then select Print in the list of services below the server's name.
2 Click Overview to see whether the print service is running, its start time (if applicable), and the number of queues and pending print jobs.
3 Click Logs, then choose a log from the View pop-up menu to see its contents.
4 Click Queues to view the status of the queues.
5 Click Jobs to see the list of print jobs pending in each queue.

From the command line
You can also find out whether the print service is running using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Starting and stopping the print service

You can use Server Admin to start or stop the print service.
To start or stop the print service:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Start Service or Stop Service.

From the command line
You can also start and stop the print service using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Managing queues

This section explains how to perform day-to-day management of queues.

Viewing the status of print queues

You can use Server Admin to view the current status of print queues. The Queues pane shows all the queues on the server and indicates the queue name and printer type, how the printer is shared, the printing status of the queue, and the number of pending jobs.

To view the status of queues:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Queues to display the list of print queues on the server.

From the command line
You can also list queues using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Stopping a print queue

To prevent pending jobs from printing, you can use Server Admin to stop the corresponding queue. New jobs continue to be added to the queue, but they are not printed until you restart the queue.
A job that is printing is reprinted from the beginning when you restart the queue.

To stop a queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Queues to display the list of print queues on the server.
3 Select the queue you want to stop and click the Stop button (in the lower-right corner).

Restarting a queue

You can use Server Admin to restart a stopped queue and resume printing of all pending jobs.

To restart a print queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Queues to display the list of print queues on the server.
3 Select a stopped queue (look in the Status column) and click the Start button (in the lower-right corner).

Individual jobs that are on hold remain on hold. If a print job was interrupted when the queue was stopped, that job is reprinted from the beginning.

Changing a print queue's settings

You can use Server Admin to view and change the configuration of a print queue.

Note: When you change a queue's configuration, the queue may become unavailable to users, who may then have to set up their computers again to use the queue.

To change a print queue's settings:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then select the Queues tab.
3 Select the print queue you want to change, then click the Edit button (below the list).
4 Make your changes, click Save, then click the Back button (in the upper-right corner).

From the command line
You can also change queue settings using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Renaming a queue

When you add a printer in Printer Setup Utility or Print Center, the default name of the new queue is the name of the associated printer. You can change this name to help users choose the right printer, or to comply with naming conventions imposed by the protocols your clients use.

Note: If you rename a print queue that is already shared, users will have to reconfigure their computers to use the queue's new name. New jobs sent by users to the queue under the old name will not be printed.

To rename a queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then click Queues.
3 Select the print queue you want to change, then click the Edit button (below the list).
4 Type a new name in the Sharing Name field.
5 Click Save, then click the Back button (in the upper-right corner).

Changing the queue's sharing name does not change the name of the underlying queue in Printer Setup Utility or Print Center.
From the command line
You can also rename a queue using the serveradmin command in Terminal. See the print service chapter of the command-line administration guide.

Changing the default LPR print queue

Designating a default LPR queue simplifies setup for client computers. Users can choose to print to the default queue rather than entering the name of a particular queue.

To select a default queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings.
3 In the General pane, choose the queue from the "Default Queue for LPR" pop-up menu.

If the queue you want to use isn't listed, click Queues, double-click the queue in the list, then make sure the LPR protocol is enabled.

From the command line
You can also change the default LPR queue using the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Deleting a queue

When you delete a print queue, the jobs in the queue are also deleted.

Note: A job that is printing is cancelled immediately. To avoid interrupting pending print jobs while preventing new jobs from arriving, you can disable the sharing protocols in the queue settings and wait until all jobs have finished printing before deleting the queue.

To delete a queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then click Queues.
3 Select the queue and click the Delete button (at the bottom of the list).

Managing print jobs

This section explains how to perform day-to-day management of print jobs.

Monitoring a print job

You can monitor individual print jobs using Server Admin.

To view a print job:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Jobs.
3 Choose a queue from the "Jobs on Queue" pop-up menu.

Jobs are listed in order of priority and show the name of the user who submitted each job, the job name, its size, the number of sheets to be printed, the current status of the job, and the number of pages in the job (you may need to scroll to see the last column).

About page and sheet counts

The page count is the number of pages created and sent by an application. It is determined by the pagination done by the application and depends on the application's settings (such as margins or font size) as well as the Page Setup settings (such as paper size).

A user can choose to print several pages of a document on a single sheet of paper, so the page count doesn't always indicate the number of sheets used by the job. For example, a 20-page document printed at 2 pages per sheet uses only 10 sheets.

The sheet count is the amount of paper used, and it is what user print quotas are enforced against. In the example in the previous paragraph, the sheet count for a job containing a 20-page document was only 10.
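The quota behaviour explained in Chapter 2 ("Setting Up Print Quotas") and the page-versus-sheet distinction just above, modelled in code. This is an added Python example, not Apple's implementation of the print service: it charges quotas in sheets rather than pages, supports either one quota for all queues or separate per-queue quotas (a queue with no entry is unlimited), applies a quota only while "Enforce quotas for this queue" is on, renews the period automatically when it ends, and supports the explicit Restart Print Quota. The class and function names, the users and queues, and the dates are constructed for the example; the manual does not say how the real service treats a job that straddles the limit, so the assumption here is that a user may print while under the limit and is blocked once it is reached.

```python
"""Print-quota accounting as the manual describes it (added example, not
Apple's code).  A user has one quota for all queues or per-queue quotas (no
entry means no limit); quotas are charged in sheets, not pages; a queue applies
quotas only while "Enforce quotas for this queue" is on; a period renews
automatically after `days` days or explicitly (Restart Print Quota).
Assumption: a user may print while under the limit and is blocked once it is
reached; the manual doesn't say how a job straddling the limit is handled."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import math


def sheets_for_job(pages, pages_per_sheet=1):
    """Sheets used when `pages_per_sheet` pages are laid out on each sheet:
    the manual's 20-page document at 2 pages per sheet uses 10 sheets."""
    if pages < 0 or pages_per_sheet < 1:
        raise ValueError("pages must be >= 0 and pages_per_sheet >= 1")
    return math.ceil(pages / pages_per_sheet)


@dataclass
class Quota:
    """A 'Limit to' allowance of `limit` sheets per period of `days` days."""
    limit: int
    days: int
    started: date
    used: int = 0

    def __post_init__(self):
        if self.days < 1 or self.limit < 0:
            raise ValueError("days must be >= 1 and limit >= 0")

    def period_end(self):
        return self.started + timedelta(days=self.days)

    def renew_if_expired(self, today):
        """Automatic renewal: a fresh period starts once the old one has ended."""
        while today >= self.period_end():
            self.started = self.period_end()
            self.used = 0

    def restart(self, today):
        """Explicit renewal, as with Restart Print Quota in Workgroup Manager."""
        self.started = today
        self.used = 0


@dataclass
class UserQuotas:
    """Either one quota for all queues or a per-queue dict (missing = unlimited)."""
    all_queues: Quota = None
    per_queue: dict = field(default_factory=dict)

    def quota_for(self, queue):
        if self.all_queues is not None:
            return self.all_queues
        return self.per_queue.get(queue)


class PrintService:
    def __init__(self):
        self.enforcing = set()  # queues with "Enforce quotas for this queue" on
        self.users = {}         # user -> UserQuotas; unknown users unlimited (assumed)

    def set_enforce(self, queue, on):
        (self.enforcing.add if on else self.enforcing.discard)(queue)

    def submit(self, user, queue, pages, pages_per_sheet=1, today=None):
        """Try to print a job.  Returns (accepted, sheets, sheets_remaining);
        sheets_remaining is None when no quota applies on this queue."""
        today = today or date.today()
        sheets = sheets_for_job(pages, pages_per_sheet)
        quota = self.users.get(user, UserQuotas()).quota_for(queue)
        if queue not in self.enforcing or quota is None:
            return True, sheets, None
        quota.renew_if_expired(today)
        if quota.used >= quota.limit:
            return False, sheets, 0
        quota.used += sheets
        return True, sheets, max(quota.limit - quota.used, 0)


def demo():
    """Walk through a constructed scenario; returns the submit() results."""
    svc = PrintService()
    svc.users["ann"] = UserQuotas(all_queues=Quota(50, 7, date(2002, 12, 1)))
    svc.users["bob"] = UserQuotas(per_queue={"lab": Quota(5, 30, date(2002, 12, 1))})
    svc.set_enforce("lab", True)
    svc.set_enforce("plotter", True)
    d = date(2002, 12, 2)
    results = [
        svc.submit("ann", "lab", 20, pages_per_sheet=2, today=d),  # 10 sheets, 40 left
        svc.submit("ann", "lab", 40, today=d),                     # limit reached
        svc.submit("ann", "lab", 1, today=d),                      # blocked
        svc.submit("ann", "lab", 1, today=date(2002, 12, 8)),      # period renewed
        svc.submit("ann", "colour", 99, today=d),                  # queue not enforcing
        svc.submit("bob", "plotter", 3, today=d),                  # no quota on this queue
        svc.submit("bob", "lab", 5, today=d),                      # per-queue limit reached
        svc.submit("bob", "lab", 1, today=d),                      # blocked
    ]
    svc.users["bob"].quota_for("lab").restart(d)                   # admin restarts the quota
    results.append(svc.submit("bob", "lab", 1, today=d))           # 4 left
    return results
```

Running demo() shows the two enforcement gaps the manual points out: a quota defined in Workgroup Manager has no effect on a queue until enforcement is switched on for that queue, and a per-queue user has no limit at all on a queue for which no quota was entered.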
Note: The sheet count is accurate for Macintosh clients printing from applications that don't generate their own PostScript code. Jobs created by other applications or computers may not contain the information needed to calculate the sheet count accurately.

Holding a print job

When you put a print job on hold, it is not printed until you release the hold. If the job was printing, printing is cancelled and the job stays in the queue. When you resume the job, printing starts over from the beginning.

To hold a print job:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Jobs.
3 Select the queue from the pop-up menu.
4 Select a job and click the Hold button (below the list). Shift-click or Command-click to select several jobs.

Resuming a print job

When a print job has been put on hold, it is not printed until you resume it. When you resume the job, printing starts over from the beginning.

Note: If you have stopped the whole print queue, you must also restart the queue to print the job.

To resume a print job:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Jobs.
3 Select the queue from the pop-up menu.
4 Select the job and click the Start button (below the list). Shift-click or Command-click to select several jobs.

The job is printed after all other jobs in the queue that have the same priority.
Bouton Démarrer42 Chapitre 4 Gestion du service d’impression Suppression d’une tâche d’impression Vous pouvez utiliser Admin Serveur pour supprimer une tâche et empêcher son impression. Pour supprimer une tâche d’impression : 1 Dans Admin Serveur, sélectionnez Impression dans la liste Ordinateurs et services. 2 Cliquez sur Tâches. 3 Sélectionnez la file d’attente dans la liste locale. 4 Sélectionnez la tâche et cliquez sur le bouton Supprimer (sous la liste). Toute page déjà envoyée à l’imprimante continue d’être imprimée, même après la suppression de la tâche. Bouton SupprimerChapitre 4 Gestion du service d’impression 43 Gestion des quotas d’impression Cette section explique comment effectuer la gestion quotidienne des quotas d’impression. Suspension des quotas d’une file d’attente Vous pouvez utiliser Admin Serveur pour appliquer et suspendre les quotas d’impression de files d’attente spécifiques. Si vous suspendez les quotas d’une file d’attente, tous les utilisateurs peuvent imprimer sur cette file sans limitations. Pour suspendre les quotas d’une file d’attente d’impression : 1 Dans Admin Serveur, sélectionnez Impression dans la liste Ordinateurs et services. 2 Cliquez sur Réglages, puis sur Files d’attente. 3 Sélectionnez la file d’attente à modifier, puis cliquez sur Modifier. 4 Désélectionnez l’option “Appliquer les quotas pour cette file”. 5 Cliquez sur Enregistrer, puis sur le bouton Précédent (dans le coin supérieur droit). A partir de la ligne de commande Vous pouvez également désactiver les quotas à l’aide de la commande serveradmin dans Terminal. Pour plus d’informations, consultez le chapitre relatif au service d’impression dans le guide d’administration des lignes de commande.44 Chapitre 4 Gestion du service d’impression Gestion des historiques d’impression Cette section explique comment afficher et archiver les historiques du service d’impression et des files d’attente. 
Viewing print service and print queue logs

The print service keeps two kinds of log: a print service log and an individual log for each print queue. The print service log records events such as when the service started and stopped or when a queue was put on hold. The print queue logs record information such as which user submitted a job and the size of jobs.

You can view the print service logs with Server Admin.

To view the print service logs:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Logs, then choose a log from the Show pop-up menu.

The logs are in the directory /Library/Logs/PrintService. Job logs are named after their queue (for example, PrintService.mafile.job.log). Archived logs have the archive date appended (for example, PrintService.myqueue.job.log.20021231).

From the command line

You can also view the logs with the cat or tail command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Archiving print service logs

You can use Server Admin to specify how often the print service logs are archived and new logs are started.

To set the log archiving interval:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then Logging.
3 Select "Archive server log every" and type the number of days after which you want the log archived and a new one started.

The current service log file is named PrintService.server.log. Archived logs have the archive date appended (for example, PrintService.server.log.20030731 for a file archived on July 31, 2002).

4 Select "Archive job logs every" and type the archiving interval.

The archived job logs (and the current logs) are in the directory /Library/Logs/PrintService. The files are named after their queue (for example, PrintService.myqueue.job.log). Archived logs have the archive date appended (for example, PrintService.myqueue.job.log.20021231).

From the command line

You can also set the archiving interval with the serveradmin command in Terminal. For more information, see the print service chapter of the command-line administration guide.

Deleting archived log files

The print service log files are stored in the directory /Library/Logs/PrintService. You can delete files you no longer need like any other file, using the Finder. Scripts supplied with Mac OS X Server let you reclaim the disk space taken up by log files. For more information, see the print service chapter of the command-line administration guide.

From the command line

You can also delete archived log files with the rm command in Terminal. For more information, see the print service chapter of the command-line administration guide.
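As an added example (not part of Apple's guide or of Mac OS X Server's own scripts), the following POSIX shell script applies a retention cutoff to archived print service logs using only the naming convention described above (PrintService.server.log.YYYYMMDD and PrintService.<queue>.job.log.YYYYMMDD), so the current, unsuffixed logs are never touched. The directory on a real server would be /Library/Logs/PrintService; the sample directory, file names and cutoff date used here are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Apple guide): prune archived print service logs
# older than a retention cutoff, relying only on the documented naming scheme.
#   PrintService.server.log                 current service log (never removed)
#   PrintService.server.log.YYYYMMDD        archived service log
#   PrintService.<queue>.job.log            current job log (never removed)
#   PrintService.<queue>.job.log.YYYYMMDD   archived job log

# Print the YYYYMMDD suffix of an archived log name; fail for anything else
# (current logs, or a file whose suffix is not an 8-digit date).
archive_date() {
    case "$1" in
        PrintService.server.log.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        PrintService.*.job.log.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1##*.}"
}

# List archived logs in directory $1 whose date is strictly before cutoff $2
# (YYYYMMDD). The format is fixed-width, so integer comparison is chronological.
list_expired() {
    for path in "$1"/PrintService.*; do
        [ -f "$path" ] || continue
        d=$(archive_date "${path##*/}") || continue
        if [ "$d" -lt "$2" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Act on expired archives. Mode "dry" (the default) only reports; "delete" removes.
prune_expired() {
    list_expired "$1" "$2" | while IFS= read -r path; do
        if [ "${3:-dry}" = "delete" ]; then
            rm -f -- "$path"
        else
            printf 'would remove %s\n' "$path"
        fi
    done
}

# Build a constructed sample directory standing in for /Library/Logs/PrintService
# (empty files suffice, since only names are examined) and print its path.
setup_demo() {
    dir=$(mktemp -d) || return 1
    for name in PrintService.server.log PrintService.server.log.20021130 \
                PrintService.server.log.20030731 PrintService.myqueue.job.log \
                PrintService.myqueue.job.log.20021231 \
                PrintService.myqueue.job.log.20030115 \
                PrintService.myqueue.job.log.notadate; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

cleanup_demo() {
    if [ -n "$1" ]; then rm -rf -- "$1"; fi
}

# Stand-alone run: report what a 2003-01-01 cutoff would remove, then clean up.
demo_dir=$(setup_demo)
prune_expired "$demo_dir" 20030101 dry
cleanup_demo "$demo_dir"
```

Run the dry mode first and review the list before switching to delete; the script intentionally ignores any file whose name does not match the convention.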
CUPS logs

A separate set of log files is maintained by the CUPS (Common UNIX Printing System) service that the print service uses. These logs are stored in the directory /var/log/cups.

5 Troubleshooting

Troubleshooting the print service

Try the following suggestions to solve or avoid printing problems when using the print service.

The print service does not start
• Check that the server software serial number has been entered correctly and has not expired. To check the number, open Server Admin, select the server in the Computers & Services list, then click Overview. To enter a new serial number, click Settings.
• Look at the print service log for any indication of a problem. Open Server Admin, select Print in the Computers & Services list, then click Logs.

Clients cannot add a queue
• Make sure the print service is running. Open Server Admin and select Print in the Computers & Services list. If the service is not running, click Start Service.
• Make sure the queue is shared correctly. The SMB protocol is for Windows users only. LPR is a standard protocol that users of (some) Windows computers, as well as Macintosh, UNIX and other computers, can use for their print jobs.

Users cannot print
• Make sure the print service is running. Open Server Admin and select Print in the Computers & Services list. If the service is not running, click Start Service.
• Make sure the queue has been added. On Mac OS 8 or Mac OS 9 computers, use the Chooser (for AppleTalk queues) or the Desktop Printer Utility (for LPR queues) to check the printer configuration. In Mac OS X, use Printer Setup Utility or Print Center to add queues to the printer list.
• Check that the TCP/IP settings on Mac OS clients are configured correctly.
• If Windows NT 4.x clients cannot print to the server, make sure the queue does not have the same name as the TCP/IP address of the printer or server. Use the DNS host name instead of the printer or server address, and if there is none, type a queue name made up only of letters and digits.

Jobs in a server queue do not print
• Make sure neither the queue nor the jobs in it are on hold. Open Server Admin, select Print in the Computers & Services list, then click Queues and Jobs.
• Check that the printer is connected to the server or to the network the server is connected to.
• Check that the printer is turned on and that the problem is not with the printer itself (out of paper, paper jam, and so on).
• For more details, look at the print logs. Open Server Admin, select Print in the Computers & Services list, then click Logs.

The queue becomes unavailable
• If you have renamed a queue that was already shared, print jobs that users send to the old queue (the old name) will not print. Users must reconfigure their computers to print to the renamed queue.
Glossary

CUPS (Common UNIX Printing System) A cross-platform printing infrastructure based on the Internet Printing Protocol (IPP). Mac OS X Print Center, its underlying printing system, and the Mac OS X Server print service are based on CUPS. For more information, see www.cups.org.

PPD (PostScript Printer Description) file A file containing information about the capabilities of a particular printer model. The PPD file contains the commands needed to take advantage of particular features such as multiple paper trays, special paper sizes or double-sided printing. The printer model you choose when adding a printer specifies the PPD file used with the printer.

queue An ordered holding area in which items wait to be processed by the system. See also print queue.

print queue An ordered holding area in which print jobs wait for a printer to become available. The Mac OS X Server print service uses print queues on the server to simplify management.

IPP (Internet Printing Protocol) A client/server protocol for printing over the Internet. The Mac OS X printing infrastructure and the Mac OS X Server print service built on it support IPP.

LPR (Line Printer Remote) A standard protocol for printing over TCP/IP.

Rendezvous A protocol developed by Apple for the automatic discovery of computers, devices and services on IP networks. This proposed Internet standard protocol is sometimes called "ZeroConf" or "multicast DNS". For more information, see www.apple.com or www.zeroconf.org.

SMB (Server Message Block) A protocol that lets client computers access files and network services. It can be used over TCP/IP, the Internet or other protocols. Windows services use SMB to provide access to servers, printers and other network resources.

USB (Universal Serial Bus) A standard for communication between a computer and external peripherals using an inexpensive direct-connect cable.
Welcome to Panther
Discover what you can do with Mac OS X and Mac OS X applications

Apple Computer, Inc. © 2004 Apple Computer, Inc. All rights reserved.

The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option + 1) for commercial purposes without Apple's written consent may constitute trademark infringement and/or unfair competition.

Apple, the Apple logo, iLife, iMovie, iTunes, Mac and Mac OS are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder, GarageBand, iDVD, iPhoto, iPod, iSight, Panther, Safari, SnapBack and SuperDrive are trademarks of Apple Computer, Inc. .Mac is a service mark of Apple Computer, Inc.

Because Apple regularly releases new versions and updates of its software, the images shown in this manual may differ slightly from what you see on your screen.

1 Welcome to Panther

Mac OS X adapts to the way you work. Its simplicity and power let you chat with friends, organize your desktop, arrange your photo album and do dozens of other things at once, quickly and easily.

Quickly reach your favorite disks, servers and folders in Finder windows. Switch users without quitting your applications. Use iChat AV to take part in video chats with friends or colleagues.

Centered on you

Mac OS X puts you at the center of your computer, making it easy to find your files wherever they are. The column on the left of every Finder window gives you easy access to your iDisk, the network, your home folder and your other favorite folders.

For more information, search for the following topics in Help:
• Using the Finder
• Browsing your network
• Using your home folder
• Opening and saving documents
• Finding your files

To quickly find a file or folder, type its name here. Your hard disk, your iDisk, your servers and removable media such as your iPod appear in the left column of every Finder window. Keep your home folder and other favorite items in this part of the Finder window.
Use your home folder to store your documents, photos, music and more. Browse Help to find the answers to your questions.

Easier access everywhere

In Mac OS X Panther, you have the same options for reaching locations when opening and saving files in applications as you do when looking for files in the Finder.

Click the magnifying glass to choose where to search, then type the name of the file you are looking for. Double-click a file to open it. Double-click a folder to open it in its own Finder window. Click here to search again.

Finding files

Finding files in the Finder is fast and simple. Just type what you are looking for in the search field. The results appear immediately as you type.

Opening and saving

The Open and Save dialogs show the same view as the Finder, so you can reach your iDisk, the network and your other favorite folders. Click the List view or Column view button to change the view. Choose recently used locations from the pop-up menu, or use the Back and Forward buttons. Applications may include other options here.

Customizing the Finder

The Finder has many handy features that let you work the way you want. You can customize the Finder window for quick access to the files and folders you use most and the actions you perform most often.

For more information, search for the following topics in Help:
• Customizing the Finder
• Adding items to the sidebar
• Using your home folder
• Choosing labels

Select the items you use most often to show them in the Finder window. Add buttons to the toolbar for your favorite actions. For quick access to project files and your favorite folders, drag them to the left column of the Finder window. Click this button to eject a CD, DVD, iPod, server or other removable media.

Customizing your files

Use the Action pop-up menu in the toolbar to assign labels and perform other actions on files. You can customize Finder windows and labels to suit your needs.

Actions

The items in the Action pop-up menu vary according to the selected item. When you select a file, you can assign it a label, compress it or choose an application to open it. To show icon previews or item information, or to change the background color of Finder windows, choose Show View Options from the View menu. Use the Labels pane of Finder preferences to customize the label names.

Labels

Labels let you quickly identify important documents. You can customize the label names and search for files by label. You can also see labels in the Open and Save dialogs.

Working made simpler

With Mac OS X, working has never been easier, even when you are doing several things at once. When too many windows keep you from seeing clearly what you are doing, use Exposé to arrange them with a single keystroke.

For more information, search for the following topics in Help:
• Customizing Exposé
• Copying items using Exposé
• Switching between applications
• Switching users

To get to your desktop instantly, press F11. To bring the windows back, press F11 again.

Exposé

Use these shortcuts to see the windows you are working with or your desktop. To change the default Exposé shortcuts or use screen corners, open System Preferences and click Exposé. To instantly tile all your open windows, press F9. When the pointer is over a window, the window's title appears. To instantly get to the windows of the active application, press F10.

Fast user switching

Mac OS X makes it easy for several people to share one computer. Panther also lets you switch users without quitting open applications. Select this option in the Login Options pane of Accounts preferences.

Setup

To turn on fast user switching, open System Preferences and click Accounts, then Login Options.

Switching users

To change user accounts, choose the user's name from the menu at the top right of the screen, then enter that user's login password, if required. The checkmark shows that this user is logged in.

Switching

Once the password is entered, the user's desktop rotates into view.

Stay in touch

Mac OS X gives you many ways to keep in touch with friends, family and colleagues.
With iChat AV* and iSight, video conferencing is child's play, whether for a business discussion, a chat between friends or keeping in touch with your family.

* To use iChat AV, you need a .Mac or AIM account.

For more information, search for the following topics in Help:
• Using iChat AV
• Setting up your .Mac account
• Organizing your email
• Addressing messages

Click this button to add a person to your buddy list and your Address Book. Send an instant message to a group of .Mac and AIM buddies. Click here to show your video in full-screen mode. This person is available for an audio chat. Use audio chat instead of the phone. This person is available for a video chat. To see what your buddy sees, look at the picture-in-picture.

Say it with email

Use Mail to receive email from your friends and colleagues and to send them email. You will discover new ways to organize the messages you receive and to address the messages you send.

Stay organized

The Mail viewer lets you group all the messages on the same topic, or "thread". Click the first message in a thread to select the whole thread. When you select a thread, a summary of the messages in that thread appears. Click a message to open it. To see whether you have replied to a message, look for the reply icon in the status column.

Addresses

To enter an address, start typing the name of a person in your Address Book and Mail completes the address automatically. To move an address from the To field to the Cc field, simply drag it. Click an address to edit it, add it to your Address Book or choose another address.

Some people have several email addresses. Mail can flag addresses so you can be sure you are sending your messages to the right one. Use styled text and graphics in your messages.

Stay mobile

Mac OS X lets you reach your important data at any time from any computer connected to the Internet. Files stored on your iDisk* are always available, even offline, and are synchronized automatically when you are connected.

* To use iDisk, you need a .Mac account.

For more information, search for the following topics in Help:
• Setting up your iDisk
• Synchronizing your data
• Securing your computer
• Turning on FileVault

Keep your documents on your iDisk so you can use them at any time. You can use iSync to synchronize your Address Book contacts, iCal calendars and Safari bookmarks with the .Mac server. When you are connected, your iDisk synchronizes automatically so your files are always available.

Peace of mind

Whether you are on the road or at home, security is paramount. Turn on FileVault to encrypt your home folder and secure your important data. If you forget your login password, the master password lets you get to your data. If you forget both passwords, however, your data is permanently lost.

FileVault

To turn on FileVault, use Security preferences. You must then set a master password. Use Accounts preferences to turn on FileVault for the other users of your computer. For more security, select the other options that require a password to access your computer.

Protection

When FileVault is on, you work with your files in the Finder and other applications exactly as before. When you open a file, it is automatically decrypted and ready to use. Your home folder icon is replaced by the FileVault icon to show that the folder is protected.

Simpler addressing

Address Book makes it easy to keep track of information about your contacts. You can use this information to send email, fax a document or add a contact in iChat AV. You can also print your contact list so you have your address book wherever you go.

For more information, search for the following topics in Help:
• Using Address Book
• Printing your addresses
• Setting up printers
• Sending and receiving faxes

Send an email to this person or start a chat with them. Use standard directory services such as LDAP. Create groups to organize your contacts. To add contacts, drag them to the group. Find information about your contacts by typing here. Click these buttons to create a new group or add a new card to Address Book.

Printing and faxing

Print your Address Book information as a list or as mailing labels. The new built-in fax feature lets you send faxes using the fax numbers stored in your Address Book.

Printing

To keep your phone book wherever you go, print your Address Book information as a list, with pictures. You can also print mailing labels from your Address Book. Select the items you want to include in the printout. Choose to print a list or mailing labels using Avery labels.
Envoi par télécopie Vous pouvez envoyer des télécopies à vos contacts en utilisant les numéros de fax enregistrés dans votre Carnet d’adresses. Vous pouvez également recevoir des télécopies et en afficher un Aperçu.16 Visualisation optimale Aperçu est l’utilitaire de visualisation de fichiers PDF le plus rapide pour votre Mac. Quelle que soit la taille du fichier PDF, vous pouvez rechercher rapidement et facilement les informations dont vous avez besoin. Que vous affichiez les documents et les images à l’écran ou que vous les imprimiez depuis Aperçu, leur qualité sera toujours optimale. Pour plus d’informations, recherchez les rubriques suivantes dans l’aide : • Utilisation d’Aperçu • Sélection des polices à utiliser dans les documents • Création de collections de polices • Réglage des options typographiques Cliquez sur un élément des résultats de recherche pour ouvrir la page correspondante. Utilisez les outils pour copier du texte et des images dans des fichiers PDF ou rogner vos fichiers d’images. Saisissez ici le texte à rechercher dans le fichier PDF. Utilisez Aperçu pour afficher les fichiers PDF et de nombreux types de fichiers d’images. 17 Une kyrielle de polices Mac OS X met à votre disposition un remarquable assortiment de polices. Le Livre des polices et la fenêtre des polices facilitent l’installation, l’aperçu et la gestion de toutes vos polices. Saisissez ici le nom d’une police pour la retrouver facilement. Livre des polices Utilisez le Livre des polices pour installer, prévisualiser et organiser vos polices. Pour organiser vos polices, créez une collection et glissez les polices à l’intérieur. Si vous ne souhaitez pas qu’une police figure dans la fenêtre des polices, sélectionnez-la et cliquez sur Désactiver. Déplacez le curseur pour visualiser la police sélectionnée dans différentes tailles. Pour installer une police, vous pouvez doublecliquer sur son icône dans le Finder ou cliquer sur le bouton Ajouter (+) sous la colonne Police. 
Select underline, strikethrough, color, or outline shadow. If you only need to choose fonts, you can resize the Font window to show just the pop-up menus.

Font window: when working on a document, use the Font window to select fonts, styles, and the font's typographic features. You have access to the same collections you created in Font Book. You can also create new collections or add fonts to the Favorites collection. Click the Action button to select the font's typographic properties.

Getting connected

Mac OS X makes it easy to connect to your network or to the Internet. Once you're connected, applications such as Safari, iChat AV, and iTunes make using the Internet more productive and more fun.

For more information, search for the following topics in Help:
• Getting connected
• Sharing your files
• Searching the Internet
• Browsing the Internet

Use the status icons to start connections. Check the status of your connection in Network preferences. Click Network in a Finder window to find and connect to Mac, Windows, and UNIX network servers. Click here for help setting up a connection. Many Mac OS X applications use the Internet.

Sharing and browsing

Sharing your files, folders, or your Internet connection is simple and secure. Safari is the fastest and easiest-to-use web browser for the Mac.

Sharing: use Sharing preferences to turn on the network services you need, including sharing with Windows computers and Internet sharing. Shut your network off from the outside world with a personal firewall.
Click these buttons to share your Internet connection with other computers on your network and to turn on Personal Firewall protection. The address for reaching a service is shown here.

Safari: Safari displays web pages at incredible speed. Searching for websites is a snap with the built-in Google search field. Click the Add Bookmark (+) button to bookmark a web page. Tabbed browsing lets you open several web pages in the same window. Use the SnapBack buttons to return to your starting web page or to your Google search results.

Windows compatibility

Mac OS X fits seamlessly into Windows networks so you can share documents and printers. You can establish a secure connection to a Windows network over the Internet and access Microsoft Exchange servers.

For more information, search for the following topics in Help:
• Connecting to Windows computers
• Sharing your files with Windows computers
• Connecting using VPN
• Opening and saving documents

Find Windows servers and shared folders in the Finder. Many applications, such as Microsoft Word, are available for both Mac and Windows computers, so you can easily share your files. You can also use the Connect to Server dialog to access servers in the Finder. Use your iDisk to share documents with Windows users.

Connecting to Windows

Use Internet Connect to establish remote VPN connections to Windows and Cisco corporate networks. Use Mail and Address Book with Microsoft Exchange mail services. Choose Edit Configurations here to set up your VPN connection. Select this option if you use an RSA SecurID card.
Enter the information provided by your system administrator.

VPN: in Internet Connect, choose New VPN Connection from the File menu, then select L2TP over IPSec. This is the same standard used by Windows networks.

Exchange services: because Mail and Address Book are compatible with Microsoft Exchange servers, you can access the same addresses that are on an Exchange server. Select this option in Address Book preferences. In Mail preferences, create a new account and choose Exchange from the Account Type pop-up menu.

Get the most out of iLife

More and more, we use digital devices to capture the best moments of our lives. iLife makes it easy to pick out the highlights, assemble them however you like, and share them with others.

*The iTunes Music Store and some iPhoto services may not be available in your country. To use some iPhoto services, you must have a .Mac account.

For more information, search for the following topics in Help:
• Using iTunes to buy music
• Creating a slideshow with iPhoto
• Making movies with iMovie
• Producing your own DVDs

Order prints or a book, share your photos using .Mac, or display them on your desktop.* Turn your photos into a slideshow by adding music from iTunes. Create playlists to organize your music. Buy music from the iTunes Music Store.* Create your own movies using iMovie and your digital camcorder.

Photos and movies

iPhoto and iMovie let you capture your digital photos and movies and then use them to create interesting presentations and movies. Retouch your photos and zoom in to see the details.

iPhoto: create albums to organize your photos in iPhoto.
To get your images ready to share, you can retouch them and crop them to the size you want. Drag the frame to select the area to retouch or crop, or choose a standard size from the Constrain pop-up menu. Use the iMedia browsers to add video clips, photos, and music, or to prepare your own DVD for burning.

iMovie: use iMovie to assemble your footage, images, and music. You can add effects, titles, and transitions to polish your creations. Drag scenes or transitions into the timeline, then drag them again to rearrange them. Add pan-and-zoom motion to still photos with the Ken Burns effect.

Create your own music

GarageBand turns your Mac into a real recording studio with hundreds of instruments, so you can create, play, and record your own music.

Create your own DVDs

Use iDVD* to create DVDs and share the movies and slideshows you have made with your friends and family.

*To burn a DVD, your computer must have a SuperDrive. iDVD may not be installed on your computer.

GarageBand: create songs using built-in instruments, Apple Loops, and recordings of real instruments. Add your original music to your slideshows or DVD menus, burn it to CD, or use it as a soundtrack for your iMovie projects. With GarageBand you have complete control over your tracks, so you get exactly the sound you're looking for. Use an Apple Loop to start creating your very first song.

iDVD: choose a movie or photo album to start your DVD. Then customize your DVD menus for navigating your creation. When you're ready, burn a DVD. Create a slideshow using an iPhoto album and music imported from iTunes.
Create custom DVD menus using your footage, music, and photos. Click this button to burn your DVD.

Power Mac G4 (Mirrored Drive Door/FW 800) - Lower Fan
F073-0800 Rev. A
AppleCare

Replacement Instructions

Follow the instructions in this document carefully. Failure to do so could damage your equipment and void its warranty.

Note: Instructions are available online at http://www.apple.com/support/doityourself/.

Warning: During this procedure, keep small parts out of the reach of children.

Warning: There are sharp edges inside the computer. Be careful.

Tools required

The following tools are required for this procedure:
• #2 Phillips screwdriver with magnetic tip
• Small flat-blade screwdriver
• Needlenose pliers

Opening the computer

Warning: Always shut down the computer before opening it to avoid damaging its internal components or causing injury. After shutdown, internal components can be very hot. Let them cool before proceeding.

1. Place the computer on a clean, flat surface.
2. If you think the computer may be in sleep mode, press the power button on the front to wake it.
3. Shut down the computer and wait five minutes before proceeding.
4. If you have installed a security cable, remove it.
5. Disconnect all other cables connected to the computer except the power cord.
6. Touch the metal PCI access covers on the back of the computer. (Figure 1)
Important: Always do this before you touch any part or install any component inside the computer. To avoid building up static electricity, do not walk around the room until you have finished the installation and closed the computer.
7. Disconnect the power cord. (Figure 2)
Warning: Never plug in the power cord or turn on the computer while any internal or external component is not in place and the cover is open. Doing so could damage the computer or cause injury. Make sure the power cord stays unplugged until the procedure is complete and the computer is closed.
Warning: Your computer's power supply is a high-voltage component and must not be opened for any reason, even when the computer is off. If it needs service, contact your Apple reseller or an Apple Authorized Service Provider.
8. Lift the latch on the right side panel.
9. Gently lower the side panel until it lies flat. To avoid scratching the case, lay down a clean, soft cloth.
Warning: If any lights are lit on the logic board, the computer is not shut down. Close the side access panel and shut down the computer before proceeding.

Figure 1, Figure 2

Removing the fan

1. Slide off the rear cover of the optical drive carrier. (Figure 3)
2. Remove the two screws securing the carrier to the chassis. (Figure 4)

Figure 3, Figure 4

3. Slide the carrier toward the rear and rotate it so you can reach the cables on the optical drive(s).
4. Disconnect the data and power cables (P6 and P7) from the back of the optical drive(s) and remove the carrier from the computer. (Figure 5)
5. Disconnect the ATA ribbon cable from the logic board. (Figure 6)

Figure 5, Figure 6

6. Disconnect the second ATA ribbon cable from the logic board and fold it back to expose the lower fan cable connector. (Figure 7)
7. Caution: The locking tab on the fan connector is fragile. If it breaks, the connector is still usable, but handle it with care. Using a small flat-blade screwdriver, gently lift the locking tab on the fan cable while disconnecting the cable from the logic board. (Figure 8)

Figure 7, Figure 8

8. Slide the fan straight up to release it from the optical drive bracket, and remove it. (Figure 9)

Installing the replacement fan

1. Using needlenose pliers or a flat-blade screwdriver, remove the four plastic pins from the removable finger guard and the fan. (Figure 10)
2. Use the four screws supplied with the replacement fan to attach the finger guard to the replacement fan.

Figure 9, Figure 10

3. Install the replacement fan.
Caution: Insert the replacement fan (shown below) so that the cable sits underneath the fan with the cable connector facing the logic board. (The replacement fan is rotated 90° clockwise relative to the original fan.) Make sure no cables are in the way or at risk of being pinched during installation. Align the fan with the three latches on the optical drive bracket and slide it straight down until it snaps into place. (Figure 11)
Note: Route the fan cable under the ribbon cable and over the narrower flexible cable, as shown in the illustration. (Figure 12)
4. Connect the ATA ribbon cable to the logic board.

Figure 11, Figure 12

5. Reinstall the optical drive carrier.
Note: Before reinstalling the carrier on its bracket, make sure the power cable bundle runs through the channel provided for it on the side panel. (Figure 13)
Note: As you slide the carrier onto its bracket, make sure the latch under the carrier engages the notch in the bracket. (Figure 14)
Connect the cables to the optical drive. (Figure 15)

Figure 13, Figure 14, Figure 15

Note: Before reinstalling the rear cover, make sure its upper edge fits over the upper edge of the optical drive carrier. (Figure 16)
Caution: Be careful not to pinch the power cable between the panel and the carrier.
Install the two optical drive carrier screws.

Figure 16

Closing the computer

1. Make sure you have reinstalled all screws and that all internal cables are connected.
2. Raise the side access panel, lift the latch, and press the panel against the case until it snaps into place.
3. Reconnect all cables and start up the computer.
Warning: Never turn on the computer while any internal or external component is not in place and the cover is open. Doing so could damage the computer or cause injury.

Apple Computer, Inc.
© 2003 Apple Computer, Inc. All rights reserved. This manual is protected by the French law of 11 March 1957 on literary and artistic property, as supplemented by the law of 3 July 1985 and by all applicable international copyright conventions. Under these laws and conventions, no reproduction of this manual, in whole or in part, is permitted without the prior written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-I) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and/or unfair competition. Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for reproduction or printing errors.

Apple Computer, Inc.
1 Infinite Loop
Cupertino, CA 95014-2084
USA
+1 408 996 1010
http://www.apple.com

Apple, the Apple logo, Mac, Macintosh, and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Power Mac is a trademark of Apple Computer, Inc.

What's New in Motion 3

This document describes the new features and improvements in Motion 3. To learn more about these features and how to use them, see the Motion User Manual and the Motion Supplemental Documentation, both available from the Motion Help menu.
3D

Motion 3 now supports a multiplane, three-dimensional compositing environment that lets you create sophisticated 3D motion graphics with depth and new levels of realism. In the Motion 3D workspace you can:
• add and animate cameras, images, and text along three-dimensional paths;
• create particle systems and replicators with height, width, and depth;
• apply behaviors such as Throw, Spin, and Vortex in 3D space;
• apply new camera behaviors that automate sweeping pans and impressive zooms;
• stylize projects with a mix of blend modes and scene lights.

Match moving and stabilization

With the new motion tracking behaviors, you can stabilize handheld camera shots, match the individual points of a shape or mask to the background, and more. The new motion tracking behaviors include:
• Match Move behavior: apply tracking data from one element in the Canvas to another, "locking" them together. For example, you can match a logo image file to the background video of an advertising screen so that the logo appears superimposed on the screen even as the camera moves. You can also apply the transform data of an animated source object to a destination object without performing an analysis; the destination object then moves the same way as the source object.
• Stabilize behavior: analyze a movie or image sequence with the Stabilize behavior to remove unwanted motion. Use the Stabilize behavior to smooth handheld shots.
• Unstabilize behavior: restore the motion of a shot that has already been stabilized.
This behavior is useful when you have stabilized a video shot in order to add a foreground effect, but want to restore the camera motion for the final composite. After you finish working on the foreground effects, use the Unstabilize behavior to reapply the original motion data to both the original background element and the new foreground elements.
• Track Points behavior: match the control points of a shape or mask (including paint strokes) to moving elements in a shot. For example, you can draw a mask around a car in a shot, then match the mask's control points to the edges of the moving car, isolating it from the rest of the shot. You can then apply effects to the isolated car without affecting the surrounding areas of the shot. The Track Points behavior also lets you apply existing tracking data recorded by the Analyze Motion, Match Move, or Stabilize tracking behaviors to the control points of a shape or mask.
• Track Parameter behavior: match a filter parameter to a single point in a shot. For example, you can make the center point of an applied Light Rays filter follow a moving light in a shot. In this case the tracking data is applied to a single parameter of the filter (the Center parameter) rather than to the filter as a whole.

Paint

Motion lets you design paint-effect elements using custom brushes and vector-based strokes that render in 3D space. You can create animated brush strokes that respond to pressure, tilt, and speed when you use a graphics tablet.
You can also design custom brushes using colors, gradients, text, images, and QuickTime movies. There are two new paint features in Motion:
• Paint strokes: you can create a shape by "painting" a stroke in the Canvas with the Paint Stroke tool in the toolbar, or by modifying the outline of an existing shape. Instead of drawing the shape point by point (as with a Bezier or B-Spline shape), the Paint Stroke tool lets you use a stylus and graphics tablet (or a mouse) to draw a paint stroke. In addition to sharing their outline parameters with other shapes, paint strokes have unique tools that let you modify the look of the brush stroke and create particle-like effects along a stroke. Use the Write On feature to record a stroke so that it is drawn on the Canvas over time.
• Sequence Paint: this new behavior lets you animate the individual dabs of a paint stroke in sequence over time. With the Sequence Paint behavior, you can customize a paint stroke so that it fades in, fades out, rotates, shrinks, or grows over time.

Final Cut Pro integration

Motion now offers tighter integration with Final Cut Pro 6. Send clips from the Final Cut Pro Timeline to Motion and keep more project information than ever before. Send Timeline information such as cuts, layers, and basic animation parameters. Send SmoothCam clips from Final Cut Pro to Motion without having to reanalyze the clip. You can also send retiming data from Final Cut Pro to Motion for further editing.
• You can add animations created in Motion directly to your Final Cut Pro sequence without rendering.
• You can see changes made to your Motion project immediately in your Final Cut Pro sequence.
• Create new Motion projects based on a selection of clips or a sequence from Final Cut Pro. You can use this feature to create an animation sequence in Final Cut Pro and then refine it in Motion. The new Motion project can be embedded in your Final Cut Pro sequence.

Final Cut Pro templates

You can now set up templates in Motion and use them as masters in Final Cut Pro, so that changes made to a single project produce multiple Final Cut Pro projects and sequences. Edit the text of Motion templates directly in Final Cut Pro while preserving their layout, formatting, and animation. Drop zones created in Motion projects carry over into Final Cut Pro so that content can be replaced easily.
• You can create templates in Motion for use directly in Final Cut Pro.
• Edit master templates in sequences and customize parameters such as text and video in drop zones. You can globally change the appearance of all template clips within your project by editing the original Motion template file.

Audio behaviors

New behaviors in Motion let you generate audio-driven animations. Use the Audio parameter behavior to trigger and animate parameters based on audio amplitude or waveform transients. For example, make a particle system pulse to the beat of a piece of music, or have the bass amplitude of an audio track drive an object's opacity.
You can also change the threshold and frequency at any time without having to recalculate expressions or keyframes.
• Audio Auto Pan: automates the most commonly used pan effects on an audio track. You can animate a car moving from right to left and have the project's sound move from right to left as well.
• Audio Fade In/Fade Out: automates the most commonly used fade in/fade out effects on an audio track.
• Audio Parameter: analyzes a characteristic property of an audio track, then applies an animation curve to an object's parameter based on the resulting analysis.

Retiming behaviors

The new retiming behaviors in Motion let you create clean, precise speed changes in your video clips. The new retiming behaviors let you speed up or slow down a clip, apply a strobe effect, loop it, add random flash frames or glitches, or reverse it. The Set Speed behavior gives you precise control over the variable speed applied to a clip. You also have access to retiming data from Final Cut Pro, and you can use classic keyframes for variable-speed effects.

Advanced Keyframe Editor

With the new advanced tools in the Keyframe Editor, you can create keyframed animations faster and more precisely. Use keyboard shortcuts to display only the animation curves you need.
• Sketch tool: drag an intuitive pen tool to draw animation curves in the Keyframe Editor, creating keyframes as you go for any type of parameter.
• Box tool: drag this tool to select multiple keyframes, then drag, stretch, or reposition them by adjusting the onscreen handles.

Copyright © 2007 Apple Inc. All rights reserved. Apple, the Apple logo, Final Cut, Final Cut Pro, Final Cut Studio, and QuickTime are trademarks of Apple Inc., registered in the U.S. and other countries. Other company and product names mentioned herein are trademarks of their respective companies.

Mac OS X Server
Windows Services Administration
For Version 10.3 or Later

Apple Computer, Inc.
© 2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or typographical errors. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-G) for commercial purposes may constitute trademark infringement and/or unfair competition. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc., registered in the U.S. and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation.

Note: Apple continually improves the performance and design of its products. Some illustrations in this manual may differ slightly from your version of the software.

F022-1328

Contents

Preface: About This Guide
  Using This Guide
  For More Information

Chapter 1: Overview of Windows Services
  Providing a PDC for Domain Login
  Providing Home Directories and Roaming User Profiles
  Joining a PDC as a Domain Member
  Providing File, Print, Browsing, and Name Resolution Services
  Providing VPN Service
  Tools for Managing Windows Services
  Server Admin
  Workgroup Manager
  Command-Line Utilities

Chapter 2: Setting Up Windows Services
  Before You Set Up Windows Services
  For Optimal Cross-Platform Compatibility
  Validating Windows User Passwords
  Setting the Server's Role and Identity for Windows Services
  Setting Up a Standalone Windows Services Server
  Setting Up a Server as a Windows Domain Member
  Setting Up a Server as a Primary Domain Controller
  Changing Windows Services Access Settings
  Changing Windows Services Logging Settings
  Changing Windows Services Advanced Settings
  Starting Windows Services
  Setting Up a Print Queue for SMB Sharing
  Managing Windows Client Computers
  Setting Up Windows Clients for TCP/IP Networking
  Connecting to File Service from Windows
  Connecting to the Server by Name or Address in Windows 95, 98, or ME
  Connecting to the Server by Name or Address in Windows XP
  Setting Up Windows Clients for Print Service

Chapter 3: Administering Windows Users, Groups, Computers, and Share Points
  Setup Overview
  Managing Accounts for Windows Users
  Where Windows User Accounts Are Stored
  Creating Windows User Accounts in the Primary Domain Controller
  Creating Windows User Accounts in a Read/Write Directory Domain
  Editing Windows User Accounts
  Working with Basic Settings for Users
  Working with Windows Settings for Users
  Working with Advanced Settings for Users
  Providing Secure Authentication Services for Windows Users
  Working with Group Settings for Users
  Setting Up a Home Directory for a Windows User
  Working with Mail Settings for Users
  Working with Print Settings for Users
  Defining a Guest User
  Deleting a Windows User Account
  Disabling a Windows User Account
  Managing Groups for Windows Users
  Working with Group Folder Settings for Windows Groups
  Managing Windows Workstations in the Windows Computers Account
  Adding Computers to the Windows Computers Account
  Removing Computers from the Windows Computers Account
  Editing Information About a Computer in the Windows Computers Account
  Moving a Windows Computer to a Different Computer Account
  Deleting the Windows Computers Account
  Managing SMB Share Points
  Opportunistic Locking (oplocks)
  Strict Locking
  Creating an SMB Share Point and Setting Permissions
  Changing Windows (SMB) Settings for a Share Point
  Managing Share Points

Chapter 4: Migrating Users from a Windows Server to Mac OS X Server

Chapter 5: Managing Windows Services
  Starting and Stopping Windows Services
  Starting Windows Services
  Stopping Windows Services
  Monitoring Windows Services
  Viewing Windows Services Status
  Viewing Windows Services Logs
  Viewing Windows Services Connections
  Viewing Windows Services Graphs
  Disconnecting Windows Users
  Changing the Server's Windows Identity
  Changing the Server's Windows Computer Name
  Changing the Server's Windows Domain
  Changing the Server's Windows Workgroup
  Managing Access to Windows Services
  Allowing Guest Access to Windows Services
  Limiting the Number of Connected Windows Clients
  Managing Logging for Windows Services
  Managing Advanced Windows Services Settings
  Changing the Windows Code Page
  Enabling Windows Domain Browsing
  Registering with a WINS Server

Chapter 6: Solving Problems with Windows Services
  Problems with a Primary Domain Controller
  User Can't Log In to the Windows Domain
  Windows User Has No Home Directory
  Windows User's Profile Settings Revert to Defaults
  Windows User Loses Contents of the My Documents Folder
  Problems with Windows File Service
  User Can't Authenticate for Windows File Service
  User Doesn't See the Windows Server in Network Neighborhood
  General Problems with File Services
  Problems with Windows Print Service
  Windows Users Can't Print
  General Problems with Print Services

Glossary

Index

Preface: About This Guide

This guide describes the services that Mac OS X Server can provide to users of Windows computers and explains how to set up your server to provide Windows services. Here is a summary of what each chapter contains:
• Chapter 1, "Overview of Windows Services," highlights some important concepts and introduces the tools used to manage Windows services.
• Chapter 2, "Setting Up Windows Services," explains how to set up Mac OS X Server as a standalone Windows services provider, a Windows domain member, or a primary domain controller (PDC). Standalone Windows services include file service, print service, WINS (Windows Internet Naming Service), and Windows domain browsing service.
• Chapter 3, "Administering Windows Users, Groups, Computers, and Share Points," explains how to set up and manage accounts for Windows users, groups, and computers (workstations).
• Chapter 4, "Migrating Users from a Windows Server to Mac OS X Server," explains how to migrate user and group information from a Windows NT server to a Mac OS X Server computer.
• Chapter 5, "Managing Windows Services," describes how to start and stop Windows services, monitor them, and manage their settings.
• Chapter 6, "Solving Problems with Windows Services," helps you handle common problems that occur with a PDC, with Windows file service, and with Windows print service.
• The glossary defines terms used in this guide.

Using This Guide

The chapters of this guide are arranged in the order in which you will probably need them when setting up Mac OS X Server to provide Windows services.
• Read Chapter 1 to become familiar with the Windows services that Mac OS X Server provides and with the programs you need to set up and manage those services. Chapter 1 also contains information about the tools for managing Windows services.
• Follow the instructions in Chapter 2 to set up Windows services with default settings.
• Read Chapter 3 when you're ready to set up or manage accounts for Windows users, groups, or computers. This chapter covers setting up home directories and roaming user profiles.
• Read Chapter 4 if you need to migrate user accounts from Windows NT servers to Mac OS X Server.
• Use the instructions in Chapter 5 if you need to monitor Windows services, manage access to them, manage their logs, or change their advanced settings.
• Consult Chapter 6 if you run into problems with Windows services.

Additional Information

Mac OS X Server comes with a suite of guides that describe other services and provide instructions for setting up, managing, and troubleshooting them. Most of these documents are on the server discs as PDF files. All of them are available in PDF format on the website www.apple.com/server/documentation.

This guide: Tells you how to
Mac OS X Server Getting Started for Version 10.3 or Later: understand the features of Mac OS X Server version 10.3 and prepare your server.
Mac OS X Server Migration for Version 10.3 or Later: reuse on Mac OS X Server version 10.3 the data and service settings currently in use on earlier versions of the server.
Mac OS X Server User Management for Version 10.3 or Later: create and manage user, group, and computer accounts. Set up managed preferences for Mac OS 9 and Mac OS X clients.
Mac OS X Server File Services Administration for Version 10.3 or Later: share selected server volumes or folders among server clients using the following protocols: AFP, NFS, FTP, and SMB.
Mac OS X Server Print Service Administration for Version 10.3 or Later: host shared printers and manage their associated queues and print jobs.
Mac OS X Server System Image Administration for Version 10.3 or Later: create disk images and set up the server so that other Macintosh computers can start up from those images over the network. This guide covers NetBoot and Network Install.
Mac OS X Server Mail Service Administration for Version 10.3 or Later: install, set up, and administer mail services on the server.
Mac OS X Server Web Technologies Administration for Version 10.3 or Later: set up and manage a web server, including WebDAV, WebMail, and web modules.
Mac OS X Server Network Services Administration for Version 10.3 or Later: install, set up, and administer DHCP, DNS, IP firewall, NAT, and VPN services on the server.
Mac OS X Server Open Directory Administration for Version 10.3 or Later: manage directory and authentication services.
Mac OS X Server QuickTime Streaming Server Administration for Version 10.3 or Later: set up and manage QuickTime streaming services.
Mac OS X Server Java Application Server Administration: deploy and manage J2EE applications using a JBoss application server on Mac OS X Server.
Mac OS X Server Command-Line Administration for Version 10.3 or Later: use commands and configuration files to perform server administration tasks from the UNIX command-line shell.

For more information, consult the following resources:
• Read Me files contain important updates and special information. Look for them on the Mac OS X Server discs.
• Online help, available from the Help menu in all the server applications, provides instructions for all administration tasks as well as late-breaking news and updates available on the web.
• The AppleCare Support web pages and Knowledge Base provide answers to common questions and the latest information. They are available at the following website: www.info.apple.com/ (in English)
• Apple Training offers courses for technical coordinators and system administrators. For a course catalog, visit the following website: train.apple.com/
• Discussion groups and mailing lists put you in touch with other server administrators who may already have found solutions to the problems you encounter. To find discussion groups and mailing lists, visit the following websites: discussions.info.apple.com/ www.lists.apple.com/
• The Samba website contains information about the open source software on which the Windows services of Mac OS X Server are based. Visit the Samba website at www.samba.org

Chapter 1
Overview of Windows Services

Windows services include a primary domain controller, SMB file and print services, Windows domain browsing, name resolution, and VPN.
Mac OS X Server can provide a variety of services to users of Microsoft Windows 95, 98, ME (Millennium Edition), XP, NT 4.0, and 2000.
• File service lets Windows clients connect to the server using the Server Message Block (SMB) protocol over a TCP/IP network.
• Print services use SMB to let Windows clients print to PostScript printers on the network.
• Windows Internet Naming Service (WINS) lets Windows clients perform name/address resolution across multiple subnets.
• Domain browsing lets Windows clients look for available servers across subnets.
• Virtual private networks (VPNs) let Windows clients connect securely to Mac OS X Server when they are not on the local network.
• The primary domain controller (PDC) provides:
  • Domain login from Windows NT 4.x, Windows 2000, and Windows XP workstations.
  • The ability for users to change their password during login.
  • Login with the same user account on Mac OS X computers and Windows computers.
  • Storage of roaming user profiles on a Mac OS X Server computer.
  • Network home directories on a Mac OS X Server computer.
  • User-level security for Windows 95, 98, and ME clients.
By providing these services, Mac OS X Server can replace Windows NT servers in small workgroups.

Windows services settings are grouped together in Workgroup Manager and Server Admin, which makes them easy to find. The settings are also designed to be familiar to experienced Windows administrators.

The Windows services in Mac OS X Server are based on Samba 3, an open source SMB/CIFS server. For more information about Samba, visit the Samba website at www.samba.org

Providing a PDC for Domain Login

Setting up your Mac OS X Server as a Windows primary domain controller (PDC) enables domain login for the Windows users on your network. Instead of logging in with a user name and password defined locally on each workstation, each user can log in with a user name and password defined on the PDC.

A PDC gives each Windows user a user name and password for logging in from any Windows workstation on the network. Users need only one account on Mac OS X Server to log in to Windows workstations and to Mac OS X computers. The same user name and password work for Windows domain login and for Mac OS X login. Users can change their password while logging in to the Windows domain.

Before you can set up Mac OS X Server as a PDC, you must set up the server as an Open Directory master. The PDC uses the user and computer information stored in the LDAP directory of the Open Directory master. You can set up an Open Directory master and a PDC when you use Server Assistant after installing Mac OS X Server. You can also use Server Admin after installation to set up an Open Directory master and a PDC.

Be careful to set up only one Mac OS X Server computer as a PDC on your network. The network can have several Open Directory masters, but only one PDC.

Providing Home Directories and Roaming User Profiles

Setting up your Mac OS X Server computer as a Windows PDC lets it host home directories and roaming user profiles for Windows users. Alternatively, another Mac OS X Server computer can host the home directories and roaming user profiles.

Each Windows user who logs in to the PDC has a network home directory. If a user puts files or folders in the home directory, the user can access them, after logging in to the PDC, from any Windows workstation connected to the PDC. The user can also access the contents of the home directory after logging in to a Mac OS X computer. The user has the same network home directory whether logging in to a Windows computer or to a Mac OS X computer.

A user's network home directory is located on a share point on a Mac OS X Server computer. A setting in the user account specifies the share point of the home directory. You can manage home directories using Workgroup Manager.

With roaming profiles, each user has the same profile when logging in to the domain from any Windows workstation on the network. A roaming profile stores a Windows user's preference settings (screen saver, colors, background, sounds, web cookies, and so on) on a share point on a Mac OS X Server computer. A user's roaming profile is stored by default in a predetermined folder on the PDC.

Joining a PDC as a Domain Member

If you have more than one server running Mac OS X Server on your network, you can set up one as the PDC and set up the others to provide additional Windows services. It is essential that only one PDC exist on the network. The other servers must join the Windows domain of the PDC so they can use the PDC for user authentication. Home directories and profiles for Windows users can be located on share points of servers that are members of the Windows domain.

Providing File, Print, Browsing, and Name Resolution Services

Whether or not you set up a PDC, you can set up Mac OS X Server to provide other services to Windows users. Starting Windows services on Mac OS X Server lets it provide access to share points using the standard Windows file service protocol, Server Message Block (SMB). Windows services also let Mac OS X Server provide SMB access to print queues set up for PostScript printers.

You can also set up Mac OS X Server to provide WINS name resolution services to Windows clients, or to register with an existing WINS server on the network. Mac OS X Server can also provide network browsing service as the workgroup master browser or the domain master browser for Windows clients.

Providing VPN Service

A Mac OS X Server virtual private network (VPN) can include both Windows workstations and Mac OS X computers. The workstations connect to the server over a private, encrypted data link, simulating a local connection as if the remote computer were attached to the local network.

The Mac OS X Server VPN uses Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. MS-CHAPv2 is also the standard Windows authentication scheme for VPN. You can set up VPN service in Mac OS X Server to use the standard Windows protocol for encrypted transport of VPN data, Point-to-Point Tunneling Protocol (PPTP). You can also set up Mac OS X Server VPN service to use an additional protocol, L2TP/IPSec (Layer Two Tunneling Protocol, Secure Internet Protocol). For more information and setup instructions, see the VPN chapter of the network services administration guide.

Tools for Managing Windows Services

The Workgroup Manager and Server Admin applications provide a graphical interface for managing Windows services in Mac OS X Server. You can also manage Windows services from the command line in Terminal.

Server Admin

Server Admin lets you:
• Set up Mac OS X Server as a PDC, as a Windows domain member, or for standalone Windows services. For instructions, see Chapter 2.
• Manage Windows file and print services, WINS name resolution, and domain browsing. For instructions, see Chapter 5.
• Monitor Windows services. For instructions, see Chapter 5.
For basic information about using Server Admin, see the server administration chapter of the getting started guide. Server Admin is installed in /Applications/Server/.

Workgroup Manager

Workgroup Manager lets you:
• Set up and manage user, group, and computer accounts. For instructions, see Chapter 3 of this guide and the chapters on user, group, and computer accounts in the user management guide.
• Manage share points for file services and for user home directories and roaming user profiles. For instructions, see Chapter 5 of this guide and the chapter on share points in the file services administration guide.
• Access the Inspector, which lets you work with Open Directory entries. For instructions, see the maintenance chapter of the Open Directory administration guide.
For basic information about using Workgroup Manager, see the server administration chapter of the getting started guide. Workgroup Manager is installed in /Applications/Server/.

Command-Line Utilities

A full set of command-line utilities is available for administrators who prefer to administer the server using commands. For remote server administration, run the commands in a Secure Shell (SSH) session. You can type the commands on Mac OS X servers and computers using the Terminal application, located in /Applications/Utilities/.
For instructions, see the command-line administration guide.

Chapter 2
Setting Up Windows Services

You can set up Mac OS X Server as a standalone Windows services provider, as a Windows domain member, or as a primary domain controller.

Mac OS X Server can provide several native services to Windows clients:
• The primary domain controller lets each user log in to the domain with the same user name and password from any Windows workstation, and it provides roaming user profiles and network home directories.
• A domain member server automatically authenticates users for its Windows services, such as file service, using the domain login provided by the primary domain controller. The member server can also host network home directories and roaming user profiles.
• File service lets Windows clients access files stored on the server's share points using the Server Message Block (SMB) protocol over TCP/IP.
• Print services use SMB to let Windows clients print to PostScript printers on the network.
• Windows Internet Naming Service (WINS) lets clients on different subnets perform name/address resolution.
• Windows domain browsing lets clients look for available servers across subnets.

Windows services are configured through four groups of settings:
• General: Specify the server's role for providing Windows services and the server's identity among the clients of its Windows services.
• Access: Limit the number of clients and control guest access.
• Logging: Choose how much information is recorded in the service log.
• Advanced: Configure WINS registration and domain browsing services, choose a code page for clients, and control virtual share points for home directories.

Because the default settings work fine if you only want to provide Windows file and print services, you may need only to start Windows services. You should, however, check the settings first and change any that aren't right for your network. You will need to change some settings if you want to set up Mac OS X Server as a Windows primary domain controller or as a member of the Windows domain of a Mac OS X Server PDC.

In addition to setting up Windows services and clients, you need to set up accounts for Windows users, groups, and computers (workstations). For more information, see Chapter 3, "Administering Windows Users, Groups, Computers, and Share Points."

For more information about Mac OS X Server directory and authentication services, including the Open Directory master and replicas, see the Open Directory administration guide.

Before You Set Up Windows Services

If you plan to provide Windows services from Mac OS X Server, read the following sections for the issues you should consider. To learn about the capabilities of the client software, it is best to check the Microsoft documentation for your version of Windows.

Although Mac OS X Server requires no special software or configuration on Windows client computers, you should read "Managing Windows Client Computers" on page 27.

For Optimal Cross-Platform Compatibility

Mac OS and Windows computers store and manage files differently. For optimal compatibility, you should set up at least one share point for the exclusive use of Windows users. See "Managing SMB Share Points" on page 45. In addition, you can improve the experience by following these guidelines:
• Use comparable software versions on both platforms.
• Modify files only with the application they were created in.
• If you have Mac OS 8 and Mac OS 9 clients, limit Windows file names to 31 characters.
• Don't use symbols or accented characters in the names of shared items.

Validating Windows User Passwords

Mac OS X Server supports several methods of validating user passwords for Windows services. The password type of a user account determines the password validation method.

Open Directory passwords
If a user account has a password of type Open Directory, the password is validated for Windows services using Open Directory Password Server. This is the recommended password validation method, and it is required for Windows domain login from a Windows workstation to a Mac OS X Server PDC. An Open Directory password can also be used to authenticate for Windows file service.

Open Directory password validation can be used with user accounts stored in LDAP or NetInfo directory domains. The directory domain doesn't store the Open Directory password, only a pointer to Open Directory Password Server and a password ID.

Open Directory Password Server stores passwords in a private database file that is readable only by the root user and whose contents are encrypted. Open Directory Password Server never allows passwords to be read over the network; they can only be set and verified.

Shadow passwords
If a user account has a password of type shadow, the password is encrypted and stored in a file on the server. Each shadow password is stored in a separate file, and that file can be read only by the root user. Only user accounts stored in a local directory domain can have a shadow password. A shadow password can be used to authenticate for Windows file service, but it can't be used to log in to the Windows domain of a PDC.

Authentication Manager passwords
Mac OS X Server supports user accounts set up to use the legacy Authentication Manager technology for password validation in Mac OS X Server versions 10.0 through 10.2. After a server is upgraded to Mac OS X Server version 10.3, existing users can continue to use their same passwords. An existing user account uses Authentication Manager if the account is in a NetInfo domain for which Authentication Manager was enabled and the account is set up to use an encrypted password.

If you migrate a directory domain from NetInfo to LDAP, all user accounts that used Authentication Manager for password validation are converted to have an Open Directory password.
Définition du rôle et de l’identité du serveur pour les services Windows Vous pouvez configurer Mac OS X Server afin qu’il joue l’un des trois rôles suivants pour la fourniture de services Windows : • Contrôleur de domaine principal (CDP) Le serveur fournit les services de fichiers et d’impression Windows. Il héberge également un domaine Windows, assurant le stockage des comptes d’utilisateur, de groupe et d’ordinateur, et fournissant des services d’authentification au domaine. Le serveur CDP peut héberger des profils d’utilisateur et des répertoires de départ pour les utilisateurs qui disposent de comptes d’utilisateur sur le CDP. • Membre de domaine Le serveur fournit les services de fichiers et d’impression Windows. Les services d’authentification sont assurés par le CDP Mac OS X Server. Un membre du domaine peut héberger des profils utilisateur et des répertoires de départ pour les utilisateurs qui disposent de comptes d’utilisateur sur le CDP. • Services Windows autonomes Le serveur fournit les services de fichiers et d’impression Windows. Le serveur authentifie les utilisateurs pour ses services de fichiers Windows, mais il ne fournit pas de services d’authentification pour la connexion aux domaines Windows sur les ordinateurs Windows. Il s’agit du rôle par défaut. Remarque : Mac OS X Server peut héberger un CDP uniquement si le serveur est un maître Open Directory. Important : si votre réseau comporte plusieurs systèmes Mac OS X Server, configurezen un seul comme CDP. Les autres peuvent être des membres de domaines ou fournir des services Windows autonomes. Configuration d’un serveur de services Windows autonomes Admin Serveur vous permet de configurer Mac OS X Server pour la fourniture de services Windows autonomes : fichiers, impression, exploration et WINS (Windows Internet Name Service). Le serveur ne fournit pas de services d’authentification pour la connexion aux domaines Windows sur les ordinateurs Windows. 
Pour configurer des services Windows autonomes : 1 Ouvrez Admin Serveur et sélectionnez Windows pour un serveur de la liste Ordinateurs et services. 2 Cliquez sur Réglages (vers le bas de la fenêtre), puis sur Général (vers le haut). 3 Sélectionnez Serveur autonome dans le menu local Rôle, puis tapez une description, un nom d’ordinateur et un groupe de travail.Chapitre 2 Configuration des services Windows 21 Description : cette description facultative apparaît dans la fenêtre Voisinage réseau des ordinateurs Windows. Nom de l’ordinateur : tapez le nom que les utilisateurs Windows verront lorsqu’ils se connecteront au serveur. Il s’agit du nom NetBIOS du serveur. Ce nom ne doit pas compter plus de 15 caractères, sans caractères spéciaux ni ponctuation. Si vous trouvez cela pratique, faites correspondre le nom du serveur avec son nom d’hôte DNS non qualifié. Par exemple, si votre serveur DNS possède une entrée “serveur.exemple.com” pour votre serveur, nommez ce dernier “serveur”. Groupe de travail : tapez le nom d’un groupe de travail. Les utilisateurs Windows peuvent visualiser le nom du groupe de travail dans la fenêtre Voisinage réseau. Si votre sous-réseau comporte des domaines Windows, utilisez l’un d’eux comme nom du groupe pour faciliter la communication entre sous-réseaux. Sinon, consultez votre administrateur de réseau Windows qui vous fournira le nom correct. Le nom d’un groupe de travail ne peut comporter plus de 15 caractères. 4 Cliquez sur Enregistrer. Pour plus d’informations sur la configuration de services Windows individuels, consultez les sections “Modification des réglages d’accès aux services Windows” à la page 24, “Modification des réglages de consignation des services Windows” à la page 24, “Modification des réglages avancés des services Windows” à la page 25 et le guide d’administration du service d’impression. 
From the command line
You can also set a server's role for providing Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Setting up a server as a Windows domain member
Server Admin lets you configure Mac OS X Server to join a Windows domain hosted by a Mac OS X Server primary domain controller (PDC). A server that joins a Windows domain can use the PDC's authentication services. This domain member server can also provide file, print, browsing, and WINS (Windows Internet Name Service) services. The server can host user profiles and home directories for users who have user accounts on the PDC. The domain member server does not provide authentication services to other domain members.
To join Mac OS X Server to the Windows domain of a Mac OS X Server PDC:
1 Open Server Admin and select Windows for a server in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click General (near the top).
3 Choose Domain Member from the Role pop-up menu, then type a description, a computer name, and a domain.
Description: This optional description appears in the Network Neighborhood window on Windows computers.
Computer Name: Type the name that Windows users will see when they connect to the server. This is the server's NetBIOS name. The name can be no more than 15 characters long, with no special characters or punctuation. If convenient, make the server name match its unqualified DNS host name.
For example, if your DNS server has an entry "serveur.exemple.com" for your server, name the server "serveur".
Domain: Type the name of the Windows domain the server will join. The domain must be hosted by a Mac OS X Server PDC. The name can be no more than 15 characters long and cannot be "WORKGROUP".
4 Click Save.
5 Type the name and password of a user account that is authorized to administer the LDAP directory domain on the PDC server, then click OK.
For more information about configuring individual Windows services, see "Changing Windows services access settings" on page 24, "Changing Windows services logging settings" on page 24, "Changing Windows services advanced settings" on page 25, and the print service administration guide.
From the command line
You can also set a server's role for providing Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Setting up a server as a primary domain controller
Server Admin lets you configure Mac OS X Server as a Windows primary domain controller (PDC). The PDC hosts a Windows domain and provides authentication services to other domain members, including authentication for domain login from Windows workstations. The PDC server can provide other Windows services: file, print, browsing, and WINS (Windows Internet Name Service). The server can host user profiles and home directories for users who have user accounts on the PDC.
To set up a Windows PDC:
1 Make sure the server is an Open Directory master.
To determine whether a server is an Open Directory master, open Server Admin, select Open Directory for the server in the Computers & Services list, click Settings (near the bottom of the window), then click General (near the top). If Role is not set to Open Directory Master, you cannot configure this server to host a PDC. See the Open Directory administration guide for more information about Open Directory masters.
2 In the Computers & Services list in Server Admin, select Windows for an Open Directory master server.
3 Click Settings (near the bottom of the window), then click General (near the top).
4 Choose Primary Domain Controller (PDC) from the Role pop-up menu, then type a description, a computer name, and a domain.
Description: This optional description appears in the Network Neighborhood window on Windows computers.
Computer Name: Type the name that Windows users will see when they connect to the server. This is the server's NetBIOS name. The name can be no more than 15 characters long, with no special characters or punctuation. If convenient, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry "serveur.exemple.com" for your server, name the server "serveur".
Domain: Type the name of the Windows domain the server will host. The name can be no more than 15 characters long and cannot be "WORKGROUP".
5 Click Save.
6 Type the name and password of an administrator account that can administer the LDAP directory domain on the server, then click OK.
For more information about configuring individual Windows services, see "Changing Windows services access settings" on page 24, "Changing Windows services logging settings" on page 24, "Changing Windows services advanced settings" on page 25, and the print service administration guide.
From the command line
You can also set a server's role for providing Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Changing Windows services access settings
You can use the Access pane of the Windows services settings in Server Admin to allow guest access or to limit the number of simultaneous client connections.
To configure Windows services access settings:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Access (near the top).
3 To allow Windows users or other SMB users to connect to the Windows file service without providing a user name or password, select "Allow Guest access".
4 To limit the number of users who can be connected to Windows services at the same time, select "maximum __" and type a number in the field.
5 Click Save.
From the command line
You can also change Windows services settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Changing Windows services logging settings
You can use the Logging pane of the Windows services settings in Server Admin to specify how much information is recorded in the Windows log file.
To configure Windows services logging settings:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings (near the bottom of the window), then click Logging (near the top).
3 Choose a log detail level from the pop-up menu:
Low records only error and warning messages.
Medium records error and warning messages, service start and stop times, authentication failures, and browser name registrations.
High records error and warning messages, service start and stop times, authentication failures, browser name registrations, and all file accesses.
4 Click Save.
From the command line
You can also change Windows services settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Changing Windows services advanced settings
You can use the Advanced pane of the Windows services settings in Server Admin to choose a client code page, configure the server as a domain or workgroup master browser, specify the server's WINS registration, and enable virtual share points for users' home directories.
To configure Windows services advanced settings:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Advanced.
3 From the "Code Page" pop-up menu, select the character set that clients will use.
4 Next to Services, decide whether you want to enable domain browsing services.
Workgroup Master Browser allows browsing and discovery of servers on a single subnet.
Domain Master Browser allows browsing and discovery of servers across different subnets.
5 Next to WINS Registration, select how you want to register the server with WINS.
"Off": prevents your server from using or providing WINS service for browsing outside its local subnet.
"Enable WINS server": your server provides local name resolution services. This allows clients on several different subnets to perform name and address resolution.
"Register with WINS server": your network has a WINS server, and your Windows clients and your Windows server are not all on the same subnet. Enter the IP address or DNS name of the WINS server.
6 To simplify setting up share points for Windows users' home directories, select "Enable virtual share points".
If you enable virtual share points, home directories are mounted automatically when Windows users log in to the PDC, and users have the same home directories whether they log in from a Windows workstation or from a Mac OS X computer.
If you disable virtual share points, you must set up SMB share points for Windows users' home directories and profiles, then configure each Windows user account to use those share points.
From the command line
You can also change Windows services settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Starting Windows services
You can use Server Admin to start Windows services.
To start Windows services:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Start Service.
From the command line
You can also start Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.
Setting up a print queue for SMB sharing
You can set up any print queue configured on the server to be shared via SMB. Server Admin lets you configure shared printer queues on the server.
To create a shared print queue:
1 In Server Admin, select Print in the Computers & Services list.
2 Click Settings, then click Queues.
3 Select the queue in the list, then click the Edit button (below the list).
If you don't see the Queues button, the queue settings may already be displayed. Click the Back button (the left arrow in the upper-right corner).
4 Make sure the Sharing Name is compatible with SMB sharing. This does not change the queue's name in Print Center on the server.
Names of queues shared via SMB must be no more than 15 characters long and can contain only the characters A to Z, a to z, 0 to 9, and _ (underscore).
5 Select the SMB protocol.
6 Click Save, then click the Back button (in the upper-right corner).
Be sure to start Windows services.
Managing Windows client computers
Mac OS X Server supports the Server Message Block (SMB) protocol, the native Windows file sharing protocol. SMB is also known as the Common Internet File System (CIFS).
Mac OS X Server has built-in browsing and name resolution services for your Windows client computers. You can enable the Windows Internet Naming Service (WINS) on your server or register with an existing WINS server. The Windows services of Mac OS X Server include the Windows Master Browser and Domain Master Browser services. You don't need a Windows server or a primary domain controller on your network to let Windows users see your server in the My Network Places window (Windows XP and 2000) or the Network Neighborhood window (Windows 95, 98, and ME). Enable the master browsers to let Windows clients outside your server's subnet reach the server by name.
Setting up Windows clients for TCP/IP networking
To access Windows services, Windows client computers must be correctly configured to connect via TCP/IP. For information about TCP/IP configuration, see your Windows networking documentation.
Connecting to the file service from Windows
A Windows user can connect to the Windows file service of Mac OS X Server via My Network Places (in Windows XP and 2000) or Network Neighborhood (in Windows 95, 98, and Millennium Edition (ME)).
Before trying to connect to the server from a Windows client computer, find out the workgroup or domain of the client computer and of the file server.
The procedure depends on the Windows version.
• In Windows XP, click Start, click Control Panel, click Performance and Maintenance, double-click the System icon, then select the Computer Name tab.
• In Windows 2000, click Start, click Settings, click Control Panel, double-click the System icon, then select the Network Identification tab.
• In Windows 95, 98, or ME, click Start, click Settings, click Control Panel, double-click the Network icon, then select the Identification tab.
To find the server's workgroup name, open Server Admin, click Windows in the Computers & Services list, click Settings, then click General.
To connect to the Windows file service from a Windows computer:
1 On the Windows client computer, open My Network Places (Windows XP and 2000) or Network Neighborhood (Windows 95, 98, and ME).
If you are in the same workgroup or domain as the server, skip to step 4.
2 Double-click the Entire Network icon.
3 Double-click the icon of the workgroup or domain in which the server is located.
4 Double-click the server icon.
5 Authenticate with the short name and password of a user account stored on the server.
The user account can be stored in the server's local directory domain or in its shared directory domain, if the server has one.
Connecting to the server by name or address in Windows 95, 98, or ME
A Windows 95, 98, or Millennium Edition (ME) user can connect to Mac OS X Server to use the Windows file service without going through Network Neighborhood. This method requires knowing the server's IP address or its Windows computer name (also called the NetBIOS name).
To connect to the Windows file service without using Network Neighborhood:
1 In Windows 95, 98, or ME, click Start, click Find, then click Computer.
2 Enter the name or IP address of your Windows server.
3 Double-click the server to connect.
4 Authenticate with the short name and password of a user account stored on the server.
The user account can be stored in the server's local directory domain or in its shared directory domain, if the server has one.
Connecting to the server by name or address in Windows XP
A Windows XP user can connect to Mac OS X Server to use the Windows file service without going through My Network Places. This method requires knowing the server's IP address or its Windows computer name (also called the NetBIOS name).
To connect to the Windows file service without using My Network Places:
1 In Windows XP, click Start, click Search, click "Computers or people", then click "A computer on the network".
2 Enter the name or IP address of your Windows server.
3 Double-click the server to connect.
4 Authenticate with the short name and password of a user account stored on the server.
The user account can be stored in the server's local directory domain or in its shared directory domain, if the server has one.
Setting up Windows clients for print service
To let Windows users print jobs via SMB, make sure Windows services are enabled and that one or more queues are available for use with SMB. All Windows computers, including Windows 95, Windows 98, Windows Millennium (ME), and Windows XP, support network printing via SMB. Windows 2000 and Windows NT also support printing via LPR.
Note: Third-party LPR drivers are available for Windows computers that lack built-in LPR support.
Chapter 3 Administering Windows Users, Groups, Computers, and Share Points
You can manage accounts for Windows users, groups of Windows users, and a computer list account for Windows workstations. You can also manage SMB share points.
User accounts, group accounts, computer accounts, and share points play an essential role in the day-to-day operation of a server:
• A user account stores the data Mac OS X Server needs to authenticate Windows users and to provide Windows domain login, roaming user profiles, home directories, file service, mail service, and so on.
• A group account is a simple way to control access to files and folders. A group account stores the identities of the users who belong to the group.
• A computer account is a list of computers that are available to the same users and groups. The Windows Computers account lists the Windows workstations that have joined the PDC's Windows domain; these are the Windows computers that can be used to log in to the Windows domain of the Mac OS X Server primary domain controller.
• A share point is a folder, hard disk, or hard disk partition that you make accessible over the network.
To enable the use of Windows services, Mac OS X Server must have accounts for Windows users, groups, and workstations. The server must also have share points for Windows services.
Setup overview
Here is a summary of the main tasks you perform to set up users, groups, computers, and share points for Windows services. See the pages indicated for detailed information about each step.
Step 1: Set up share points (optional)
To share folders and volumes with users on the network, you designate them as share points. On a PDC server, share points for roaming user profiles and home directories are created automatically. You can set up alternative share points for home directories and user profiles on a PDC server or a domain member server. You can also set up other share points for the files and folders that Windows users need to share. See "Managing SMB share points" on page 45.
Step 2: Set up user accounts
Every Windows user who will log in to the Windows domain needs a user account. A user who will not log in to the Windows domain but who will use the Windows file service or mail service also needs a user account. See "Managing accounts for Windows users" on this page.
Step 3: Join workstations to the Windows domain
Every Windows workstation that will be used for logging in to a Windows domain must join the Windows domain. You can set up Windows workstations to join the Mac OS X Server PDC in the same way you would set up workstations to join the domain of a Windows NT server.
In Windows 2000 Professional or Windows XP Professional, for example, you can use the Network Identification Wizard. When a Windows workstation joins the PDC, Mac OS X Server automatically adds the workstation to the server's "Windows Computers" computer account. You can also add workstations to this account using Workgroup Manager. See "Managing Windows workstations in the Windows Computers account" on page 43.
Step 4: Set up group accounts for Windows users (optional)
You need to do this only if you want to use groups to set group-based file permissions. Note that Mac OS X Server does not support NT-style access control lists (ACLs). The difference: in Mac OS X Server, you can assign only one group permission (and one individual user permission) to a particular file or folder. On a Windows NT server, you can assign a wider range of permissions. See "Managing groups for Windows users" on page 42.
Managing accounts for Windows users
A user account stores the data Mac OS X Server needs to validate a user's identity and provide services such as access to particular files on the server. If the user account resides on a server that is a primary domain controller (PDC), or on a server that is a member of a Windows domain governed by a PDC, the user account also lets a Windows computer user log in to the Windows domain. The same user account can be used to log in to a Mac OS X computer.
Where Windows user accounts are stored
Windows user accounts can be stored in any directory domain that is accessible from the computer that needs to access the account. To be usable for logging in to a Windows domain from a Windows computer, a user account must be stored in the LDAP directory domain of the Mac OS X Server that is the primary domain controller (PDC). A Windows user account that is not stored in the PDC's LDAP directory domain can be used to access other services. For example, a user account in the local directory domain of a Mac OS X Server can be used to access the Windows file service provided by that same server. See the Open Directory administration guide for complete information about the different types of directory domains.
Creating Windows user accounts in the primary domain controller
You can use Workgroup Manager to create a user account on a Mac OS X Server PDC. Windows users who have accounts on a Mac OS X Server computer that is the primary domain controller (PDC) can log in to the Windows domain from a Windows workstation. These user accounts can also be used for other Windows services.
To create a user account in a particular directory domain, you must have administrator privileges for that domain.
To create a user account in the PDC:
1 In Workgroup Manager, click Accounts, then click the User button.
2 Open the LDAP directory domain and authenticate as a domain administrator.
To open the LDAP directory domain, click the small globe icon above the list of users and choose from the pop-up menu.
To authenticate, click the lock icon and type the name and password of an administrator whose password type is Open Directory.
3 Choose Server > New User, or click New User in the toolbar.
4 Specify settings for the user in the tabs provided. See "Working with basic settings for users" on page 36 and "Working with print settings for users" on page 40 for details.
You can also create a user by using a preset or an import file. For more information, see the user management guide.
Creating Windows user accounts in a read/write directory domain
You can use Workgroup Manager to create Windows user accounts in directory domains other than the LDAP directory domain of a server that is a primary domain controller. If Mac OS X Server provides Windows services, you can create Windows user accounts in the server's local directory domain. If that server is connected to the LDAP directory domain of another server, you can also create Windows user accounts in the other server's LDAP directory domain. The other server's LDAP directory domain must be configured for write access; it cannot be read-only.
User accounts in the local directory domain or in another server's LDAP directory domain cannot be used for logging in to a Windows domain.
These user accounts can access other services, such as the Windows file service, if the server hosting the service has an authentication search policy that includes the directory domain where the user account resides. For example, a Windows user account in a server's local directory domain can access the Windows file service on that same server. For more information about search policies, see the Open Directory administration guide.
To create a user account in a read/write directory domain:
1 Make sure the directory services of the Mac OS X Server you are administering have been configured to access the domain you are interested in.
Mac OS X Server can always access its own local directory domain. Use Directory Access to configure access to another server's LDAP directory domain. For instructions, see the Open Directory administration guide.
2 In Workgroup Manager, click Accounts, then click the User button.
3 Open the directory domain in which you want to create user accounts and authenticate as a domain administrator.
To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu.
To authenticate, click the lock icon and type the name and password of an administrator of the directory domain. Authenticate as an administrator whose password type is Open Directory so that you can create user accounts whose password type is also Open Directory, the recommended option for Windows user accounts.
4 Choose Server > New User, or click New User in the toolbar.
5 Specify settings for the user in the tabs provided. See "Working with basic settings for users" on page 36 and "Working with print settings for users" on page 40 for details.
You can also create a user by using a preset or an import file. For more information, see the user management guide.
Modifying Windows user accounts
You can use Workgroup Manager to modify a Windows user account. The account can reside either on a Mac OS X Server computer that is the Windows primary domain controller (PDC) or in another directory domain.
To make changes to a user account:
1 Make sure the directory services of the Mac OS X Server computer you are using have been configured to access the directory domain you are interested in.
Mac OS X Server can always access its own local directory domain. A server that is a primary domain controller can access its own LDAP directory domain. Use Directory Access to configure access to another server's LDAP directory domain. For instructions, see the Open Directory administration guide.
2 In Workgroup Manager, click Accounts, then click the User button.
3 Open the directory domain in which you want to modify user accounts and authenticate as a domain administrator.
To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu.
To authenticate, click the lock icon and enter the name and password of a directory domain administrator. Authenticate as an administrator whose password type is Open Directory, so that you can modify user accounts whose password type is also Open Directory, the recommended option for Windows user accounts.
4 Select the account you want to modify.
5 Change the user’s settings in the tabs provided. For more information, see the sections from “Working with Basic Settings for Users” (next) through “Working with Print Settings for Users” on page 40.

Working with Basic Settings for Users
Basic settings are a set of attributes that must be defined for every user. They are accessed in the Basic pane of a user account window in Workgroup Manager. For detailed instructions on the following tasks, see the user accounts chapter of the user management guide:
• Defining user names
• Defining short names
• Choosing stable short names
• Avoiding duplicate names
• Avoiding duplicate short names
• Defining user IDs
• Defining passwords
• Assigning administrator rights for a server
• Assigning administrator rights for a directory domain

Working with Windows Settings for Users
A user account that can be used to log in to a Windows domain has settings for a Windows home directory, a roaming user profile, and a logon script. You can control these settings in the Windows pane of a user account window in Workgroup Manager.
To configure the Windows settings of a user account:
1 In Workgroup Manager, open the user account you want to work with. To open an account, click the Accounts button, then click the small globe icon below the toolbar and open the directory domain where the user’s account resides. To modify the Windows settings, click the lock to authenticate, then select the user in the user list.
2 Click Windows and change the settings as needed.
User Profile Path: specifies the path to the user’s profile. Leave this field blank to use the default share point for user profiles, which is /Utilisateurs/Profiles/ on the PDC server. This SMB share point is not displayed in Workgroup Manager. To use a different share point for the user profile, type the path in UNC (Universal Naming Convention) format:
\\server_name\share_name\user_short_name
where server_name is the NetBIOS name of the PDC server or of a member server of the Windows domain on which you want to store the user’s share point; share_name is the name of the share point on that server; and user_short_name is the first short name of the user account you are configuring. To see the server’s NetBIOS name, open Server Admin, click Windows in the Computers & Services list, click Settings, then click General and read the name in the Computer Name field.
Logon Script: specifies the path, relative to /etc/logon on the PDC server, of a logon script.
For example, if an administrator puts a script named config.bat in /etc/logon, the Logon Script field should contain “config.bat”.
Hard Drive: specifies the drive letter that Windows maps to the user’s home directory. If you leave this field blank, the letter H is used by default.
Path: specifies the path to the user’s home directory. Leave this field blank to use the same home directory for Windows login and Mac OS X login, as specified in the Home pane of Workgroup Manager. You can also specify that same home directory by typing a UNC path that does not include a share point: \\server_name\user_short_name. To specify a Windows home directory that is distinct from the Mac OS X home directory, type a UNC path that includes an SMB share point: \\server_name\share_point\user_short_name
You must make sure the specified share point is shared using SMB. You must also create the user’s home directory folder in that share point, and the folder you create must have the same name as the user’s first short name. (Mac OS X Server automatically creates a home directory folder only in the share point specified in the Home pane.)
3 Click Save.
For more information, see “Setting Up a Home Directory for a Windows User” on page 39 and “Managing SMB Share Points” on page 45.

Working with Advanced Settings for Users
Advanced settings include Mac OS X login settings, the password validation policy, and a comment.
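As an added example, not code from the Apple guide, the following Python function applies the format rules just given for the four Windows pane fields: it fills in the default drive letter, classifies the home path as the shared Mac OS X home or a separate Windows home, and flags profile or home paths whose last component is not the user’s first short name, as well as logon scripts that would resolve outside /etc/logon. The 15-character NetBIOS name limit is a general NetBIOS rule assumed here, and the server and share names used in the comments are constructed.

```python
"""Validate the Windows pane settings of a Mac OS X Server user account.

Added example, not code from the Apple guide.  It models the four fields
described above (User Profile Path, Logon Script, Hard Drive, Path) and
applies the format rules the guide states for each.  The NetBIOS name
check (15 characters maximum) is a general NetBIOS rule, not a rule the
guide itself states.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

LOGON_SCRIPT_DIR = "/etc/logon"   # logon scripts live here on the PDC server
# NetBIOS computer names: 1 to 15 characters (general NetBIOS limit).
NETBIOS_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9\-_]{0,14}$")


@dataclass
class WindowsSettings:
    short_name: str            # first short name of the user account
    profile_path: str = ""     # blank = default profile share point on the PDC
    logon_script: str = ""     # relative to /etc/logon on the PDC
    drive: str = ""            # blank = H
    home_path: str = ""        # blank = same home directory as Mac OS X login


@dataclass
class Verdict:
    effective_drive: str
    home_kind: str             # "macosx", "shared" or "separate"
    problems: List[str] = field(default_factory=list)


def split_unc(path: str) -> Optional[List[str]]:
    """Split a UNC path into its components (server first); None if not UNC."""
    if not path.startswith("\\\\"):
        return None
    parts = path[2:].split("\\")
    return None if any(p == "" for p in parts) else parts


def check_windows_settings(s: WindowsSettings) -> Verdict:
    """Apply the guide's rules; problems is empty when every field is acceptable."""
    problems: List[str] = []

    # Hard Drive: the letter Windows maps to the home directory, H by default.
    drive = s.drive.strip().rstrip(":").upper() or "H"
    if not re.fullmatch(r"[A-Z]", drive):
        problems.append(f"drive must be a single letter, got {s.drive!r}")

    # User Profile Path: blank, or \\server_name\share_name\user_short_name.
    if s.profile_path:
        parts = split_unc(s.profile_path)
        if parts is None or len(parts) != 3:
            problems.append("profile path must be \\\\server\\share\\short_name")
        else:
            if not NETBIOS_NAME_RE.match(parts[0]):
                problems.append(f"{parts[0]!r} is not a valid NetBIOS name")
            if parts[2] != s.short_name:
                problems.append("profile folder must be named after the first short name")

    # Logon Script: a path relative to /etc/logon.  Resolving it and checking
    # that it stays under that directory rejects absolute paths and '..' hops.
    if s.logon_script:
        script = s.logon_script.replace("\\", "/")
        resolved = posixpath.normpath(posixpath.join(LOGON_SCRIPT_DIR, script))
        if script.startswith("/") or not resolved.startswith(LOGON_SCRIPT_DIR + "/"):
            problems.append("logon script must be a relative path inside /etc/logon")

    # Path: blank (same home as Mac OS X), \\server\short_name (the same home,
    # given as UNC) or \\server\share_point\short_name (separate Windows home).
    home_kind = "macosx"
    if s.home_path:
        parts = split_unc(s.home_path)
        if parts is None or len(parts) not in (2, 3):
            problems.append("home path must be \\\\server\\short_name or "
                            "\\\\server\\share\\short_name")
        else:
            if not NETBIOS_NAME_RE.match(parts[0]):
                problems.append(f"{parts[0]!r} is not a valid NetBIOS name")
            if parts[-1] != s.short_name:
                problems.append("home folder must be named after the first short name")
            home_kind = "shared" if len(parts) == 2 else "separate"

    return Verdict(drive, home_kind, problems)
```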
You can control the advanced settings in the Advanced pane of a user account window in Workgroup Manager.
• For Windows users, the password type must be Open Directory or shadow password.
• The settings at the top and bottom of the Advanced pane apply only when the user logs in from a Mac OS X computer. The following settings are not used by Windows services: Allow simultaneous login, Login Shell, and Keywords.
For detailed instructions on changing advanced settings, see the user accounts chapter of the user management guide.

Providing Secure Authentication Services for Windows Users
Mac OS X Server offers three secure ways to validate the passwords of Windows users:
• Open Directory Password Server
• Shadow password
• Password encrypted with Authentication Manager enabled (legacy technology)
Open Directory Password Server is the recommended approach. It stores passwords securely and supports many authentication methods. Open Directory Password Server lets you implement password policies and supports user accounts in LDAP directories and in legacy NetInfo domains.
A shadow password provides NT and LAN Manager authentication for user accounts stored in the local NetInfo domain. A shadow password can be used to authenticate to the Windows file services provided by Mac OS X Server.
A password encrypted with Authentication Manager enabled provides compatibility for user accounts on a server upgraded from Mac OS X Server version 10.1.
After the server is upgraded to Mac OS X Server version 10.3, these user accounts should be changed to use Open Directory authentication, which is more secure than the legacy Authentication Manager. For more information, see the Open Directory administration guide.

Working with Group Settings for Users
Group settings identify the groups a user is a member of. You can work with these settings in the Groups pane of a user account window in Workgroup Manager. For detailed instructions on the following tasks, see the user accounts chapter of the user management guide:
• Defining a user’s primary group
• Adding a user to groups
• Removing a user from a group
• Reviewing a user’s group memberships

Setting Up a Home Directory for a Windows User
A Windows user can have a home directory that is used when logging in to a Windows domain. Generally, that user can also log in to a Mac OS X computer and use the same home directory. You can create a home directory for a Windows user in any existing share point, or create it in the /Utilisateurs folder, which is a predefined share point. If you want to create a home directory on a new share point, create the share point first. For instructions, see “Managing SMB Share Points” on page 45. For general information about home directories, see the corresponding chapter of the user management guide.
To create a home directory on an existing share point:
1 Make sure the share point has a mount record configured for home directories. In Workgroup Manager, click Sharing, click Share Points (on the left), select the share point in the list, click Network Mount (on the right), and make sure that both “Create a mount record for this share point” and “User home directories” are selected. To change these settings, you must use the Location pop-up menu to choose the directory domain where the user’s account resides, click the lock icon, and authenticate as an administrator of that directory domain.
2 In Workgroup Manager, open the user account for which you want to create a home directory. To open an account, click the Accounts button, then click the small globe icon below the toolbar and open the directory domain where the user’s account resides. To change the home directory information, click the lock to authenticate, then select the user in the user list.
3 Click Home.
4 In the share points list, select /Utilisateurs or the share point you want to use.
5 Click Create Home, then click Save.
After creating a home directory for a Windows user, make sure the settings in the Windows pane are configured correctly. For instructions, see “Working with Windows Settings for Users” on page 36.

Working with Mail Settings for Users
A Windows user can have a Mac OS X Server mail account.
To create a mail account for a user, specify the user’s mail settings in the Mail pane of a user account window in Workgroup Manager. For detailed instructions on the following tasks, see the user accounts chapter of the user management guide:
• Disabling a user’s mail service
• Enabling mail service account options
• Forwarding a user’s mail
To use a mail account, the user need only configure a mail client with the user name, password, mail service, and mail protocol specified in the Mail pane. For more information about setting up and managing the Mac OS X Server mail service, see the mail service administration guide.

Working with Print Settings for Users
The print settings associated with a user’s account define whether that user can print to queues accessible from a Mac OS X Server computer when the print service enforces print quotas. The print service administration guide explains how to set up print queues that enforce quotas. The Print pane of a user account window in Workgroup Manager lets you control a user’s print quotas:
• By default, a user has no access to any print queue that enforces quotas.
• You can allow a user to access all print queues that enforce quotas.
• You can allow a user to print to specific queues that enforce quotas.
For detailed instructions on working with print settings for users, see the user accounts chapter of the user management guide.

Defining a Guest User
You can set up Windows services and other services to support anonymous users, who have no user accounts. These guest users cannot be authenticated because they have no user name or password. You do not need to create a user account to support guest users. The following services can support guest access:
• Windows file, print, browsing, and name resolution services (for setup information, see “Allowing Guest Access to Windows Services” on page 62);
• Apple file service (for setup information, see the file services administration guide);
• FTP service (for setup information, see the file services administration guide);
• Web service (for setup information, see the Web technologies administration guide).
Users who connect to a server anonymously are restricted to files, folders, and websites whose permissions are granted to Everyone.

Deleting a Windows User Account
You can use Workgroup Manager to delete a user account from a Mac OS X Server directory domain.
To delete a user account using Workgroup Manager:
1 In Workgroup Manager, click the Accounts button, then click the User button.
2 Open the directory domain containing the user account you want to delete and authenticate as an administrator of the domain. To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu.
3 Select the account you want to delete, then choose Server > Delete Selected User.

Disabling a Windows User Account
To disable a Windows user account, you can:
• Deselect the option “User can log in” in the Basic pane of Workgroup Manager.
• Set a password policy that disables login (for a user account whose password type is Open Directory). For instructions, see the user authentication chapter of the Open Directory administration guide.
• Delete the account. For instructions, see the preceding section, “Deleting a Windows User Account.”
• Change the user’s password to an unknown value. For instructions, see “Working with Basic Settings for Users” on page 36.

Managing Groups for Windows Users
A group account makes it easy to manage a set of users with similar needs. A group account stores the identities of the users who belong to the group, as well as other information that applies only to Mac OS X users. Although some group information does not apply to Windows users, you can add Windows users to the groups you create.
Special access permissions to files and folders can be assigned to a group, as described in the file services administration guide. The procedures for managing group accounts are the same for groups whose members include Windows users and for groups that contain only Mac OS X users. Group accounts are administered with Workgroup Manager. For detailed instructions on the following tasks, see the group accounts chapter of the user management guide:
• Creating group accounts
• Changing group account information
• Adding users to a group
• Removing users from a group
• Naming a group
• Defining a group ID
• Deleting group accounts

Working with Group Folder Settings for Windows Groups
If you use the Group Folder pane of Workgroup Manager to set up a folder for the members of a particular group, the group folder is not mounted automatically on Windows workstations when group members log in to the Windows domain. If the group folder’s share point is shared using SMB, a Windows user can go to My Network Places (or Network Neighborhood) and access the contents of the group folder. For more information about group folders, see the group accounts chapter of the user management guide.

Managing Windows Workstations in the Windows Computers Account
Every Windows computer managed by the Mac OS X Server primary domain controller must be part of the Windows Computers account. Adding a computer to a computer account creates a record for that computer.
This record identifies the Windows computer by its NetBIOS name. A Windows computer’s record also contains the information used to authenticate the computer as a trusted workstation in the Windows domain. Mac OS X Server creates this information (a user ID and a group ID) for each computer added to the Windows Computers account. For general information about computer accounts and adding computers to them, see the computer accounts chapter of the user management guide.

Adding Computers to the Windows Computers Account
A Mac OS X Server PDC automatically adds a Windows computer to the server’s Windows Computers account when the computer joins the PDC’s Windows domain, but you can also use Workgroup Manager to add computers to the Windows Computers account.
To add computers to the Windows Computers list:
1 In Workgroup Manager, click Accounts, then click the Accounts button.
2 Open the LDAP directory domain and authenticate as an administrator of the domain. To open the LDAP directory domain, click the small globe icon above the list of computers and choose from the pop-up menu. To authenticate, click the lock icon and enter the name and password of a directory domain administrator.
3 Click List, then select Windows Computers in the list of computer accounts.
4 Click the Add button, type the computer’s NetBIOS name and an optional description, then click Add.
5 Click Save.
6 Continue adding computers until the list is complete.
Removing Computers from the Windows Computers Account
With Workgroup Manager, you can remove one or more computers from the Windows Computers account of a Mac OS X Server primary domain controller (PDC). Once a computer is removed from the Windows Computers account, it can no longer be used to log in to the PDC.
To remove computers from the Windows Computers list:
1 In Workgroup Manager, click Accounts, then click the Computers button.
2 Open the LDAP directory domain and authenticate as an administrator of the domain. To open the LDAP directory domain, click the small globe icon above the list of computers and choose from the pop-up menu. To authenticate, click the lock icon and enter the name and password of a directory domain administrator.
3 Click List, then select Windows Computers in the list of computer accounts.
4 In the List table, select one or more computers in this account’s list. To select several computers, Command-click or Shift-click in the list.
5 Click Remove, then click Save.

Changing Information About a Computer in the Windows Computers Account
To change the name or description of a computer in the Windows Computers account, use Workgroup Manager to remove the computer, then add it again with the changed information.

Moving a Windows Computer to a Different Computer Account
You cannot move a Windows computer from the Windows Computers account to a different account.
Windows computers must be part of the Windows Computers account, and they cannot belong to more than one account at a time.

Deleting the Windows Computers Account
The Windows Computers account cannot be deleted.

Managing SMB Share Points
Share points for Windows home directories and roaming user profiles are set up automatically on a Mac OS X Server primary domain controller (PDC), but you can set up other share points. Windows uses the SMB (Server Message Block) protocol to access share points. The default share point for Windows home directories is the same as the share point for Mac OS X home directories. The default share point for user profiles is the /Utilisateurs/Profiles/ folder on the PDC server. This SMB share point is not displayed in Workgroup Manager. You can set up alternative SMB share points for home directories and user profiles on the PDC server or on member servers of the domain.
You can set up additional share points for Windows users, either for their exclusive use or shared with others. For example, you can set up a share point in which Windows and Mac OS users store graphics or word processing files that can be used on both platforms. Conversely, you can set up a share point for access over SMB only, so that Windows users have a network location for files that cannot be used on other platforms.
For an overview of share points, including a discussion of the issues to consider before creating them, see the share points chapter of the file services administration guide.

Opportunistic Locking (oplocks)
Mac OS X Server SMB share points support the performance improvement offered by opportunistic locking (“oplocks”). In general, file locking prevents several clients from modifying the same information at the same time: a client locks the file (or part of it) in order to access it exclusively. Opportunistic locking grants that exclusive access but also lets the client cache its changes locally (on the client computer) for better performance. To enable opportunistic locking, change a share point’s Windows protocol settings using Workgroup Manager.
Important: Do not enable opportunistic locking for a share point that uses any protocol other than SMB.

Strict Locking
It is generally up to a client application to determine whether a file is locked before trying to open it. A badly written application may fail to detect a lock and may damage a file that someone else is already using. Strict locking, which is enabled by default, helps prevent this. When strict locking is enabled, the SMB server checks for and enforces file locks itself.

Creating an SMB Share Point and Setting Permissions
You can use the Sharing module of Workgroup Manager to share volumes (such as disks, CDs, and DVDs), partitions, and individual folders by setting them up as share points.
When you create a share point, you can set it up to be shared using any combination of the AFP, FTP, SMB, and NFS protocols. You can also control access to the share point and its contents by setting access permissions.
Note: Do not use a slash (/) in the name of a folder or volume you plan to share. Users trying to access the share point may have trouble seeing it.
To create an SMB share point and set permissions:
1 Open Workgroup Manager and click Sharing.
2 Click All and select the item you want to share.
3 Click General.
4 Select “Share this item and its contents.”
5 To control who has access to the share point, change the owner or group of the shared item. Type the names or drag them from the Users & Groups drawer. To open the drawer, click Users & Groups. If you do not see a recently created user or group, click Refresh. To change how often the list is refreshed automatically, choose Workgroup Manager > Preferences.
6 Choose the permission type for Owner, Group, and Everyone from the corresponding pop-up menus. “Everyone” is any user who can log in to the file server: registered users and guests alike.
7 (Optional) To apply the share point’s ownership and permissions to all the files and folders it contains, click Copy. This overrides any permissions that other users may have set.
8 Click Protocols (on the right) and choose Windows File Settings from the pop-up menu.
9 To provide SMB access to the share point, select “Share this item using SMB.”
10 To allow unregistered users to access the share point, select “Allow SMB guest access.” For greater security, do not select this item.
11 To change the name clients see when they browse for and connect to the share point using SMB, type a new name in the “Custom SMB name” field. Changing the custom SMB name does not affect the name of the share point itself, only the name SMB clients see.
12 To allow clients to use opportunistic file locking, select “Enable oplocks.” Do not enable oplocks for a share point that uses any protocol other than SMB. For more information about opportunistic locking, see “Opportunistic Locking (oplocks)” on page 45. To have clients use standard locking on server files, select “Enable strict locking.”
13 Choose a method for assigning default access permissions to new files and folders in the share point. To have new items adopt the permissions of the enclosing item, select “Inherit permissions from parent.” To assign specific permissions, select “Assign as follows” and set the Owner, Group, and Everyone permissions using the pop-up menus.
14 To prevent AFP access to the new share point, choose Apple File Settings from the pop-up menu, then deselect “Share this item using AFP.”
15 To prevent FTP access to the new share point, choose FTP Settings from the pop-up menu, then deselect “Share this item using FTP.”
16 To prevent NFS access to the new share point, choose NFS Export Settings from the pop-up menu, then deselect “Export this item and its contents to.”
17 Click Save.
From the command line
You can also set up a share point using the sharing command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Changing Windows (SMB) Settings for a Share Point
You can use Workgroup Manager to control whether a share point is available over SMB and to change settings such as the share point name seen by SMB clients, whether guest access is allowed, whether opportunistic locking is allowed, and the default permissions for new items.
To change the settings of an SMB share point:
1 Open Workgroup Manager and click Sharing.
2 Click Share Points and select the share point.
3 Click Protocols (on the right) and choose Windows File Settings from the pop-up menu.
4 To provide SMB access to the share point, select “Share this item using SMB.”
5 To allow unregistered users to access the share point, select “Allow SMB guest access.” For greater security, do not select this item.
6 To change the name clients see when they browse for and connect to the share point using SMB, type a new name in the “Custom SMB name” field. Changing the custom SMB name does not affect the name of the share point itself, only the name SMB clients see.
7 To let clients use opportunistic file locking, select "Enable oplocks". To have clients use standard locks on server files, select "Enable strict locking". Do not enable opportunistic locking for a share point that is also shared over any protocol other than SMB. For more information about opportunistic locking, see "Opportunistic locking (oplocks)" on page 45.
8 Choose a method for assigning default access permissions to new files and folders in the share point. To have new items adopt the permissions of the parent item, select "Inherit permissions from parent". To assign specific permissions, select "Assign as follows" and set the Owner, Group, and Everyone permissions using the pop-up menus.
9 Click Save.

From the command line
You can also change the SMB settings of a share point using the sharing command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Managing share points
For information about the typical day-to-day tasks you can perform after setting up share points on your server, see the share points chapter of the file services administration guide.
It describes the following tasks:
• Disabling a share point
• Disabling a protocol for a share point
• Viewing share points
• Copying permissions to enclosed items
• Viewing share point settings
• Changing a share point's owner and access permissions
• Changing the client scope of an NFS share point
• Allowing guest access to a share point
• Setting up a drop box

4 Migrating Users From a Windows Server to Mac OS X Server

You can set up Mac OS X Server user accounts and home directories to replace those on existing Windows NT, Windows 2000, and Windows 2003 servers. The figure in the original guide summarizes the procedure that follows:
1 Set up Mac OS X Server.
2 Set up the home directory infrastructure.
3 Export the users from the Windows server.
4 Import the users into Mac OS X Server.
5 Transfer the logon scripts.
6 Join the Windows clients to the Windows PDC domain.
7 Transfer the files and settings.

Step 1: Set up Mac OS X Server
Follow the instructions in the getting started guide:
1 Install the server software.
2 Perform initial server setup, making sure to create an Open Directory master and a Windows primary domain controller (PDC) on the server.
The Windows PDC lets users of Windows NT, Windows 2000, and Windows XP workstations log in to the PDC, change passwords during login, and have roaming user profiles and network home directories on Mac OS X Server.
In the Directory Usage pane of Server Assistant, choose Open Directory Master from the "Set directory usage to" pop-up menu.
Then select Enable Windows Primary Domain Controller and type a computer name and a domain/workgroup name:
In the Computer Name field, type the name Windows users should see when they connect to the server. This is the server's NetBIOS name. The name must be no more than 15 characters, with no special characters or punctuation. If convenient, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry "server.example.com" for your server, name the server "server".
In the Domain/Workgroup field, type the name of the Windows domain the server will host. A domain name can be no more than 15 characters.

Step 2: Set up the home directory infrastructure
When you import users, you must identify a location for their home directories. You can use one of the predefined share points, such as the /Users folder, or set up your own share point.
1 If you use a predefined share point, select it in Workgroup Manager and go to step 3 of this sequence. Otherwise, perform step 2 first.
To select a predefined share point in Workgroup Manager, click Sharing. Click Share Points and select the share point.
2 If you want to set up your own share point on Mac OS X Server, create the folder you want to use as the home directory share point, then use Workgroup Manager to make that folder a share point.
In Workgroup Manager, click Sharing. Click All and select the folder. Click General and select "Share this item and its contents".
Set the permissions, then click Save. Click Protocols and make sure the folder is shared using AFP or NFS. Click Save again.
3 Set up the share point to mount automatically on client workstations.
With the share point selected in Workgroup Manager, click Network Mount. Choose the PDC server's LDAP directory from the Where pop-up menu. Click the lock to the right of that pop-up menu and authenticate as an administrator of the LDAP directory. Select "Create mount record for this share point". Choose AFP or NFS from the Protocol pop-up menu. Select "User home directories" next to "Use for", then click Save. If you choose NFS, keep in mind that NFS trusts the user ID the client reports rather than authenticating a password, so limit the export's client scope to the workstations that need it.
4 Set the default file access permissions for Windows users.
Click Protocols, choose Windows File Settings from the pop-up menu, and specify the permissions under "Default permissions for new files and folders". Click Save.

Step 3: Export users from the Windows server domain
1 Open the user management application (such as User Manager on Windows NT 4.0 Server) on your Windows server.
2 Export the users to a tab-delimited file. The full names and short names are exported. On Windows NT they correspond to the name and the user name, respectively. On Windows 2000 Active Directory they correspond to the name and the pre-Windows 2000 logon name, respectively.

Step 4: Import users into Mac OS X Server
1 Make sure Windows services are running.
Open Server Admin, select Windows in the Computers & Services list, and click Start Service if necessary.
2 On the Windows server, map a network drive to Mac OS X Server.
3 Log in as the administrator user you defined during Mac OS X Server setup.
4 Copy the export file to Mac OS X Server.
5 On Mac OS X Server, edit the export file:
a Change the Windows line endings to UNIX line endings. You can use the vi command-line editor for this. The following command opens vi for a file named MyFile with UNIX line endings; save the file with :wq so that it is written with the new line endings:
vi -c "set fileformat=unix" MyFile
b Remove the header inserted by the export.
c Rearrange the columns so that the short name comes first. A spreadsheet is useful for this kind of editing.
d Add the following header as the first line of the file. Its first four values are the end-of-record, escape, field separator and value separator characters: 0x0A is the UNIX line feed produced in step a, 0x5C the backslash, 0x09 the tab, 0x2C the comma.
0x0A 0x5C 0x09 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName
6 Open Workgroup Manager. Make sure the Accounts button is selected in the toolbar and the Users button is selected above the accounts list (on the left). The PDC server's LDAP directory must be the current directory domain. If it is not, click the small globe under the toolbar to choose the server's LDAP directory.
7 Define a preset for the user account in the server's LDAP directory. The settings you associate with a preset are assigned to every imported user, which simplifies setting the user profile path, logon script, home directory share point, and other values.
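The edits in step 5 (a through d) are mechanical, and doing them by hand on an export of hundreds of accounts is where mistakes creep in: a leftover header row or a swapped column becomes a wrongly named account in the directory. The following Python script is an added example, not part of this guide or of Mac OS X Server, that performs the four edits in one pass and refuses input that would yield an unusable record name. The export layout it expects (a header row with "Name" and "Username" columns, as User Manager labels them), the embedded sample export, and the rule for acceptable short names are assumptions; the escaping follows the escape character declared in the header.

```python
"""Prepare a Windows user export for import into Workgroup Manager.

Added example, not from the Apple guide. It performs step 5 (a-d) in one pass:
CRLF -> LF, drop the export tool's own header row, put the short name first,
then prepend the dsimport header from step d.
"""
import re
import sys

# Header from step d. The first four values are the end-of-record, escape,
# field separator and value separator characters: 0x0A (LF) matches the UNIX
# line endings produced in step a, 0x5C is backslash, 0x09 tab, 0x2C comma.
IMPORT_HEADER = ("0x0A 0x5C 0x09 0x2C dsRecTypeStandard:Users 2 "
                 "dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName")

# Short names become record names in the LDAP directory. Reject anything
# outside this conservative set rather than let the import mangle it
# (assumed policy for this example, not a documented Apple rule).
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")

# Constructed sample of a tab-delimited export with Windows line endings.
# Column labels follow Windows NT User Manager ("Name", "Username"); this is
# an assumption, real exports may label them differently.
SAMPLE_EXPORT = (b"Name\tUsername\tDescription\r\n"
                 b"Jane Doe\tjdoe\tFinance\r\n"
                 b"Sam Lee, Jr.\tslee\tIT\r\n")


def escape_value(value: str) -> str:
    """Escape the separators declared in IMPORT_HEADER with its escape char."""
    return (value.replace("\\", "\\\\")
                 .replace("\t", "\\\t")
                 .replace(",", "\\,"))


def convert_export(raw: bytes, shortname_col: str = "Username",
                   fullname_col: str = "Name") -> str:
    """Return the text of the import file, or raise ValueError on bad input."""
    # Step a: normalise line endings (the export is assumed to be UTF-8 text).
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    lines = [ln for ln in text.split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty export")
    # Step b: the first row is the export tool's header; use it to locate
    # the columns, then drop it.
    header = [h.strip() for h in lines[0].split("\t")]
    try:
        short_i = header.index(shortname_col)
        full_i = header.index(fullname_col)
    except ValueError as exc:
        raise ValueError(f"column not found in export header: {exc}") from exc
    out = [IMPORT_HEADER]  # step d
    seen = set()
    for n, ln in enumerate(lines[1:], start=2):
        fields = ln.split("\t")
        if len(fields) <= max(short_i, full_i):
            raise ValueError(f"line {n}: too few fields")
        short, full = fields[short_i].strip(), fields[full_i].strip()
        if not SHORT_NAME_RE.match(short):
            raise ValueError(f"line {n}: unusable short name {short!r}")
        if short.lower() in seen:  # treated as case-insensitive here
            raise ValueError(f"line {n}: duplicate short name {short!r}")
        seen.add(short.lower())
        # Step c: short name (RecordName) first, then full name (RealName).
        out.append(f"{escape_value(short)}\t{escape_value(full)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    sys.stdout.write(convert_export(src))
```

Run it with the export file as its only argument and redirect the output to the file you select in step 9; without an argument it converts the embedded sample. Duplicate short names are rejected here on purpose: letting them through only defers the problem to the duplicate handling option in step 9, where the choice is made for every collision at once.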
Click New User and specify the values that all imported Windows users should inherit. For information about most user settings, see the user management guide. For information about Windows user settings, see "Managing accounts for Windows users" on page 33.
Set password options so that users must change their password at their next login. With this approach you do not need to specify individual passwords for each user in the export file or in Workgroup Manager after importing the users. To reach the password option settings, click Advanced, then click Options.
When you have finished specifying values, choose Save Preset from the corresponding pop-up menu.
8 In Workgroup Manager, choose Server > Import.
9 Navigate to the user export file and select it. Then choose a duplicate handling option, identify the preset you want to use, and optionally specify a starting user ID and a primary group ID.
10 Click Import.
11 Optionally, define group accounts to control file access. On Mac OS X computers, access permissions for files and folders (Read & Write, Read Only, Write Only, or None) can be set for an owner (a user), a group, and all users ("Everyone"). Mac OS X Server does not support access control lists (ACLs). Additional groups can be used to set up group-level permissions for files transferred from the Windows server.
To define a group, select the group list in Workgroup Manager, click New Group, then type a group name and ID. To add users to the group, click Add (+), select the users who should belong to the group, and drag them into the Members list.

Step 5: Transfer logon scripts to Mac OS X Server
1 Copy the logon scripts from the Windows server to /etc/netlogon/ on Mac OS X Server. Because these scripts run on every workstation at logon with the user's privileges, make sure /etc/netlogon/ is writable only by administrators and review the scripts before copying them.
2 In Workgroup Manager, select each user of the Windows PDC and make sure the logon script location is correctly specified. The Login Script field must contain the path, relative to /etc/netlogon/, of a logon script located in that folder. For example, if you copied a script named config.bat to /etc/netlogon/, the Login Script field should contain config.bat.

Step 6: Join Windows clients to the Mac OS X Server PDC
On the workstation of each Windows user for whom you created an account on the Mac OS X Server computer, join the workstation to the server's Windows PDC domain so that users who log in to the workstation are authenticated by Open Directory. From then on, when a Windows workstation user logs in to Mac OS X Server, his or her home directory is automatically created and mounted on the Windows workstation.

Step 7: Transfer client files and settings to Mac OS X Server home directories
Each Windows workstation user can now place files from the Windows server in his or her home directory on Mac OS X Server.
1 On a Windows client that has been set up to join the Mac OS X Server domain, map a network drive to Mac OS X Server and log in as one of the imported users. The first time a Windows user logs in, his or her home directory is mounted on the Windows workstation.
2 Map a network drive to the Windows server where the files to be transferred are located.
3 Copy the files of interest to the Mac OS X Server home directory. The default permissions set in Step 2 are assigned to each file.
When you log out, user settings (such as the background image) are saved on Mac OS X Server and used at the next login.

5 Managing Windows Services

You can use Server Admin to start and stop Windows services, monitor them, change the server's Windows identity, manage access to the services, manage their logs, and change their advanced settings. For descriptions of the management tasks and the related instructions, see:
• "Starting and stopping Windows services" on this page
• "Monitoring Windows services" on page 58
• "Changing the server's Windows identity" on page 60
• "Managing access to Windows services" on page 62
• "Managing logging for Windows services" on page 63
• "Managing advanced Windows services settings" on page 64

Starting and stopping Windows services
You can start and stop Windows services.

Starting Windows services
You can use Server Admin to start Windows services if they are stopped.
To start Windows services:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Start Service.
From the command line
You can also start Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Stopping Windows services
You can use Server Admin to stop Windows services.
Important: When you stop Windows services, connected users lose any information they have not yet saved.
To stop Windows services:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Stop Service.
From the command line
You can also stop Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Monitoring Windows services
You can check the status of Windows services, view the Windows services logs, or view a list of the users currently connected to Windows services.

Viewing Windows services status
You can use Server Admin to check the status of Windows services.
To check the status of Windows services:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Overview to see whether the service is running and how many users are connected.
3 Click Logs to view the Windows file service and name server logs. Use the View pop-up menu to choose the log to view.
4 Click Connections to see a list of the users currently connected to Windows services. The list includes the users' names and IP addresses and the duration of the connections.
To disconnect a user, click Disconnect.
5 Click Graphs to see graphs of throughput or connected users. Use the slider to adjust the time scale.
From the command line
You can also check the status of Windows services using the serveradmin command in Terminal, or use the cat or tail command to view the log files in /var/log/samba. For more information, see the file services chapter of the command-line administration guide.

Viewing Windows services logs
You can use Server Admin to view the Windows services logs.
To view the Windows services logs:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Logs to view the Windows file service and name server logs.
3 Use the View pop-up menu to choose the log to view.
From the command line
You can also view the Windows services logs using the cat or tail command in Terminal to read the log files in /var/log/samba. For more information, see the file services chapter of the command-line administration guide.

Viewing Windows services connections
You can use Server Admin to see which users are connected to Windows services, and you can force users to disconnect.
Important: Users who are disconnected lose unsaved changes in open files.
To view Windows services connections:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Connections to see a list of the users currently connected to Windows services. The list includes the users' names and IP addresses and the duration of the connections. To disconnect a user, click Disconnect.
From the command line
You can also determine the number of connections to Windows services using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Viewing Windows services graphs
You can use Server Admin to view graphs of connected Windows users or of Windows services throughput.
To view Windows services graphs:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Graphs to see graphs of throughput or connected users.
3 Use the slider to adjust the time scale.

Disconnecting Windows users
You can use Server Admin to force users to disconnect from Windows services.
Important: Users who are disconnected lose unsaved work in open files.
To force users to disconnect from Windows services:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Connections to see a list of the users currently connected to Windows services. The list includes the users' names and IP addresses and the duration of the connections.
3 Select the users you want to disconnect, then click Disconnect.
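Server Admin displays the logs in /var/log/samba but does not summarize them, and the event a PDC administrator most wants to notice, a run of failed logons against one account, is easy to miss among routine connection entries. The following Python script is an added example, not from this guide or from Mac OS X Server, that reads smbd log text and flags accounts with a burst of authentication failures inside a short window, the usual shape of password guessing. The entries it parses are constructed here in the two-line style smbd writes (a bracketed timestamp and level, then an indented message); the exact wording depends on the Samba version and on the log detail level chosen under "Managing logging for Windows services", where user connection failures are recorded only at Medium or High. The threshold and window are assumed values.

```python
"""Flag repeated Windows (SMB) logon failures in the Samba logs.

Added example, not from the Apple guide. It reads smbd log text such as the
files under /var/log/samba and reports accounts with a burst of failed
authentications, the signature of password guessing against the PDC.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# smbd writes an entry as a bracketed "[date time, level] source" header line
# followed by one or more indented message lines. Both patterns are written
# against that style and are assumptions about the exact wording.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]")
FAILED_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
    r"FAILED with error (NT_STATUS_\w+)")

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
[2004/03/15 10:22:30, 1] auth/auth.c:check_ntlm_password(240)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/03/15 10:22:33, 1] auth/auth.c:check_ntlm_password(240)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/03/15 10:22:35, 1] smbd/service.c:make_connection_snum(640)
  ws17 (192.168.1.17) connect to service users initially as user alice (uid=1002, gid=20)
[2004/03/15 10:22:36, 1] auth/auth.c:check_ntlm_password(240)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/03/15 10:22:38, 1] auth/auth.c:check_ntlm_password(240)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/03/15 11:05:02, 1] auth/auth.c:check_ntlm_password(240)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""


def parse_failures(text):
    """Yield (timestamp, user, nt_status) for every failed authentication.

    The timestamp comes from the most recent header line, because the
    message line that names the user carries none of its own.
    """
    stamp = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = FAILED_RE.search(line)
        if m and stamp is not None:
            yield stamp, m.group(1), m.group(3)


def flag_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: start_of_burst} for users with at least `threshold`
    failures inside any `window`-long interval (per-user sliding window).
    Threshold and window are assumed values; tune them to your environment."""
    recent = defaultdict(deque)
    flagged = {}
    for stamp, user, _status in parse_failures(text):
        key = user.lower()  # Windows account names are case-insensitive
        q = recent[key]
        q.append(stamp)
        while q and stamp - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = q[0]
    return flagged


def status_counts(text):
    """Count failures by NT status. A pile of NT_STATUS_NO_SUCH_USER points
    at account-name guessing rather than a user mistyping a password."""
    return Counter(status for _stamp, _user, status in parse_failures(text))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for user, start in flag_bursts(data).items():
        print(f"{user}: repeated logon failures starting {start}")
    for status, n in status_counts(data).items():
        print(f"{status}: {n}")
```

Run it against a file from /var/log/samba (for example the file service log) or pipe tail output into it; without an argument it analyses the embedded sample, where "bob" is flagged and the single NT_STATUS_NO_SUCH_USER entry for Administrator is reported separately. The sliding window is per user so that one impatient person retyping a password is distinguished from a slow sweep across many accounts, which shows up in the status counts instead.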
Changing the server's Windows identity
You can change the identity a server presents to Windows services clients by changing either the server's Windows computer name or its Windows domain or workgroup.

Changing the server's Windows computer name
Server Admin lets you change the computer name by which Mac OS X Server is known in a Windows domain or workgroup. If the server is the primary domain controller (PDC) or a member of a Windows domain, the computer name is the server's NetBIOS name in the domain. If the server provides standalone Windows services but is neither the PDC nor a domain member, the computer name is the server's NetBIOS name in the workgroup. Windows users see this name when they connect to the server.
To change the Windows computer name of Mac OS X Server:
1 In the Computers & Services list of Server Admin, select Windows for the server whose Windows computer name you want to change.
2 Click Settings (near the bottom of the window), then click General (near the top).
3 Type the computer name, then click Save.
The name must be no more than 15 characters, with no special characters or punctuation. If convenient, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry "server.example.com" for your server, name the server "server".
4 If the server is the PDC or a Windows domain member, you must authenticate by typing the name and password of a user account that can administer the LDAP directory domain on the PDC server.
Because workgroups are ad hoc, you do not need to authenticate as an administrator to change the computer name of a server that provides only standalone Windows services.
From the command line
You can also change the server name using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Changing the server's Windows domain
You can use Server Admin to change the Windows domain of a server that is a domain member.
To change the Windows domain of Mac OS X Server:
1 In the Computers & Services list of Server Admin, select Windows for the server whose Windows domain you want to change.
2 Click Settings (near the bottom of the window), then click General (near the top).
3 Type the Windows domain name, then click Save.
Warning: Do not change the domain name of a PDC server unless it is absolutely necessary. If you change the PDC's domain name, Windows workstations that were members of the domain will have to rejoin the domain under its new name.

Changing the server's Windows workgroup
You can use Server Admin to change the workgroup name of a server that provides only standalone Windows services (file, print, browsing, or WINS). Windows users can see the workgroup name in the Network Neighborhood window. If your subnet has Windows domains, use one of them as the workgroup name to ease communication across subnets. Otherwise, consult your Windows network administrator for the correct name.
To change the Windows workgroup name of Mac OS X Server:
1 In the Computers & Services list of Server Admin, select Windows for the server whose Windows workgroup you want to change.
2 Click Settings (near the bottom of the window), then click General (near the top).
3 Type a name in the Workgroup field, then click Save.
From the command line
You can also change the Windows workgroup name using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Managing access to Windows services
You can manage access to Windows services by allowing or denying guest access to the Windows file service and by limiting the number of connected Windows clients.

Allowing guest access to Windows services
You can use Server Admin to enable or disable guest access to the Windows file service. Guest users can access the Windows file service on your server without providing a name or password. For greater security, it is best not to allow guest access. Note that this service-wide setting works together with the per-share-point "Allow SMB guest access" setting under Windows File Settings: a guest can only reach share points where both are enabled.
Users must always type a name and password to log in to the Windows domain of a Mac OS X Server primary domain controller from a Windows workstation. The Windows print service provided by Mac OS X Server does not require authentication. The Windows browsing and name resolution services do not require authentication either.
To allow guest access to the Windows file service:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Access.
3 Click "Allow guest access", then click Save.
If "Allow guest access" is selected, users can connect to the Windows file service without a user name or password. If "Allow guest access" is not selected, users must provide a valid user name and password to use the Windows file service.
From the command line
You can also enable or disable guest access to the Windows file service using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Limiting the number of connected Windows clients
You can use Server Admin to limit the resources Windows services can consume by setting a maximum number of connections.
To set the maximum number of connections:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Access.
3 Select "maximum __" and type the maximum number of connections.
4 Click Save.
From the command line
You can also limit client connections by using the serveradmin command in Terminal to limit the number of SMB processes. For more information, see the file services chapter of the command-line administration guide.

Managing logging for Windows services
You can use Server Admin to choose the level of detail of the Windows services logs.
To specify log contents:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Logging (near the top).
3 Choose an option from the "Log Detail Level" pop-up menu to set the level of detail you want, then click Save. The more detailed the logging, the larger the log file.
The following table shows the level of detail for each option. Note that user connection failures are not recorded at Low, so choose at least Medium if you want to detect failed logons.

Events logged                 Low   Medium   High
Warnings and errors           Yes   Yes      Yes
Service start and stop              Yes      Yes
User connection failures            Yes      Yes
Browser name registrations          Yes      Yes
File access events                           Yes

From the command line
You can also change the Windows services logging settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Managing advanced Windows services settings
You can use the Advanced pane of the Windows services settings in Server Admin to choose the client code page, set the server up as a workgroup or domain master browser, specify the server's WINS registration, and enable virtual share points for user home directories.

Changing the Windows code page
You can use Server Admin to change the code page, which determines the character set used for Windows services.
To change the Windows code page:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Advanced.
3 From the "Code Page" pop-up menu, choose the character set that clients will use, then click Save.
From the command line
You can also change the Windows code page using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Enabling Windows domain browsing
If no Microsoft server on your subnet or network controls domain browsing, you can use these options to limit browsing to a single subnet or allow it across the whole network.
To enable domain browsing:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Advanced.
3 Next to Services, select Workgroup Master Browser, Domain Master Browser, or both.
Select Workgroup Master Browser to let your clients browse for servers on a single subnet. Select Domain Master Browser to let your clients browse for servers across your whole network (multiple subnets).
4 Click Save.
From the command line
You can also change the Windows domain browsing settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

Registering with a WINS server
WINS (Windows Internet Naming Service) maps server names to IP addresses. You can either use your server as the local name resolution server or register with an external WINS server.
To register your server with a WINS server:
1 Open Server Admin and select Windows in the Computers & Services list.
2 Click Settings, then click Advanced.
3 Select one of the options under WINS Registration.
Choose "Off" to prevent your server from registering with any external WINS server or local name resolution server.
Select "Enable WINS server" to have the file server provide local name resolution services. This lets clients on several different subnets perform name and address resolution. NetBIOS name registration is not authenticated, so once this is on any host that can reach the server can register or look up names; enable it only where this server is meant to be the network's name server.
Choose "Register with WINS server" if your clients and your Windows server are not on the same subnet and your network has a WINS server. Then enter the IP address or DNS name of the WINS server.
4 Click Save.

From the command line
You can also change the WINS settings using the serveradmin command in Terminal. For more information, see the file services chapter of the command-line administration guide.

6 Solving Problems With Windows Services

If you run into problems using the Windows services of Mac OS X Server, you will probably find the solution in this chapter. Problems are listed in the following categories:
• Problems with a primary domain controller
• Problems with Windows file service
• Problems with Windows print service

Problems With a Primary Domain Controller
Problems with a primary domain controller (PDC) can have several causes.

User can't log in to the Windows domain
• Make sure the user account is configured to use Open Directory authentication. If the user account was created in an earlier version of Mac OS X Server (version 10.1 or earlier) and is still configured to use Authentication Manager (crypt password), change the account to use Open Directory authentication.
• Make sure the workstation has joined the PDC's domain.

Windows user has no home directory
• Make sure the correct home directory location is selected in the Home pane of Workgroup Manager.
• Make sure the home directory path is correct in the Windows pane of Workgroup Manager.
• Use Server Admin to connect to the server where the user's home directory resides. Select Windows in the Computers & Services list, click Advanced, and make sure the "Enable virtual share points" option is selected.
• The drive letter chosen for the user may conflict with a drive letter already in use on the Windows workstation. Solution: change the drive letter in the Windows pane of Workgroup Manager, or change the other drive letter mappings on the workstation.

Windows user's profile settings have reverted to their defaults
• Make sure the correct home directory location is selected in the Home pane of Workgroup Manager.
• Make sure the home directory path is correct in the Windows pane of Workgroup Manager.
• The drive letter chosen for the user may conflict with a drive letter already in use on the Windows workstation. Solution: change the drive letter in the Windows pane of Workgroup Manager, or change the other drive letter mappings on the workstation.

Windows user loses the contents of the My Documents folder
• Make sure the correct home directory location is selected in the Home pane of Workgroup Manager.
• Make sure the user profile path is correct in the Windows pane of Workgroup Manager. The contents of My Documents are stored in the user profile.
• The drive letter chosen for the user may conflict with a drive letter already in use on the Windows workstation. Solution: change the drive letter in the Windows pane of Workgroup Manager, or change the other drive letter mappings on the workstation.

Problems With Windows File Service
You can solve some common problems with Windows file service and with file services in general.

User can't authenticate for Windows file service
If a user can't authenticate for Windows file service, make sure the user account is configured to use Open Directory authentication. If the user account was created in an earlier version of Mac OS X Server (version 10.1 or earlier) and is still configured to use Authentication Manager, change the account to use Open Directory authentication. You can do this in the Advanced pane of a user account window in Workgroup Manager.

User doesn't see the Windows server in the Network Neighborhood
• Make sure the user's computer is correctly configured for TCP/IP and has the appropriate Windows networking software installed.
• Go to the DOS prompt on the client computer and type "ping IP address", where IP address is your server's address. If the ping fails, there is a TCP/IP network problem.
• If the user's computer is on a different subnet from the server, try the following:
• Make sure the "Enable WINS server" option is selected, or that the "Register with WINS server" option is selected and correctly configured. These options are in the Settings pane of Windows services in Server Admin.
• On the Windows computer, choose View > Refresh to force Windows to discover recently added network resources; otherwise this can take several minutes.
• On the Windows computer, map a Mac OS X Server share point to a drive letter. To do this, open Network Neighborhood and choose Tools > Map Network Drive.
Note: if the Windows computers are correctly configured for networking and are connected to the network, client users can connect to the Mac OS X Server Windows file service even if the server's icon does not appear in the Network Neighborhood window.

General File Service Problems
For possible solutions to the following file service problems, see the troubleshooting chapter of the file services administration guide.
• Can't find a shared item
• Can't see the contents of a share point
• Can't find a volume or directory to use as a share point

Problems With Windows Print Service
You can solve some common problems with Windows print service and with print services in general.

Windows users can't print
If Windows NT 4.x clients can't print to the server, make sure the queue name is not the same as the TCP/IP address of the printer or the server. Use the DNS host name instead of the printer's or server's address; if there is none, type a queue name containing only letters and digits. An SMB print queue name must not exceed 15 characters.

General Print Service Problems
For other possible problems and solutions, see the troubleshooting chapter of the print service administration guide.
• Print service won't start
• Clients can't add a queue
• Jobs in a print queue don't print
• Print queue becomes unavailable

Glossary

Active Directory  The directory service of Microsoft Windows 2000 and 2003 servers.
administrator  A user with server or directory domain administration privileges. Administrators are always members of the predefined "admin" group.
IP address  A unique numeric address that identifies a computer on the Internet.
authentication  The process of certifying a user's identity, typically by validating a user name and password.
Authentication usually precedes the authorization process that determines the user's level of access to a resource. For example, file service authorizes full access to folders and files owned by an authenticated user.
authorization  The process by which a service determines whether it should allow a user access to a resource and how much access to grant. Authorization usually follows an authentication process that proves the user's identity. For example, file service authorizes full access to folders and files owned by an authenticated user.
permissions  Settings that define the kind of access users have to shared items. You can assign four types of access permissions to a share point, folder, or file: read and write, read only, write only, and none (no access).
BSD (Berkeley Software Distribution)  A version of UNIX, on which Mac OS X software is based.
computer account  A list of computers that share the same preference settings and are available to the same users and groups.
directory domain  A specialized database that stores reference information about users and network resources needed by system software and applications. The database is optimized to handle many requests for information and to find and retrieve information quickly. A directory domain may also be called a directory node or simply a directory.
local domain  A directory domain that can be accessed only from the computer on which it resides.
print queue  An orderly waiting area where print jobs wait until a printer is available. The print service in Mac OS X Server uses print queues on the server to facilitate management.
FTP (File Transfer Protocol)  A protocol that allows computers to transfer files over a network. FTP clients whose operating system supports FTP can connect to a file server and download files, depending on the access permissions they have. Most Internet browsers and a number of freeware applications can be used to access an FTP server.
group  A collection of users who have similar needs. Groups simplify the administration of shared resources.
workgroup  A set of users for whom you define preferences and group permissions. Any preferences you define for a group are stored in its group account.
IP (Internet Protocol)  Also known as IPv4. A method used with Transmission Control Protocol (TCP) to send data between computers over a local network or the Internet. IP delivers the packets of data, while TCP keeps track of those packets.
LDAP (Lightweight Directory Access Protocol)  A standard client-server protocol for accessing a directory domain.
Mac OS X  The latest version of the Apple operating system. Mac OS X combines the reliability of UNIX with the ease of use of Macintosh.
Mac OS X Server  A powerful server platform that natively supports Mac, Windows, UNIX, and Linux clients and provides a suite of scalable workgroup and network services plus advanced remote management tools.
NetBIOS (Network Basic Input/Output System)  A program that allows applications on different computers to communicate within a local area network.
NetInfo  One of the Apple protocols for accessing a directory domain.
Open Directory  The Apple directory services architecture, which can access reference information about users and network resources from directory domains that use the LDAP, NetInfo, or Active Directory protocols; BSD configuration files; and network services.
open source  A term for the cooperative development of software by the Internet community. The basic principle is to involve as many people as possible in writing and debugging code by publishing the source code and encouraging the formation of a large community of developers who submit modifications and enhancements.
code page  Defines extensions to the character set for Microsoft Windows. The base character set, defined by ASCII (American Standard Code for Information Interchange), maps the letters of the Latin alphabet, digits, punctuation, and control characters to the numbers 0 through 127. A code page maps additional characters, such as the accented letters of a particular language or symbols, to the numbers 128 through 255.
share point  A folder, hard disk (or hard disk partition), or CD that is accessible over the network. A share point is the point of access at the top level of a group of shared items. Share points can be shared using the AFP, Windows SMB, NFS (an "export"), or FTP protocols.
protocol  A set of rules that determines how data is exchanged between two applications.
AFP (Apple Filing Protocol)  A client/server protocol used by Apple file service on Macintosh and compatible computers to share files and network services. AFP uses TCP/IP and other protocols to communicate between computers on a network.
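To show why the code page setting in the Advanced pane (and the code page glossary entry above) matters, here is an added example that is not part of the Apple guide. It uses Python's built-in codecs and assumes the server encodes file names with one single-byte code page while a client decodes them with another; the code page names cp850 and cp1252, the sample file names, and the choice to replace unencodable characters with "?" are my own assumptions for illustration.

```python
# Added example (not from the Apple guide). A file name crosses the wire as
# bytes. If the server encodes it with one code page and the client decodes
# it with another, every byte in the 128-255 range is misread, while bytes
# 0-127 (ASCII) are identical in every code page and survive unchanged.

def encode_name(name: str, code_page: str) -> bytes:
    """Bytes an SMB server using `code_page` would send for `name`.
    Characters the code page cannot represent become '?' (assumption)."""
    return name.encode(code_page, errors="replace")


def decode_name(raw: bytes, code_page: str) -> str:
    """Name a client configured for `code_page` would display for `raw`."""
    return raw.decode(code_page, errors="replace")


def as_seen_by_client(name: str, server_cp: str, client_cp: str) -> str:
    """Round-trip a name through mismatched server and client code pages."""
    return decode_name(encode_name(name, server_cp), client_cp)


def is_code_page_safe(name: str) -> bool:
    """True if the name uses only the ASCII range shared by all code pages."""
    return all(ord(ch) < 128 for ch in name)


def check_names(names, server_cp: str, client_cp: str) -> dict:
    """Map each name that would be mangled to what the client would show."""
    mangled = {}
    for name in names:
        seen = as_seen_by_client(name, server_cp, client_cp)
        if seen != name:
            mangled[name] = seen
    return mangled


if __name__ == "__main__":
    # Constructed share listing: one ASCII name, three with accented letters.
    listing = ["Budget.xls", "Résumé.doc", "Straße.txt", "Niño.pdf"]
    print("server cp850, client cp1252:", check_names(listing, "cp850", "cp1252"))
    print("server cp1252, client cp850:", check_names(listing, "cp1252", "cp850"))
    print("server cp850, client cp850: ", check_names(listing, "cp850", "cp850"))
```

Run it and the accented names come back as punctuation or unrelated capitals while "Budget.xls" is untouched, which is the symptom of a code page chosen for the server that does not match what the clients use. The fix is the Server Admin setting above, not renaming files; `is_code_page_safe` only tells you which names would be immune to the mismatch.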
home directory  A folder for a user's personal use. Mac OS X also uses the home directory, for example, to store system preferences and managed user settings for Mac OS X users.
NFS (Network File System)  A client/server protocol that uses TCP/IP to allow remote users to access files as though they were on their own disk. NFS exports shared volumes to computers according to IP address, rather than user name and password.
SMB (Server Message Block)  A protocol that allows client computers to access files and network services. It can be used over TCP/IP, the Internet, and other protocols. Windows services use SMB to provide access to servers, printers, and other network resources.
subnet  A grouping of client computers on the same network, organized by physical location (different floors of a building, for example) or by usage (all the students in a class, for example). Using subnets simplifies administration.
TCP (Transmission Control Protocol)  A method used with Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual delivery of the data, while TCP keeps track of the individual units of data (called "packets"). Each message is broken into several units for efficient routing through the Internet.
guest user  A user who can log in to your server without providing a user name or password.
WINS (Windows Internet Naming Service)  A name resolution service used by Windows computers to map client names to IP addresses.
A WINS server can be on the local network or on the Internet.
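The "Windows users can't print" entry in the troubleshooting chapter gives three rules for an SMB print queue name: it must not equal the TCP/IP address of the printer or the server, it should contain only letters and digits when no DNS host name is available, and it must not exceed 15 characters. The following is an added example, not part of the Apple guide, that checks a proposed queue name against those rules before you create the queue. It assumes the 15-character limit is the NetBIOS name length (the 16th byte of a NetBIOS name is reserved for the name-type suffix) and that you pass in the printer and server addresses yourself; the function names and the sample names are my own.

```python
# Added example (not from the Apple guide): validate an SMB print queue
# name against the constraints in the "Windows users can't print" entry.
import ipaddress
import re

# Assumption: the 15-character limit is the NetBIOS name length; the 16th
# byte of a NetBIOS name carries the name-type suffix, so it is not usable.
MAX_NETBIOS_NAME = 15
LETTERS_AND_DIGITS = re.compile(r"^[A-Za-z0-9]+$")


def looks_like_ip(name: str) -> bool:
    """True if the name is literally an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def validate_smb_queue_name(name: str, device_addresses=()) -> list:
    """Return a list of problems with `name`; an empty list means it is fine.

    device_addresses: the printer's and the server's IP addresses as strings.
    The guide says the queue name must not duplicate either of them.
    """
    problems = []
    if not name:
        return ["empty name"]
    if len(name) > MAX_NETBIOS_NAME:
        problems.append(f"longer than {MAX_NETBIOS_NAME} characters ({len(name)})")
    if not LETTERS_AND_DIGITS.match(name):
        problems.append("contains characters other than letters and digits")
    if looks_like_ip(name):
        problems.append("name is an IP address")
    if name in set(device_addresses):
        problems.append("same as a printer or server address")
    return problems


def suggest_queue_name(dns_hostname: str) -> str:
    """Derive an acceptable queue name from a DNS host name: keep the first
    label, drop anything that is not a letter or digit, cut to the limit."""
    label = dns_hostname.split(".")[0]
    cleaned = "".join(ch for ch in label if ch.isalnum())
    return cleaned[:MAX_NETBIOS_NAME]


if __name__ == "__main__":
    # Constructed sample: a printer at 192.168.1.20 served by 192.168.1.5.
    addresses = ["192.168.1.20", "192.168.1.5"]
    for candidate in ["192.168.1.20", "Printer Room 2", "ACCOUNTINGPRINTER1",
                      "LASERJET4050", suggest_queue_name("lj4050-2.example.com")]:
        print(f"{candidate!r}: {validate_smb_queue_name(candidate, addresses) or 'ok'}")
```

A name that fails several rules reports each of them, which is why the bare IP address above produces three findings; the DNS-derived suggestion passes because hyphens and the domain suffix are stripped before the length check.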
iBook User's Guide (034-2095-A, 11/28/01)

To get started using your iBook, plug in the power adapter and connect a phone cord from a wall jack to the modem port. Then press the power button and follow the onscreen guide to connect to the Internet.

Read on to learn more about using your iBook:
• Your iBook at a glance
• Mac OS X basics
• What you can do with your iBook
• Listen to music on your computer or on the go
• Make your own movie or watch a movie on DVD
• Search the Internet
• Get more out of the Internet
• Send and receive email
• Organize, plan, and create
• Keep your iBook's software up-to-date
• Learn more and solve problems
• Install memory and an AirPort Card
• Work more comfortably
• Safety and cleaning

Your iBook at a glance
Your computer has these built-in features:
Volume and brightness controls  Adjust sound volume and screen brightness.
Two built-in stereo speakers  Listen to music, movies, games, and multimedia.
Optional AirPort wireless Internet and networking (underneath keyboard)  Using the optional AirPort Card, you can connect to the Internet, use email, share files, play network games, and more, without any wires to hold you down.
Sleep indicator light  Pulsating light indicates that the computer is in sleep.
Built-in microphone  Record sound or control your computer with spoken commands.
Power button  Turn your computer on, put it to sleep, or shut it down.
Media Eject (F12) key  Press and hold to eject a CD or DVD or to open the optical drive tray.
Power adapter connector  Plug in the power adapter (included) to recharge your iBook's battery.
Optical disc drive  Install and run software or listen to music CDs. Play DVD videos if you have the DVD/CD-RW or Combo drive, or create your own CDs if you have the CD-RW or Combo drive.
Kensington security slot  Attach a lock and cable to prevent theft.
Modem  Connect to the Internet, browse the World Wide Web, and send and receive electronic mail.
Ethernet  Share files with another computer or access a computer network.
FireWire  Connect a digital video camera and use it to create your own desktop movies. You can also connect FireWire hard disks, printers, and more.
USB  Connect printers, Zip and other disk drives, digital cameras, joysticks, and more.
VGA port  Connect an external monitor (using the included Apple VGA Display Adapter).
Reset button  Use during troubleshooting to restart your computer.
Audio/video port  Connect headphones or external speakers. Connect a TV or video projector using the optional Apple AV cable.
Battery level indicator (underneath)  When you press the button on the battery, one to four lights glow to show how much charge is left.
To learn more about your iBook's features: choose Mac Help from the Help menu. Then click Go under "iBook at a glance."

Mac OS X basics
The Macintosh desktop is your starting place.
Finder icon  Click to open a Finder window so you can see the files and applications on your computer.
Window buttons  Click the red button to close the window, the yellow one to minimize it into the Dock, and the green one to resize it.
Apple menu  Use to change system settings, open recent items, and restart or shut down your computer. To see the menu, click the apple in the menu bar.
View buttons  Click to see your files as icons, in lists, or in columns.
Toolbar button  Click to show or hide the toolbar.
Toolbar icons  Click to navigate quickly to different folders. Your home folder contains your personal documents.
Trash  Drag an item here to delete it. Items remain here until you choose Empty Trash from the Finder menu.
To learn more about Mac OS X: see the Welcome to Mac OS X document in the Documents folder on your hard disk.
Modem status  Use this menu to connect to and disconnect from the Internet using a dialup modem.
Dock  Click icons in the Dock to open applications, documents, folders, or minimized windows.
Application menu  Shows the name of the application you're using. Use to set preferences or quit applications (other than the Finder).
Document  Documents are files that you create with an application (such as a letter you create with your word processor). Double-click the icon to open the file in the application used to create it.
Folder  Folders help organize your files and applications. Double-click a folder to see what's inside.
Disc  This appears when a CD or DVD is in the disc drive. Double-click the icon to see what's on the disc. To eject a disc, press and hold the Media Eject key on the keyboard.
Application  Applications are software programs (such as a game or word processor) that you use with your computer. Double-click an application's icon to open the application.

Change the Mac OS to suit your preferences.
There are lots of ways to customize Mac OS X. To change the size of the Dock or move it to a different place, open System Preferences and click Dock. To change Finder settings, choose Preferences from the Finder menu. To change icon sizes or the background of a Finder window, choose Show View Options from the View menu. Choose System Preferences from the Apple menu to change most of your computer's settings. To select a desktop background picture, open System Preferences and click Desktop.

Click the icons in the Dock or toolbar to find and open files and applications.
The triangle indicates the application is open. Drag this bar up or down to resize the Dock. Drag applications, files, and folders into the Dock for one-click access. This side of the Dock shows application icons. To set up the toolbar the way you want it, choose Customize Toolbar from the Finder's View menu, then drag items to the toolbar. Press a folder icon to see its contents and open items in it. This side of the Dock shows files, windows, and folders.

What you can do with your iBook
Not sure how to get the most out of your new iBook? Read on for a few ideas.
Make your own CDs. Use iTunes to transfer music from your CD collection. If your iBook has a CD-RW or Combo drive, burn your own music CDs. Transfer music to an iPod or other MP3 player to listen on the go.
Make a movie. Shoot video on a DV camcorder and import it into iMovie. Then rearrange, edit, polish, and add titles and soundtracks.
Connect to the Internet to send email and browse the Web, or use iTools to post digital photos to the Web for everyone to see. Browse through the next few pages to find out more.
The iBook is your digital hub: send digital photos to friends and family, watch DVD movies, listen to music and burn your own CDs, send email and surf the 'Net, import and edit homemade movies, put 1,000 songs in your pocket.

Listen to music on your computer or on the go.
Use iTunes to create a library of music and make your own CDs.
Library  Your collection of songs, imported from your own audio CDs or downloaded from the Internet. Easily browse or search for music.
Radio Tuner  Choose from hundreds of Internet radio stations: jazz, rock, talk, and more.
Audio CDs  Play an audio CD on your computer. Import songs to your Library to play them without the CD.
Burn CDs  If your iBook has a CD-RW or Combo drive, make your own audio CDs that play in standard CD players.
To learn more about iTunes: see iTunes Help, available in the Help menu, or go to www.apple.com/itunes
Playlists  Make personalized playlists using songs from your Library. Arrange your music by mood, artist, genre, or however you like.
Equalizer  Adjust the sound to your tastes using the 10-band EQ with 22 presets.

If you have an iPod, you can transfer up to 1,000 songs.
1. Connect iPod using the FireWire cable included with iPod. iTunes automatically transfers your music Library to iPod.
2. Unplug iPod.
3. Browse for a song on iPod and press the Play button.
To learn more about iPod: open iTunes and choose iPod Help from the Help menu, or go to www.apple.com/ipod

Make your own movie or watch a movie on DVD.
Use iMovie to edit video from a digital video camera. Shoot video with a digital video camera, then connect the camera using a 6-pin to 4-pin FireWire cable and import your clips.
Playback controls  Use these to play the movie in the iMovie monitor. Click the Play Full Screen button to use the entire screen.
iMovie monitor  Preview your movie or view video from a connected DV camera.
Viewers  Click the clip viewer (eye tab) to edit and place clips. Click the timeline viewer (clock tab) to edit sound.
Editing buttons  Click to open panels for adjusting and selecting sounds, video effects, titles, and transitions.
Shelf  Clips appear here when you import them. Move clips to the viewer to make them part of your movie.
You can export your finished movie to a tape in your DV camera or to a QuickTime file.
To learn more about iMovie: open iMovie and choose iMovie Help from the Help menu. Go to www.apple.com/store to find compatible DV cameras or to purchase a FireWire cable.

If your computer has a DVD drive or Combo drive, you can watch DVD movies.
1. Insert a DVD video disc. DVD Player opens automatically.
2. Use the controller to play the movie or see the DVD's special features.
To learn more about DVD Player: choose DVD Player Help from the Help menu.

Search the Internet.
If you know the Internet address, you can go there directly.
Click the icon in the Dock to open Internet Explorer. To learn more about Internet Explorer: m Open Internet Explorer and choose Internet Explorer Help from the Help menu. 2. Type the Internet address and press Return on your keyboard. . If you have a dialup connection, you can use the modem status icon (W) to connect to and disconnect from the Internet. 1 215 1 1. Click the icon in the Dock to open Sherlock. 2. Click the Internet icon and type a question in the search field. 3. Click the Search button ( ). Then double-click an item in the list of sites. . Click the other buttons to find people, read the news, shop, and more. . Click the hard disk icon to search the files on your computer. Or you can search the Internet with Sherlock. 2 316 Get more out of the Internet with iTools. iTools is a suite of Internet services integrated into Mac OS X. iDisk Your own storage space on Apple’s Internet server. Share photos, movies, and other files over the Internet. Access your files from another Macintosh or PC. HomePage Build a personal Web site in three easy steps. Create a photo album, publish an iMovie, post your résumé, and more. Anyone can view your site on the World Wide Web. iCards Send an elegant iCard, just right for any occasion. Choose a ready-made photo, or create a personalized iCard using a photo on your iDisk. Email Get your own Mac.com email address. It’s easy and works with your favorite email application. To learn more about iTools: m Go to www.apple.com/itools and click Help on the iTools menu bar. . If you signed up for iTools when you first turned on your computer, you already have an account. Go to www.apple.com/itools to get started. . To sign up for a new iTools account, open System Preferences and click Internet. Then click Sign Up.17 Store pictures, movies, documents, and other files remotely. 1 2 2. Drag files to a folder on your iDisk 1. to copy them. Choose iDisk from the Go menu. . 
To access your files from another computer, log into your iTools account at www.apple.com/itools . Anyone can access the files in your Public folder. . To find out how to use pictures and other files from your iDisk to create a personal Web site, go to www.apple.com/itools and click the HomePage icon. 18 Send and receive email. Follow these steps to create and send a message. 1 1. Click the Mail icon in the Dock to open the Mail application. . To check for new messages, click Get Mail. To view a message, click its subject. . If you entered email information or got a Mac.com account when you first turned on your computer, Mail is already set up. To set up a new email account, choose Preferences from the Mail menu, then click Accounts.19 To learn more about Mail: m Open Mail, then choose Mail Help from the Help menu. m Go to www.apple.com/macosx/applications/ mail.html 2 3 2. To create a new email message, click Compose. 3. Type the email address and a subject. Then type your message and click Send.20 Organize, plan, and create using AppleWorks. Use AppleWorks for writing, drawing, making presentations, and more. Layout capabilities Add photos, tables, charts, and sidebars. Link text frames, layer graphics, and wrap text. Word processing Write letters, create brochures, make greeting cards and party invitations. Presentation tool Create an onscreen slide presentation. Add movies, art, graphs, and charts. Database Keep records, save addresses, make inventories. Merge mailing information with the word processor to send form letters. Customizable templates Choose from a wide range of predesigned documents and modify them as needed. Spreadsheet Compute data easily using over 100 built-in functions, then use formatting options to make it stand out. Painting Create art from scratch or apply effects to existing pictures or scanned photos. Extensive clip art libraries Choose from over 25,000 high-quality clip art images.21 . 
Click the Web tab to download more templates from the Internet. To learn more about AppleWorks: m See AppleWorks Help, available in the Help menu. m Go to the AppleWorks Web site at www.apple.com/appleworks 1. Click the icon in the Dock to open AppleWorks. 2. Click the type of document you want to create, or click the Templates tab to modify a ready-made document. To get started using AppleWorks: 1 222 Keep your iBook’s software up-to-date. Use Software Update to get the latest updates and drivers. 1. Click the icon in the Dock to open System Preferences. 2. Click Software Update. 1 2 . To use Software Update, you must have an Internet connection.23 3. Then click Update Now. 4. Select the software you want to update and then click Install. 3 4 . Click the name of a software item to learn more about it. . You can schedule your computer to check automatically for software updates.24 Learn more about using your computer. Look in Mac Help for more information on using your computer. 1 1. Click the Finder icon in the Dock. 2. Then choose Mac Help from the Help menu. 3. Type a question and click Ask. 4. Click an item in the list of Help topics. . To browse the features of your computer, click Go under “At a glance.” . Click Quick Clicks topics for answers to frequently asked questions. . To look at Help for other applications, click the ? button. 2 3 425 These Apple Web sites will help you get the most out of your computer. Apple Service and Support www.apple.com/support Product support, software updates, and technical information. Apple Store www.apple.com/store Purchase the latest Apple and third-party hardware, software, and accessories. Macintosh Products Guide www.apple.com/guide For great hardware and software products for your Mac, check the Web site or look for the Mac symbol. Also get contact and support information for third-party software manufacturers. . 
From these Web sites you can quickly link to other Apple Web sites around the world.26 If you don’t find the answer to your problem on the following pages: Look in Mac Help. m In Mac Help (see page 24), you can find a great deal of troubleshooting advice, including information to help you solve problems with m Connecting to the Internet m Using software installation and restore discs m Changing your computer’s settings m Printing m And more m Click the Finder icon in the Dock, then choose Mac Help from the Help menu. Type a question in the search window (for example, type “How do I eject a disc?”) and click Ask. Switching between Mac OS X and Mac OS 9 Your iBook is set to use Mac OS X. Most applications made for Mac OS 9 will work in the Mac OS X Classic environment. Just open the application as you normally would. You can also start up your computer using Mac OS 9. To set your computer to use Mac OS 9: m Choose System Preferences from the Apple (K) menu in Mac OS X. m Click the Startup Disk icon to open the Startup Disk pane. m Select the Mac OS 9 folder as your startup disk. If the icons are dimmed, click the padlock icon and enter the password you chose when you first set up Mac OS X. m Click Restart. To set your computer to use Mac OS X again: m Choose Control Panels from the Apple (K) menu. m Open the Startup Disk control panel. m Click the triangle next to the hard disk that contains your operating system folders. m Select the Mac OS X System as your startup disk. m Click Restart. Advice and troubleshooting27 If the computer won’t respond: Try to cancel what the computer is doing. m Try to force problem applications to quit. Hold down the Option and Command (x) keys, then press the Esc key. Select the application and click Force Quit. If that doesn’t work, restart the computer. m Hold the Power button for several seconds. When the computer turns off, press the Power button again to restart it. 
• If that doesn’t work, hold down the Control and Command (⌘) keys and then press the Power button.
• If that doesn’t work, gently press the Reset button by inserting the end of a paper clip into the small hole above the audio/video port, wait a few seconds, and then press the Power button.
Then do this:
If the problem occurs frequently when you use a particular application:
• Check with the application’s manufacturer to see if it is compatible with your computer.
• For support and contact information about the software that came with your computer, go to www.apple.com/guide
If the problem occurs frequently:
• You may need to reinstall your system software. Choose Mac Help from the Help menu and type “install system software” for more information.

If you see a flashing question mark during startup:
If the computer doesn’t start up after a delay, hold down the Option key and restart your computer.
• When your computer starts up, click the hard disk icon, then click the arrow.
Then do this:
After the computer starts up:
• Open System Preferences and click Startup Disk. Select a local Mac OS X System folder.
If the problem occurs frequently:
• You may need to reinstall your system software. Choose Mac Help from the Help menu and type “install system software” for more information.

If the computer won’t turn on or start up:
First, make sure the power adapter is plugged into the computer and into a functioning power outlet.
• Your battery may need to be recharged. Press the small button on the battery. One to four lights glow indicating the battery’s level of charge.
If that doesn’t work or if you hear a strange sound during startup:
• If you recently installed additional memory, make sure that it is correctly installed. Try removing the memory; if the computer starts up normally, the memory is not compatible with your computer.
• If that doesn’t work, gently press the Reset button by inserting the end of a paper clip into the small hole above the audio/video port, wait a few seconds, and then press the Power button.
• See the service and support information that came with your iBook for information on having your computer serviced.

If you can’t log into your computer:
Make sure you are typing your user name and password correctly.
• Make sure you are using the same capitalization and punctuation that you used originally. Check to see if the Caps Lock key has been pressed.
If that doesn’t work, reset your password.
• Insert the Mac OS X software install CD that came with your computer. Restart your computer while holding down the C key. When the Installer appears, choose Reset Password from the Installer menu and follow the onscreen instructions.

If you can’t eject a CD or DVD or open the optical drive tray:
Make sure the disc is not in use.
• Quit all applications that are using files on the disc.
• Then press the Media Eject key at the top-right corner of the keyboard.
• If that doesn’t work, hold down the function (fn) key and press the Media Eject key.
• If that doesn’t work, drag the disc’s icon to the Trash.
• If that doesn’t work, restart the computer, then hold down the mouse button. To restart, choose Restart from the Apple menu.
If the disc still won’t eject, eject it manually:
• Carefully insert the end of a straightened paper clip into the emergency eject hole on the drive tray.

Other problems:
If you have a problem with your Internet connection:
• Make sure the telephone line is connected to the modem port and the line is functioning properly.
If that doesn’t work, make sure your Internet settings are configured correctly.
• Open the Internet Connect application in the Applications folder to check your dialup or AirPort settings. Open System Preferences and click Network to check your Internet settings.
• If you’re not sure of the correct information for your Internet settings, contact your Internet service provider.
If you have a problem connecting other devices:
• Make sure that the device is properly connected. Try unplugging and plugging in the device again.
• Check to see if the device has software that needs to be installed.
• If that doesn’t work, contact the device manufacturer.
If you have a problem with an application:
• For problems with software, contact the software manufacturer.
• For support and contact information about the software that came with your computer, go to www.apple.com/guide
If you didn’t find the information you were looking for on this page:
• Look in Mac Help. Click the Finder icon in the Dock, then choose Mac Help from the Help menu. Type a question in the search window (for example, type “How do I eject a disc?”) and click Ask.
If you suspect there may be a problem with your computer hardware:
• You can use the Apple Hardware Test CD to help you determine if there is a problem with one of your computer’s components, such as the memory or processor.

Install memory and an AirPort Card.
For detailed instructions, refer to Mac Help (see page 24).
1. Shut down your computer. Then disconnect the power adapter and phone cord. Turn the computer over and remove the battery.
2. Release the keyboard by sliding the two plastic tabs away from the display. Then lift the keyboard, flip it over, and lay it on the palm rests.
3. If necessary, remove the metal clip and pull the AirPort Card from the adapter. The adapter is not used with the iBook.
4. Touch a metal surface inside the computer. Flip up the wire bracket and connect the end of the antenna to the AirPort Card.
5. Slide the AirPort Card (with the AirPort ID and barcode facing up) under the wire bracket and into the slot.
6. Press the wire bracket down to secure the card. Then replace the keyboard and battery.
• If the keyboard doesn’t pop up, it may be locked. Locate the plastic tab next to the Num Lock key. Use a small flathead screwdriver to turn the screw counter-clockwise 1/2 turn.

Add additional memory.
1. Shut down your computer. Then disconnect the power adapter and phone cord. Turn the computer over and remove the battery.
2. Release the keyboard by sliding the two plastic tabs away from the display. Then lift the keyboard, flip it over, and lay it on the palm rests.
3. If necessary, remove the AirPort Card.
4. Remove the two screws that secure the RAM shield, then carefully lift it out.
5. Insert the RAM into the slot at an angle and press down to lock it in place. Replace the RAM shield and AirPort Card (if necessary).
6. Replace the keyboard and battery.
• Your iBook has one expansion slot that accepts a standard PC-100 compliant, SO-DIMM memory module (1.25-inch or shorter). For more information on installing memory, look in Mac Help, available in the Help menu.
• If the keyboard doesn’t pop up, it may be locked. Locate the plastic tab next to the Num Lock key. Use a small flathead screwdriver to turn the screw counter-clockwise 1/2 turn.
• To prevent scratching, place a soft cloth between the AirPort Card and the iBook case.
• If you already have a memory card installed, remove it first.
• For more information on the type of memory to use with your computer, choose Mac Help from the Help menu. Then type “memory” and click Ask.
• Never turn your computer on unless all of its internal and external parts are in place.

Work more comfortably
Keyboard and trackpad
When you use the keyboard and trackpad, your shoulders should be relaxed. Your upper arm and forearm should form an angle that is slightly greater than a right angle, with your wrist and hand in roughly a straight line. Use a light touch when typing or using the trackpad and keep your hands and fingers relaxed. Avoid rolling your thumbs under your palms. Change hand positions often to avoid fatigue. Some computer users may develop discomfort in their hands, wrists, or arms after intensive work without breaks. If you begin to develop chronic pain or discomfort in your hands, wrists, or arms, consult a qualified health specialist.
Chair
An adjustable chair that provides firm, comfortable support is best. Adjust the height of the chair so your thighs are horizontal and your feet flat on the floor. The back of the chair should support your lower back (lumbar region). Follow the manufacturer’s instructions for adjusting the backrest to fit your body properly. You may have to raise your chair so your forearms and hands are at the proper angle to the keyboard. If this makes it impossible to rest your feet flat on the floor, you can use a footrest with adjustable height and tilt to make up for any gap between the floor and your feet. Or you can lower the desktop to eliminate the need for a footrest. Another option is to use a desk with a keyboard tray that’s lower than the regular work surface.
External mouse
If you use an external mouse, position the mouse at the same height as your keyboard and within a comfortable reach.
Built-in display
Adjust the angle of the display to minimize glare and reflections from overhead lights and windows. You can adjust the brightness of the screen when you take the computer from one work location to another, if the lighting in your work area changes.
For more information
For additional ergonomic information, see the Apple ergonomic Web site at www.apple.com/about/ergonomics

Safety and cleaning
When setting up and using your computer, remember the following:
• Read all the installation instructions carefully before you plug your computer into a wall socket.
• Keep these instructions handy for reference by you and others.
• Follow all instructions and warnings dealing with your system.
• Use only the Apple Portable Power Adapter that came with your computer. Adapters for other electronic devices may look similar, but they may damage your computer.
• Always leave space around your power adapter. Do not use this equipment in a location where airflow around the power adapter is confined, such as a bookcase.
• Always disconnect the power adapter, phone line, and any other cables before opening the computer to perform procedures such as installing memory.
• Never turn on your computer unless all of its internal and external parts are in place. Operating the computer with missing parts can be dangerous and damage your computer.
• Do not connect a digital telephone line to the modem, because the wrong type of line could damage the modem.
• When using your computer or when charging the battery, it is normal for the bottom of the case to get warm. The bottom of the computer case functions as a cooling surface that transfers heat from inside the computer to the cooler air outside. The bottom of the case is raised slightly to allow airflow that keeps the unit within normal operating temperatures.
• Keep your computer away from sources of liquids, such as drinks, washbasins, bathtubs, shower stalls, and so on.
• Protect your computer from dampness or wet weather, such as rain, snow, and so on.
Warning: Electrical equipment may be hazardous if misused. Operation of this product, or similar products, must always be supervised by an adult. Do not allow children access to the interior of any electrical product and do not permit them to handle any cables. Never push objects of any kind into this product through the openings in the case. Doing so may result in fire or a dangerous electric shock.

For your own safety and that of your equipment, always disconnect the power plug (by pulling the plug, not the cord), disconnect the phone line, and remove the battery if any of the following conditions exists:
• you want to remove any parts (leave the power cord disconnected as long as the keyboard is open)
• the power cord or plug becomes frayed or otherwise damaged
• you spill something into the case
• your computer is exposed to rain or any other excess moisture
• your computer has been dropped or the case has been otherwise damaged
• you suspect that your computer needs service or repair
• you want to clean the case (use only the recommended procedure)
Important: The only way to disconnect power completely is to unplug the power plug, disconnect the phone cord, and remove the battery. Make sure at least one end of the power cord is within easy reach so that you can unplug the computer when you need to.
Your iBook has a unique appearance and finish that may contain minor imperfections, some of which may increase over time. Exposing your iBook to extreme temperatures or humidity may cause this process to accelerate. Proper care and handling, as described in this manual, will help keep your iBook looking its best.
To clean the case, do the following:
1. Disconnect the power plug and phone cord and remove the battery. (Pull the plug, not the cord.)
2. Wipe the surfaces lightly with a clean, soft cloth.
Warning: Do not use any substance containing isopropyl alcohol. It can damage the case. If necessary, use products made specifically for cleaning computers.
Warning: To avoid damage to your computer, Apple recommends that only an Apple-certified technician install additional RAM or an AirPort Card. Consult the service and support information that came with your computer for instructions on how to contact an Apple-authorized service provider or Apple for service. If you attempt to install additional RAM or an AirPort Card yourself, any damage you may cause to your equipment will not be covered by the limited warranty on your computer. See an Apple-authorized dealer or service provider for additional information about this or any other warranty question.

Communications, Telephone, and Modem Regulation Information
For information on FCC regulations, radio and television interference, and telephone and modem information related to this product, see the files in the Communications Regulations folder, inside the Documents folder on your hard disk.
Laser Information
Warning: Making adjustments or performing procedures other than those specified in your equipment’s manual may result in hazardous radiation exposure. Do not attempt to disassemble the cabinet containing the laser. The laser beam used in this product is harmful to the eyes. The use of optical instruments, such as magnifying lenses, with this product increases the potential hazard to your eyes. For your safety, have this equipment serviced only by an Apple-authorized service provider.
Service Warning Label
Apple Portable Power Adapter
The Apple Portable Power Adapter that comes with your computer is a high-voltage component and should not be opened for any reason, even when the computer is turned off. If your computer needs service, contact your Apple-authorized dealer or service provider.
Battery
Warning: Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to your local environmental guidelines. Do not puncture or incinerate.
High-Risk Activities Warning
This computer system is not intended for use in the operation of nuclear facilities, aircraft navigation or communications systems, or air traffic control machines, or for any other uses where the failure of the computer system could lead to death, personal injury, or severe environmental damage.
iPod Information
The Apple iPod pictured on page 11 of this manual is not included with this product. For more information on iPod, go to www.apple.com/ipod
ENERGY STAR®
As an ENERGY STAR® partner, Apple Computer has determined that standard configurations of this product meet the ENERGY STAR® guidelines for energy efficiency. The United States Environmental Protection Agency’s ENERGY STAR® program is a partnership with office product equipment manufacturers to promote energy efficiency. Reducing energy consumption of office products saves money and reduces pollution by eliminating wasted energy. This information applies to the standard configurations of the computer using the Mac OS X operating system.
Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.
Where’s the fine print? www.apple.com
© 2002 Apple Computer, Inc. All rights reserved. AirPort, Apple, the Apple logo, AppleWorks, FireWire, the FireWire logo, iBook, Mac, the Mac logo, Macintosh, QuickTime, and Sherlock are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder, iMovie, iPod, and iTunes are trademarks of Apple Computer, Inc. ENERGY STAR® is a U.S. registered trademark. Digital imagery copyright 1998 PhotoDisc, Inc.
034-2095-A Printed in Taiwan

New Features in Logic Express 7.2
Apple Computer, Inc.
© 2006 Apple Computer, Inc. All rights reserved.
Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-1) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition.
Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for typographical or printing errors.
Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com
Apple, the Apple logo, Final Cut, Final Cut Pro, FireWire, iBook, iMac, iTunes, Logic, Mac, Macintosh, Mac OS, PowerBook, and QuickTime are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder and GarageBand are trademarks of Apple Computer, Inc. Other company and product names mentioned herein are trademarks of their respective owners. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
LP00002

Contents
Preface  7  New Features in Logic Express 7.2
  8  Overview of Logic Express 7.2 Features
Chapter 1  11  General Improvements
  11  Plug and Play Mode for Audio Interfaces
  11  Interface Changes
  13  Hidden Menu Bars and Scroll Bars in Screensets
  14  New Auto-Hide Dock Preference
Chapter 2  15  Editing Improvements
  15  Key Command Improvements
  19  Changing the Loop Length
  20  Creating Multiple Tracks
  21  Marker Functionality
  22  Automation Tool
  23  Removing Movies
  23  Region Management for the Arrange Window
Chapter 3  25  Working With Audio
  25  Direct Playback of Compressed Audio Files
  26  Using the Follow Tempo Function
  28  Faster Overview Creation
  28  Renaming Split Stereo Files
Chapter 4  29  Working With the Mixer Windows
  29  Using Channel Strip Performances
  31  Multiple Selection of Channel Strips
  32  Bypass State Automation
  33  Support for Stereo ReWire Objects
  34  Hand Tool in the Track Mixer and Arrange Channel Strip
  35  Bouncing Improvements
Chapter 5  39  Importing Files
  39  Importing MIDI Files
Chapter 6  41  Control Surface Support
  41  Support for Additional Control Surfaces
  42  Using the Track Control Bar
  43  New Key Repeat Function
  43  Intermediate Stop at Default Value
  44  Display of Modal Dialogs
  44  Mackie Control Mode Support
  45  Controller Assignments Editor Improvements
Chapter 7  47  Working With Apple Loops
  48  Green and Blue Apple Loops
  49  Adding Apple Loops
  50  Using the Loop Browser
  54  Creating Apple Loops
  69  Global Tracks and Apple Loops
  70  Converting Apple Loops to Audio Files
  71  Apple Loops and Sample Rates
  71  Fading Apple Loops
  72  Apple Loops File Paths
Chapter 8  73  Updated File Paths
  73  Preferences
  73  Song Templates
  74  Plug-in Settings
  75  GarageBand Instruments
  75  Channel Strip Settings
  75  EXSP Instruments
  76  EXSP Sample Conversion
  76  User Icons
  76  Control Surface Plug-ins
  76  Tuning Tables
  76  Default Directories
Chapter 9  77  Plug-in Improvements
  77  Using the AU Manager
  79  Using Plug-in Delay Compensation
  82  Adjusting Plug-in Parameters With the Mouse Wheel
  82  Audio Units Generator Plug-in Support
  83  EXSP24 mkII
  84  GarageBand Instruments
  85  Bass Amp
  87  New Ducker Plug-in
  88  New Speech Enhancer Plug-in
  89  Enhance Timing Effect
  90  Vocal Transformer Effect
  91  Enhance Pitch Effect
  91  Platinum Verb and Tape Delay Mix Slider
  92  Multichannel Audio Units Instrument Support
  92  Conversion of the EVP73, EXSP24, and ET1 Audio Units Plug-ins
Appendix  93  Corrections to the Logic Express 7 Documentation

Preface: New Features in Logic Express 7.2
This document describes the features that are not covered in the Logic Express 7 manuals. It contains detailed information about the improvements and changes included in the Logic Express updates released since Logic Express 7.
Important: The descriptions in this document replace the corresponding sections of the Logic Express 7 manuals!
For late-breaking information about Logic Express 7.2, refer to the “Late-Breaking News” document. This document is published online and may be updated as new information becomes available. You can access the Late-Breaking News document by choosing Help > Late-Breaking News in Logic. To keep up with product updates, tips, and techniques, visit the Logic Express website at http://www.apple.com/fr/logicexpress.
This document combines the descriptions of the new features in Logic Express 7.1 and Logic Express 7.2 with the information from the “Late-Breaking News” documents for Logic Express 7.0 and Logic Express 7.1. This gives you a single, unified reference containing the descriptions of the new features and changes that would otherwise be spread across four separate manuals.
If you are interested only in the changes made since Logic Express 7.1, refer to the following section. It contains a detailed list of the Logic Express 7.2 features. For detailed information about these features and changes, follow the links to the corresponding sections.
The updated documentation also includes a complete chapter on Apple Loops.
Vous y trouverez des informations détaillées concernant tous les sujets relatifs à l’audio dans ce format.8 Préface Nouvelles fonctionnalités de Logic Express 7.2 Vue d’ensemble des fonctionnalités de Logic Express 7.2 Cette section offre une vue d’ensemble des fonctionnalités de Logic Express 7.2. Pour plus d’informations sur ces fonctionnalités et leur utilisation, reportez-vous aux chapitres correspondants de ce document. Lecture des formats de fichier compressés Logic Express 7.2 permet la lecture directe des formats de fichier compressés, tels que AAC. Ces fichiers ne doivent plus être convertis automatiquement lors de l’importation dans Logic. Pour plus d’informations, reportez-vous à la section “Lecture directe des fichiers audio compressés” à la page 25. Performances de bande de canal Logic Express 7.2 vous permet de basculer entre les réglages de bande de canal en envoyant des messages de changement de programme MIDI. Pour plus d’informations, reportez-vous à la section “Utilisation des performances de bande de canal” à la page 29. Basculement de l’état de contournement du logement Insertion Logic Express 7.2 vous permet d’activer ou de désactiver l’état de contournement des logements “Insertion d’objets audio” à l’aide de la valeur 64 du contrôleur MIDI. Pour plus d’informations, reportez-vous à la section “Automatisation de l’état de contournement” à la page 32. Prise en charge des objets ReWire stéréo Logic Express 7.2 prend désormais en charge les objets ReWire stéréo, offrant ainsi plus de souplesse et une utilisation simplifiée des applications ReWired telles que Reason. Pour plus d’informations, reportez-vous à la section “Prise en charge des objets ReWire stéréo” à la page 33. Préférence Masquer automatiquement le Dock Logic Express 7.2 offre une nouvelle préférence qui vous permet de masquer le Dock pendant l’exécution de Logic afin d’agrandir l’espace disponible à l’écran. 
For more information, see “New Auto-Hide Dock Preference” on page 14.

Improved Control Surface Support
Logic Express 7.2 now supports the iControl GarageBand control surface distributed by M-Audio. For information on individual control surface assignments, or on changing the default assignments, see the Control Surfaces Support document, available in the Documentation folder of the Logic Express 7 installation DVD.

Logic Express 7.2 also includes a track control bar: a colored bar that indicates which tracks in the Arrange window are currently being accessed by a control surface. For details, see “Using the Track Control Bar” on page 42.

Logic Express 7.2 offers updated control surface modules that support key repeat (where useful and applicable to the device). When this feature is enabled, the key command triggered by a controller assignment is executed repeatedly for as long as the button or switch is held down. For more information on key repeat, see “New Key Repeat Feature” on page 43.

Key Command Changes
The Logic Express 7.2 update includes the following key command changes:
- Go to Song Start: new
- Remove Movie: new
- Save as Performance: new
- Go to Selection End: new. This Sample Editor key command sets the SPL to the end of the selected section of the audio file.
The “Go to Selection” key command has been renamed “Go to Selection Start”.
For the complete list of key command changes since Logic Express 7.0, see “Key Command Improvements” on page 15.

New Ducker Plug-in
This plug-in automatically reduces the level of a music mix during an announcement (voice-over). Once the announcement has finished, the music automatically returns to its original volume level. Details on using the Ducker plug-in are in the section “New Ducker Plug-in” on page 87.

New Speech Enhancer Plug-in
This plug-in improves the intelligibility and sound of vocal recordings made with built-in Macintosh microphones, such as those in iBooks and PowerBooks. To learn more about using the Speech Enhancer plug-in, read “New Speech Enhancer Plug-in” on page 88.

The Loop Browser Offers New Sound Effect Categories
Logic Express 7.2 ships with a number of additional Apple Loops designed for use as sound effects. These loops are found in the new Sound Effects view of the Loop Browser, which displays new buttons with special tags for effects and jingles. You can switch to this Loop Browser view by clicking the View button with the Bell icon. Clicking the Note icon switches back to the Button view of earlier Logic versions. For more information, see “The Loop Browser Interface” on page 50.

Follow Tempo Option for Apple Loops
The Region Parameter box of looped Apple Loops (not one-shot loops) now offers the Follow Tempo option. If this option is disabled, the Apple Loop does not follow the tempo and key of the song.
For more information on the Follow Tempo option, see “Using the Follow Tempo Function” on page 26. For more information on Apple Loops, see “Working with Apple Loops” on page 47.

The “Faster Overview Calculation” Option Is Saved
Logic now remembers the state of the faster overview calculation option in the overview creation dialog. For more information, see “Faster Overview Creation” on page 28.

Improved AAC Audio Settings Window
Logic Express 7.2 includes an improved, unified AAC Audio Settings window that simplifies the creation of this type of compressed file. For more information, see “Streamlined AAC Audio Settings Window” on page 35.

Support for Up to 32 Mono Outputs for Audio Units Instruments
Logic now supports up to 32 mono outputs for multi-channel Audio Units instruments. For more information, see “Support for Multi-Channel Audio Units Instruments” on page 92.

Chapter 1: General Improvements

This chapter describes all general improvements made since Logic Express 7. These changes streamline and simplify the use and configuration of Logic. They include:
- Plug-and-play mode for audio interfaces
- Interface improvements
- Improvements to preferences and song settings

Plug-and-Play Mode for Audio Interfaces
Logic Express supports plug-and-play mode for audio interfaces, which allows a new or additional audio interface to be connected and activated while Logic is running. An alert appears when you connect a new device, prompting you to select and configure the audio interface/driver you want to use.
Interface Changes
Logic’s interface has been improved in the following areas since the release of Logic Express 7:
- Many dialogs offer additional audio file handling options.
- The menus have been cleaned up; some items have clearer names.
- Parameter checkboxes: parameters that have only two states are displayed as checkboxes.
Read the following sections for details.

Dialog Improvements
A number of changes have been made to the following Logic dialogs:
- Sample Editor: Audio File > Save Selection As, Audio File > Save A Copy As. Both dialogs let you define the sample rate, stereo conversion, and dither type of the destination file. The dialogs also include an “Add resulting file to Audio window” option.
- Audio window: Audio File > Save Region As, Audio File > Copy/Convert File As. Both dialogs offer the file conversion menus described above for the Sample Editor, allowing one or more selected regions/files to be converted or copied. The Copy/Convert File As dialog also contains an “Add resulting file to Audio window” option.
- Arrange window: the Audio > Convert Region to File dialog offers the file conversion menus described above for the Sample Editor.
- The File > Export > Region as Audio File dialog includes the “Add resulting file to Audio window” option.

Menu Changes
The Audio > Audio Settings menu item has been removed, as it duplicated the Logic > Preferences > Audio item.
The Logic > Preferences > Control Surfaces > Scan and Logic > Preferences > Control Surfaces > Install menu items have been moved to the New pop-up menu of the Setup window, which you open via Logic > Preferences > Control Surfaces > Setup. The Matrix Editor’s View > White Background menu item has been renamed View > Light Background. Some file dialogs include additional file conversion settings.

Parameter Checkboxes
All parameters with only two states (for example, on/off) are now switched on and off with checkboxes. Simply click to enable (checked) or disable (unchecked) the parameter. The parameters updated to work this way include:
- Region: Loop
- Arpeggiator object: Repeat
- Display parameters in the Score Editor: Interpretation, Syncopation, No Overlap, Lyric

Hidden Menu Bars and Scroll Bars in Screensets
Logic Express lets you save the hidden state of menu bars and scroll bars in Screensets. Hidden menu bars and scroll bars are also remembered when you close a window. Example: hide the menu bar and scroll bars of the Arrange window, then close it. When you reopen the Arrange window, the menu bar and scroll bars remain hidden.

To hide a window’s local menu bar and scroll bars:
- Option-Command-click in the window’s title bar.
This is handy when you want to set up small floating Environment windows containing fader objects used as switches, for example.

New Auto-Hide Dock Preference
The General pane of the Logic Express 7.2 Display preferences offers an Auto-Hide Dock option. Enabling this preference automatically hides the Dock while Logic is running, maximizing the screen space available for Logic windows.

To enable the Auto-Hide Dock preference:
1. Choose Logic > Preferences.
2. Click the Display button.
3. Select the Auto-Hide checkbox in the Dock section of the General pane.
Note: This option is also available in the Logic Setup Assistant.

Chapter 2: Editing Improvements

This chapter describes the editing improvements made since Logic Express 7. These changes include a number of new or changed key commands, new track creation features, and improved marker handling, among others.

Key Command Improvements
The following section describes all key command improvements made since Logic Express 7. This includes several new key commands that can speed up your workflow, and a new key command warning that helps you keep track of key command assignments.

New Key Commands
The following tables describe all key commands added since the release of Logic Express 7.

Global Menu Functions
The following global key commands have been added.
Key command: Function/Explanation
- Open Global Preferences, Open Audio Preferences, Open MIDI Preferences, Open Display Preferences, Open Score Preferences, Open Video Preferences, Open Automation Preferences, Open Control Surfaces Preferences, Open Surround Preferences: Opens the corresponding preferences.
- Open Song Settings for Synchronization, Open Song Settings for Metronome, Open Song Settings for Tuning: Opens the corresponding song settings.
- Project Settings: Opens the Project Settings window.
- Clean Up Project: Displays all unused audio files or EXS instruments in your project folder, letting you delete them.
- Consolidate Project: Moves all files associated with a project into one folder.
- Rename Project: Opens a dialog that lets you rename your project.
- Save as Project: Saves a song or project. If the open song is not already a project, it is given project status.
- Save A Copy As: Lets you save a copy of a song or project under a different name.
- Save as Template: Saves the song (with all mixer, track, and Environment settings) as a template that can be used for later projects.
- Import Audio File: Adds an audio file to your project.
- Loop Browser: Opens the Loop Browser window.
- Open Step Input Keyboard: Displays the Step Input Keyboard window.
- Toggle Plug-in Delay Compensation: All/Tracks and Instruments: Switches the Plug-in Delay Compensation preference between “All” and “Audio Tracks and Instruments”.

Arrange Menu
The following functions of the local Arrange menu (Arrange window) are now also available as key commands:
- Create Multiple Tracks: Opens a dialog that lets you create the specified number of tracks in sequence.
- Delete Unused Audio Tracks: Deletes unused audio tracks.
- Open in Apple Loops Utility: Opens the selected audio region in the Apple Loops Utility.
- Copy ReCycle Loop: As the name suggests.
- Paste ReCycle Loop: As the name suggests.
- Search Zero Crossings: Toggles automatic zero-crossing searches in audio files and regions. Enabling this makes audio loop creation easier.

Hyper Editor
The following local Hyper Editor functions are also available as key commands:
- Create Hyper Set: Lets you define a limited number of MIDI controllers as a Hyper Set.
- Create GM Drum Set: As the name suggests.
- Create Hyper Set for Current Events: Creates a Hyper Set based on the controller information of the selected regions.
- Clear Hyper Set: Removes all controller definitions from a Hyper Set.

Track Mixer
All filter buttons can be switched on and off via key commands:
- Toggle MIDI Instruments: Shows/hides MIDI instrument channel strips.
- Toggle Audio Tracks: Shows/hides audio track channel strips.
- Toggle Audio Instruments: Shows/hides audio instrument channel strips.
- Toggle Audio Aux: Shows/hides auxiliary channel strips.
- Toggle Audio Busses: Shows/hides bus channel strips.
- Toggle Audio Outputs: Shows/hides audio output channel strips.

Channel Strip Settings
The following key commands have been added:
- Next Channel Strip Setting: Loads the next channel strip setting in the settings list.
- Previous Channel Strip Setting: As above, but for the previous setting.
- Next Channel Strip Setting or Program or EXS Instrument: Loads the next channel strip or plug-in setting (or EXS instrument) in the settings list.
- Previous Channel Strip Setting or Program or EXS Instrument: As above, but for the previous setting.
- Save Channel Strip Setting As: Lets you save a channel strip setting under a different name.
- Copy Channel Strip Setting: Copies the selected channel strip setting to the Clipboard.
- Paste Channel Strip Setting: Pastes the channel strip setting from the Clipboard into the selected channel strip.
- Save as Performance: Saves the channel strip setting as a numbered (and named) performance setting, which you can then access via a program change message.

Drag Menu
All entries of the Drag menu can now be selected via key commands. Search for “Drag” in the Key Commands window to find these entries.

Sample Editor
The Sample Editor offers the new “Go to Selection End” key command, which moves the SPL to the end of the selection (in an audio file). The “Go to Selection” key command has been renamed “Go to Selection Start”.

New Key Command Warning
When an existing key command combination is used while assigning a new global combination, a warning message appears. You then have three options: Cancel, Replace, or OK.
- Cancel leaves the existing assignments unchanged.
- Replace replaces the existing command (assigned to the chosen key combination) with the selected function.
- OK assigns the key combination to the selected function while retaining the existing key command/function (in another class).

Important: There is a hierarchy of key command classes; they are not simply divided into global and local commands. For example, there is a class of commands that applies to all windows that display sequences. This class has priority over the global commands class, but not over the local window classes (Arrange, Score, Matrix, and so on).

Loop Length Editing
Logic’s Loop function has been enhanced with an easy-to-use Loop Length Edit function.

To set the length of a looped region:
1. Place the cursor at the end of the region you want to loop. It takes the appearance of a circular (loop) arrow when positioned in the upper half of the region.
2. Click and, holding the mouse button down, drag the end of the region to the desired length.
Note: When you place the cursor in the upper half of the looped area, it turns into a circular arrow, allowing the length change. If you want to select the looped region (to move it, for example), click in the lower half of the looped area.
You can also Shift-click in the upper area. The cursor only takes the form of a circular arrow (allowing loop length editing) when the track is tall enough. If the track height is minimal, Option-click the end of the region to access the loop length editing function. This also applies when automation data is visible on a track.

Important: Disabling the Region Loop parameter resets the loop length. The next time the Loop parameter is used, the region is repeated until it encounters another region on the same track, or until it reaches the end of the song.

Creating Multiple Tracks
This feature, accessed via the Track > Create Multiple menu option in the Arrange window (and via the corresponding key command), does exactly what it says. When selected, a dialog appears that lets you choose the:
- Driver: this pop-up menu selects the audio device driver to use with your new tracks.
- Track Type: this pop-up menu lets you choose between Audio, Audio Instrument, and Aux tracks.
- Number of Tracks: enter the desired number of tracks here. Eight (8) is the default value.
- Mode: simply click the Mono or Stereo radio button to create several mono or stereo tracks of the chosen type.

The Create Multiple Tracks function is intelligent, in that it handles both the tracks and the underlying Audio Objects. To understand this, suppose a song contains four tracks in the Arrange window and eight Audio Objects on the Audio layer of the Environment.
Use the Create Multiple Tracks function to add four tracks to the Arrange window. The four existing tracks use Audio Objects 1 to 4; the new tracks use Audio Objects 5 to 8.

Marker Functionality
The marker functionality of Logic Express 6 has been reinstated in Logic Express 7.1. Markers are very useful for flagging particular time positions or sections in a song. They appear as text strings in the Bar Rulers of all Logic windows that contain them.

To create a marker:
1. Place the cursor in the lower third of the Bar Ruler, at the desired song position.
2. Option-Command-click.
3. Type the marker name in the Marker field.
The marker length is set automatically: the marker extends to the start point of the next marker, or to the end of the song or folder if there are no further markers.

To delete a marker:
- Select it with the mouse in the Bar Ruler, then drag it downward, out of the Bar Ruler. Release the mouse button when the cursor becomes a hand containing two arrows.

New markers are automatically named “Marker ##”. The “##” value indicates their order of appearance in the timeline, shown in the Bar Ruler as “Marker 1”, “Marker 2”, and so on. The number always refers to the actual order of all markers in the song, including renamed markers.

To change a marker’s name:
1. Control-Command-double-click the marker.
2. A text entry field opens, allowing you to edit the marker name.
To change a marker’s position in the Bar Ruler:
1. Command-click the marker in the Bar Ruler.
2. Drag the marker to the left or right.

To set the SPL to a marker:
- Command-click the marker in the Bar Ruler. The SPL is set to the start point of the clicked marker. Double-clicking starts playback from the marker’s start point.
Note: You can drag a marker upward into the upper third of the Bar Ruler. This sets a Cycle zone matching the marker’s position and length (and therefore the locator positions). If the sequencer is stopped when you do this, the SPL is moved to the start of the Cycle zone.

Automation Tool
The Arrange Toolbox of Logic Express includes the Automation tool. This tool allows a number of tasks to be automated. When track automation is enabled via the View > Track Automation menu option, a pop-up menu below the Toolbox lets you define the function you want the Automation tool to perform. The options are:

Curve
If you choose this option, you can use the Automation tool to curve a line between two nodes, or any selection of more than two nodes. Four curve types are available: convex, concave, and two different S-curve types.
Note: This function is also available with the standard Pointer tool by holding down Option-Control.

Select
If you choose this option, you can use the Automation tool to “rubber-band” a selection of nodes in the automation data.
If you click a region this way, all automation events visible on screen and within the region boundaries are selected. This lets you freely move the resulting selection, corresponding to the region’s area (or to the entire region, as appropriate), to the left or right. If you hold down Option at the same time, you can copy the selection to another location. Note that neither of these operations preserves the nodes already in the destination area. Shift-clicking with the Automation tool lets you add other areas to the existing selection, so that non-adjacent selections can be edited simultaneously. Shift-clicking a node with the Automation tool (either before or after making a selection) extends the current selection.

Removing Movies
The Options > Movie menu includes a Remove Movie function that lets you completely remove a movie from a song or project. All references to the movie in the project or song are removed. This function can also be triggered with the Remove Movie key command.

Region Handling in the Arrange Window
Region handling in the Arrange window has been improved: selected regions that overlap unselected regions are displayed “on top”.

Chapter 3: Working with Audio

Many audio editing features have been improved since the release of Logic Express 7. Logic Express 7.2 introduces direct playback of compressed audio files, as well as improvements to the renaming of split stereo files, among other things.
Direct Playback of Compressed Audio Files
Logic Express 7.2 lets you play the following compressed audio file formats directly:
- AAC
- Apple Lossless files
These files are no longer converted automatically when imported into Logic. The compressed audio file is added to the Arrange window and a region containing the complete audio file is created. You can edit this region just like a “normal” audio region in the Arrange window: you can cut it, loop it, rename it, and so on.
Note: Fades cannot be applied to compressed audio files, nor can they be edited destructively.
Audio regions that point to compressed audio files are marked with distinctive symbols in the Arrange window.

The Project Manager can organize these compressed audio file types. The Audio File category of the Browse view now offers the Compressed subcategory. The Audio File filter in Find mode also includes a new Compressed checkbox: enable it to find all compressed AAC and Apple Lossless audio files.

You can convert compressed AAC and Apple Lossless audio files by doing one of the following:
- Select the audio regions that point to the desired audio file in the Arrange window, then choose Audio > Convert Region to Individual File from the local Arrange window menu (or use the “Convert Region to Individual File” key command; the default assignment is Control-F). The part of the audio file covered by the audio region is converted into a new audio file.
- Select the audio files in the Audio window, then choose Audio File > Copy/Convert File(s) from the local Audio window menu (or use the Copy/Convert File(s) key command).
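As an added example (not code from this manual or from Apple), the following Python script shows how a tool could tell the three cases in this section apart before a file is handed to Logic: plain AAC, Apple Lossless, and FairPlay-protected AAC, which the note that follows says Logic cannot open. It walks the box structure of an MPEG-4 container down to the sample description (stsd) box and reports the codec sample-entry type. The box layout (32-bit size, 4-byte type), the container boxes moov/trak/mdia/minf/stbl, and the fourccs mp4a (AAC), alac (Apple Lossless) and drms (FairPlay-protected AAC) are standard. Everything else is this example’s own choice and not something the manual states: the function names, the in-memory files (constructed here, not real recordings), and the decision to treat a box whose declared size runs past its parent as corruption rather than skipping it.

```python
import struct
from typing import Iterator, List, Tuple

# Boxes whose payload consists only of further boxes (ISO base media file format).
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}


def box(kind: bytes, payload: bytes) -> bytes:
    """Encode one box: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def stsd_box(entry_type: bytes) -> bytes:
    """Sample description box: 1 byte version + 3 bytes flags, a 32-bit entry count,
    then the entries. Real entries carry codec fields; eight zero bytes suffice here."""
    entry = box(entry_type, b"\x00" * 8)
    return box(b"stsd", b"\x00\x00\x00\x00" + struct.pack(">I", 1) + entry)


def constructed_m4a(entry_type: bytes) -> bytes:
    """A constructed, minimal container (not a real file): an ftyp box plus the
    moov/trak/mdia/minf/stbl chain down to an stsd with one sample entry."""
    chain = stsd_box(entry_type)
    for kind in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        chain = box(kind, chain)
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + chain


def iter_boxes(data: bytes, start: int, end: int) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (type, payload_start, payload_end) for each box within data[start:end].
    A declared size that would run past the parent is treated as corruption, so a
    truncated or hostile file raises instead of being mis-parsed. Sizes 0 and 1
    (extends-to-EOF and 64-bit largesize) are legal in the spec but not handled here."""
    pos = start
    while pos < end:
        if pos + 8 > end:
            raise ValueError(f"truncated box header at offset {pos}")
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        if size < 8 or pos + size > end:
            raise ValueError(f"box {kind!r} at offset {pos} has bad size {size}")
        yield kind, pos + 8, pos + size
        pos += size


def sample_entry_types(data: bytes) -> List[bytes]:
    """Collect the sample-entry fourccs from every stsd box in the file."""
    found: List[bytes] = []

    def walk(start: int, end: int) -> None:
        for kind, body_start, body_end in iter_boxes(data, start, end):
            if kind in CONTAINER_BOXES:
                walk(body_start, body_end)
            elif kind == b"stsd":
                count = struct.unpack(">I", data[body_start + 4:body_start + 8])[0]
                entries = [k for k, _, _ in iter_boxes(data, body_start + 8, body_end)]
                if len(entries) != count:
                    raise ValueError("stsd entry count does not match its contents")
                found.extend(entries)

    walk(0, len(data))
    return found


def classify(data: bytes) -> str:
    """Map the sample-entry types found to the cases the manual distinguishes."""
    types = set(sample_entry_types(data))
    if b"drms" in types:
        return "DRM-protected AAC (cannot be opened in Logic)"
    if b"alac" in types:
        return "Apple Lossless"
    if b"mp4a" in types:
        return "AAC"
    return "unknown"


if __name__ == "__main__":
    for fourcc in (b"mp4a", b"alac", b"drms"):
        print(fourcc.decode(), "->", classify(constructed_m4a(fourcc)))
```

The bounds checks in iter_boxes are the part worth keeping when adapting this to real files: a box header is just a length and a tag, so a parser that trusts the length will read outside its parent on a truncated download or a deliberately malformed file. Rejecting the file is the safe default here; a converter could instead report the offset of the bad box.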
Important: Compressed audio files protected by DRM (Digital Rights Management) cannot be opened in Logic. Music purchased from the iTunes Music Store is generally DRM-protected.

Using the Follow Tempo Function
Audio files created in Logic Express 7.1 or Logic Express 7.2 can follow the song tempo (including tempo changes) and the first key signature defined in the global tracks. Example: if you record a bass solo at 100 bpm, you can change the song tempo to 120 bpm and the bass solo is automatically played back at the new tempo. This works for all audio files recorded in Logic Express 7.1 and Logic Express 7.2, or bounced or exported from these versions. It only works in the parent song (that is, the song in which the audio files were created). If you drag a file recorded in one song into another song using the Finder, the file cannot follow the song tempo. Bounced or exported files can only follow the song tempo if the “Add resulting files to Audio window” option was enabled in the Export/Bounce window before bouncing/exporting. Files copied between two songs retain the ability to follow the song tempo.

The song tempo information is used to tag the beats in the recording. This function works best when your audio files match the song tempo precisely. The longer the audio files, the more RAM this feature requires.

To make an audio file follow the song tempo and first key signature:
1. Select one of the audio file’s regions in the Arrange window.
If your audio file was created with one of the methods described above, the Follow Tempo option appears in the Region Parameter box.
2. Enable the Follow Tempo option in the Region Parameter box.
All audio files that follow the song tempo and first key signature are marked with distinctive symbols in Logic.
Note: Follow Tempo is actually an audio file tempo operation, not a region function, but it has been placed in the Region Parameter box for convenience. It is synchronized for all regions that use the same audio file.

Follow Tempo and Apple Loops
The Follow Tempo option does not create an Apple Loop! Remember: Apple Loops follow chord changes; if you record a solo over an arrangement made of Apple Loops with transposition changes over time, you can enable Follow Tempo for your solo, but you will not like the resulting double transpositions.

To create an Apple Loop, use one of the following options:
- Choose Region > Add to Apple Loops Library in the Arrange window. This method sets the transients based on the song tempo information.
- Choose Audio > “Open in Apple Loops Utility” in the Arrange window. This feature lets you set the transients manually, independently of the song tempo.
See “Creating Apple Loops” on page 54 for more information on creating Apple Loops.

The Region Parameter box of looped Apple Loops (not one-shot loops) also offers the Follow Tempo option. If this option is disabled, the Apple Loop does not follow the tempo and key of the song.
Disabling the Follow Tempo option for a looped Apple Loop (not a one-shot loop) turns the Apple Loop into a “standard” audio file.

Faster Overview Creation

The Create Overviews dialog has an additional option that speeds up overview creation. This option makes overview creation as fast as “foreground” overview creation in Logic 6 (at the cost of slowing down other operations, although user interaction is not completely blocked). Logic remembers the state of the “Faster overview calculation” option.

Renaming Split Stereo Files

You can now rename disconnected split stereo files independently.

Warning: If you rename only one file of a disconnected split stereo pair, the disconnected split stereo file can no longer be reconnected.

4 Using the Mixer Windows

Logic Express 7.2 lets you switch between channel strips by sending MIDI program change messages. It also lets you toggle the bypass state of Insert slots with a single controller value. The following chapter describes all the improvements made to mixing and bouncing since Logic Express 7. These include support for stereo ReWire objects, the Hand tool in the channel strips of the Track Mixer and Arrange windows, and improvements to the Surround Pan and Bounce windows.

Using Channel Strip Performances

You can now switch between channel strip settings by sending MIDI program change messages. This lets you select your favorite “sounds” (consisting of a channel strip setting that can contain a software instrument and effect plug-ins) by pressing a button on your MIDI keyboard.
This feature is called Channel Strip Performances.

Important: Only program change messages sent on MIDI channel 1 switch between channel strip performances. All program change messages sent on other MIDI channels are passed on to Audio Units instruments, if required.

Channel strip performances can be used for all types of Audio Objects. They are saved in the Performances subfolder (in ~/Bibliothèque/Application Support/Logic/Channel Strip Settings/audio object name). Performance names begin with the corresponding program change number (for example: 001Piano, 045FlangeGuitar, 111ArcoCelloHall). There are 128 performances (corresponding to the 128 available program change events).

To create a performance setting:
1 Set up a channel strip that you want to make available as a performance (for example, by opening a channel strip setting from the original library and modifying it as needed).
2 Open the channel strip settings menu by clicking the word Insert on any channel strip, then choose “Save as Performance”.
3 In the dialog that opens, enter a name for the performance, choose a program change number, then click OK. You can also set the program change number by sending it from your MIDI controller.

Note: By default, the dialog suggests the lowest unused program change number. An alert warns you of any attempt to enter a program change number that is already assigned. Click Overwrite if you want to replace the existing performance assigned to that program change number.
As soon as an Audio Object receives a program change message on MIDI channel 1 that corresponds to an assigned performance number, it loads that performance.

Note: If an unassigned program change value is sent, the channel strip ignores the message and the currently loaded channel strip setting remains in place.

All saved performance settings appear in the Performances folder of the channel strip settings menu.

Multiple Channel Strip Selection

The multiple channel strip selection function (in the mixer windows) has been improved: clicking a channel background (without holding Shift) also lets you select further channels by dragging (across the background).

Automating the Bypass State

Logic Express 7.2 lets you change the bypass state of the Audio Object Insert slots with a single controller value: controller value 64. Adding this feature results in the following behaviors for controllers 56 to 60:
• A value of 0 disables bypass.
• Values 1 to 63 and 65 to 127 enable bypass.
• Repeated use of the value 64 toggles between the two bypass states.

This lets you toggle the bypass state of Insert slots 1 to 5 with a single button, assigned to controllers 56 to 60, that sends the value 64. (Earlier versions required sending two different values: one to enable and one to disable the bypass state.) The following table lists the controller number used to change the bypass state of the corresponding Insert slot.

This feature can be particularly useful if you use a control surface that does not offer feedback.
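The program change and bypass rules above, together with the Mute/Solo toggle described in the note that follows, as an added model in Python (this is not Apple’s code): it assumes performance numbers 1 to 128 as in the file names, looks them up from a plain dict, and models the strip’s bypass, Mute and Solo states as booleans.

```python
"""Added example, not code from Logic Express or Apple: a model of the MIDI
behaviours this chapter describes for one channel strip.

Assumptions (not stated on the page): performance numbers run 1..128 as in
the file names 001Piano ... and are looked up from a plain dict; bypass, Mute
and Solo are modelled as booleans.
"""
from dataclasses import dataclass, field

INSERT_BYPASS_CC = {56: 1, 57: 2, 58: 3, 59: 4, 60: 5}   # CC number -> Insert slot
MUTE_CC = 9          # value 64 toggles Mute
SOLO_CC = 3          # value 64 toggles Solo
TOGGLE_VALUE = 64


def performance_file_name(number, name):
    """Performance names start with the program change number: 045FlangeGuitar."""
    if not 1 <= number <= 128:
        raise ValueError("128 performances are available (1-128)")
    return f"{number:03d}{name}"


def apply_bypass_value(current, value):
    """Bypass rule for controllers 56-60: 0 = off, 64 = toggle, anything else = on."""
    if not 0 <= value <= 127:
        raise ValueError("MIDI controller values are 0-127")
    if value == 0:
        return False
    if value == TOGGLE_VALUE:
        return not current
    return True


@dataclass
class ChannelStrip:
    # program change number -> performance name, e.g. {1: "001Piano"}
    performances: dict
    current_setting: str = "(unsaved setting)"
    bypass: dict = field(default_factory=lambda: {slot: False for slot in range(1, 6)})
    mute: bool = False
    solo: bool = False
    # program changes on channels other than 1 are passed on to the instrument
    passed_to_instrument: list = field(default_factory=list)

    def program_change(self, channel, number):
        """Return the performance loaded, or None if the message did not switch."""
        if channel != 1:
            self.passed_to_instrument.append((channel, number))
            return None
        name = self.performances.get(number)
        if name is None:          # unassigned number: ignored, setting stays
            return None
        self.current_setting = name
        return name

    def control_change(self, cc, value):
        """Return the new state of the affected control, or None if unaffected."""
        if cc in INSERT_BYPASS_CC:
            slot = INSERT_BYPASS_CC[cc]
            self.bypass[slot] = apply_bypass_value(self.bypass[slot], value)
            return self.bypass[slot]
        if cc == MUTE_CC and value == TOGGLE_VALUE:
            self.mute = not self.mute
            return self.mute
        if cc == SOLO_CC and value == TOGGLE_VALUE:
            self.solo = not self.solo
            return self.solo
        return None


def surface_without_feedback_demo():
    """The scenario from the text: the mouse re-enables a bypass the surface
    disabled; a button sending 64 still toggles it, whatever the state."""
    strip = ChannelStrip(performances={1: "001Piano"})
    strip.control_change(56, 0)       # surface button: bypass off on Insert 1
    strip.bypass[1] = True            # user turns bypass on again with the mouse
    return strip.control_change(56, TOGGLE_VALUE)   # toggle: now off again


if __name__ == "__main__":
    print("bypass after toggle:", surface_without_feedback_demo())
```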
Imagine the following situation: you press a button on your control surface, sending a value that disables the bypass state of an Insert slot. The bypass state of that insert is then enabled again (with the mouse) in Logic. Your control surface does not reflect this change if it does not support feedback, so nothing happens when you press the appropriate button on your control surface. This new feature lets you use a single button to toggle the bypass state, regardless of the current bypass state (enabled/disabled).

Note: This feature also applies to the Mute and Solo buttons: if controller 9 sends the value 64, the state of the Mute button is changed; if controller 3 sends the value 64, the Solo button is set to on/off, depending on the current state of the Solo button.

Insert no.    CC no.
1             56
2             57
3             58
4             59
5             60

Stereo ReWire Object Support

Logic Express 7.2 supports stereo ReWire objects. This lets you assign stereo ReWire streams to a single Audio Object and configure the Audio Object as stereo.

Note: ReWire is a system from Propellerhead Software that lets you exchange audio streams in real time between two audio applications. For example, you can use ReWire to send audio from Propellerhead’s Reason software into Logic. You will find more information on ReWire in the Logic Pro 7 Reference Manual.

To use stereo ReWire objects in Logic Pro 7.2:
1 Start Logic, then start your ReWire application. Logic displays the audio returns of the connected ReWire applications as Audio Object channels.
2 Select the desired Audio Object in the Environment, then choose the ReWire channel in the Channel menu of the Object Parameter box.
If you choose a stereo ReWire channel, the Audio Object displays the Mono/Stereo button.
3 Click this button to configure the Audio Object as stereo. The button shows two linked circles, indicating that it is a stereo object. You can insert stereo plug-ins, as with normal stereo audio tracks. The level meter is divided into two discrete areas, with pan control.

Note: Logic can only act as a ReWire host application, which means that you can send audio into Logic but cannot send audio from Logic to another ReWired application.

Hand Tool in the Track Mixer and Arrange Channel Strip

The Hand tool in the Track Mixer is used to move and copy plug-ins between channel strips.

To move a plug-in between two Insert slots:
1 Click the Hand tool in the Track Mixer toolbox.
2 Select the (source) plug-in label and drag it to the desired target slot. During the drag-and-drop operation, the potential destination is shown as an orange rectangle (empty slot) or an orange line (when placing an effect between two Insert slots; see below). Holding Option while dragging copies the plug-in rather than moving it.

You can also use the Hand tool in the channel strip of the Arrange window by pressing Command (or right-clicking) when the cursor is over the Instrument or Insert slot.

Note: The Hand tool is the second default tool in the Track Mixer. Holding Command while clicking switches from the Pointer tool to the Hand tool.
This lets you move plug-ins by dragging them while holding Command, or copy them by dragging while holding Option and Command. If you drag a plug-in label onto a used plug-in slot on the same channel strip, the plug-ins are swapped. When dragging between different channel strips, the existing plug-in is replaced.

Placing Effects Between Used Insert Slots

If you drop an effect between two used Insert slots, the effect is inserted into a new slot between the two used slots. The effects below the insertion point are shifted down by one slot. If the effect’s source slot is above the destination slot, all plug-ins between the source and destination slots are shifted up by one position. If the plug-in’s source slot is below the destination slot, all plug-ins between the source and destination slots are shifted down by one position.

Note: If all 5 Insert slots are used, you cannot place effects between Insert slots.

Bounce Improvements

Logic’s Bounce features have been improved in the following areas since the release of Logic Express 7:
• The AAC bounce options are now available in a single Audio Settings window.
• The Device menu in the Bounce dialog lets you choose between the recognized CD burners connected to your system.
• The default bounce start and end positions take a wider range of selections into account.

Streamlined AAC Audio Settings Window

The AAC (Advanced Audio Coding) bounce options are now available in a single Audio Settings window.
Note: AAC provides high-quality audio encoding, well suited to Internet, digital, and wireless broadcasting applications.

To access the AAC Audio Settings window:
1 Choose File > Bounce from the main menu bar (or use the Bounce key command).
2 In the Bounce dialog, enable the AAC option, choose a file name and destination, then click Bounce.

The AAC Audio Settings window offers the following settings:
• Format: Displays the selected compression codec.
• Channels: Lets you choose between a mono or stereo output file.
• Rate: A number of preset sample rates are available in this pop-up menu, ranging from 8000 Hz to 48 000 Hz. The Recommended option selects a rate based on the choices made in the advanced settings.
• Show Advanced Settings: Select this checkbox to display further AAC settings in the lower area.
• Quality (Sample Rate Converter): Sets the quality of the sample rate conversion. Reducing the quality speeds up the conversion process at the expense of audio quality. Keep the Best value whenever possible.
• Bit Rate Format: You can choose between a constant or variable bit rate. Variable bit rate (VBR) encoding compresses simpler passages more than harmonically richer ones. Not all AAC players can decode VBR-encoded AAC data, which is why this option defaults to a constant bit rate.
• Target Bit Rate: Sets the bit rate of the AAC export. The higher the number of kilobits per second, the better the audio quality.
• Priority: Lets you link the bit rate and the sample rate.
If you set Priority to Sample Rate, the available target bit rates depend on the selected sample rate. If you set Priority to Bit Rate, the options available in the Sample Rate menu depend on the selected bit rate.
• Quality (AAC Encoder): Sets the quality of the AAC-encoded stream. Reducing the quality speeds up the conversion process at the expense of audio quality. Set the quality to Best whenever possible.

Choosing the CD Burner

The Logic Express Bounce dialog offers a Device menu in the Burn options, which lets you choose among the recognized CD burners connected to your system.

Default Start and End Positions

The default values of the Start Position and End Position fields in the Bounce dialog also take the selections made in the Arrange window into account. This means that the default start and end positions are set as follows:
• If Cycle is engaged, they are set to the locator positions.
• If a selection (of one or more regions) has been made in the Arrange window, they are set to the selected area.
• If neither of the above conditions is true, the start and end positions encompass the entire Logic song.

5 Importing Files

The import of MIDI file data has been improved since Logic Express 7. These improvements make it easier to import event-based MIDI data into Logic Express.

Importing MIDI Files

Opening and importing MIDI files behaved similarly in earlier versions of Logic.
The Import and Open commands loaded all data (including global information such as tempo events) into a new song. This is not necessarily the expected behavior for an “import”: in general, an import loads only the MIDI region data (notes, controller, SysEx, pitch bend, specific meta events) into an open song. This import behavior was available in earlier versions of Logic: when you dragged a MIDI file from the Finder into the Arrange window, only the MIDI region data was loaded. The Import MIDI menu command in Logic Express 7 performs a “real” import.

To import a MIDI file, do one of the following:
• Choose File > Import from the main menu bar (or use the Import key command), then select the desired MIDI file in the file selector box.
Note: You can only import MIDI files if a “target” song is already open. If no song is open, the File > Import item is grayed out. The MIDI file is placed at the SPL position, rounded to bars.
• Drag the MIDI file from the Finder into the Arrange window. The mouse position (when the button is released) determines the position, rounded to the nearest bar, and the destination of the first track of the imported file.

Both methods load only the MIDI region data (notes, controller, pitch bend, SysEx, certain meta events), whereas global data (such as tempo events, signatures, chords, track names, SMPTE start, and so on) is ignored. If you want to load all the information contained in a MIDI file, you must open it.
To open a MIDI file:
1 Choose File > Open from the main menu bar (or use the Open key command), then select the desired MIDI file in the file selector box. If a song is loaded, a dialog asks whether you want to create a new Environment or copy the current Environment for the MIDI file.
2 Do one of the following:
• Click Copy to replicate the existing Environment. The MIDI file’s tracks are automatically assigned to the appropriate instruments.
• Click New to load the Environment of the default song template (this template is based on the choices you made when you ran the Logic Setup Assistant).

The MIDI file is loaded as a new song containing all MIDI events, including time positions and channel assignments, individual track names, marker names and positions, tempo changes, and copyright notices.

6 Control Surface Support

The extensive control surface support has been further improved since Logic Express 7. Support for a number of control surfaces has been added, and several features essential to ease of use and assignment have been improved. These include the Track Control Bar and the key repeat functions.
Additional Control Surface Support

As an update to control surface support, the following surfaces are now directly recognized by Logic:
• M-Audio iControl
• Tascam US-2400
• Tascam FW-1082
• Frontier TranzPort
• JL Cooper CS-32
• JL Cooper FaderMaster 4/100
• Korg microKONTROL
• Korg KONTROL49

Note: For more information on individual control surfaces, refer to the Control Surfaces Support document available in the Documentation folder of the Logic Express 7.2 installation DVD.

Using the Track Control Bar

When a control surface is connected to Logic Express 7.2, the Track Control Bar appears in the Arrange window. This bar indicates the tracks currently being accessed by your control surface. The bar is available for all control surface devices connected to your system. You can assign a different color to the Track Control Bar of each control surface. The bar color is set in the Device Parameter box.

To change the Track Control Bar color:
1 Choose Logic > Preferences > Control Surfaces > Setup to open the Control Surfaces Setup window.
2 Click the appropriate control surface icon. The Device Parameter box appears, showing the Color option.
3 Click the Color option. A color palette opens, letting you choose or create the desired color.

New Key Repeat Function

Logic Express 7.2 offers updated control surface modules that support the key repeat function (where useful and applicable to the device).
When this function is enabled, the key command triggered by a controller assignment is executed repeatedly for as long as the button or switch is held down. The “Key Repeat Rate” slider, set in the Mac OS X Keyboard & Mouse preferences, determines how quickly Logic repeats the assignment. The length of time the button/controller must be held before the assignment repeats is set with the “Delay Until Repeat” slider in the Keyboard & Mouse preferences.

Example: The Logic Express 7.2 key command for the Zoom buttons of the Logic Control module supports the key repeat function. Simply hold down the zoom in button and Logic zooms in continuously until the button is released. This behavior is similar to that of the zoom key commands. In earlier versions, you had to press the (Logic Control) Zoom buttons repeatedly to zoom in or out by more than one level.

Intermediate Stop at the Default Value

Pressing the Option button on the control surface while changing a parameter assigned to a rotary encoder gives access to “relative controller” mode. In this mode, a turn to the right sets the encoder to its maximum value. A turn to the left sets the encoder to its minimum value. Logic Express 7.2 improves this mode: it now also stops at the encoder’s default value.
Example: When the Pan knob is to the left of center, turning the encoder to the right (with the Option button held) resets the parameter to its center position (default value), and a further movement to the right sets the rightmost position (maximum value).

Display of Modal Dialogs

All modal dialogs (except file selector boxes) are now shown on control surfaces that have LCD text displays. All text fields are shown in the upper line of the display (where the device is so equipped). If the dialog text does not fit in the upper line of the LCD, it starts scrolling after three seconds. You can scroll the text manually with the appropriate control (refer to the assignment tables in the control surface support documentation). Manual text scrolling disables automatic scrolling.
• If there is an Enter or OK button on the control surface, it triggers the dialog’s default button, where applicable.
• If there is a Cancel or Exit button on the control surface, it triggers the button labeled Cancel or Abort, where applicable.
• All buttons (push buttons, notably Enter/default and Cancel, as well as checkboxes and radio buttons, but not momentary buttons) are shown in the lower line of the display (where the device is so equipped). Pressing a control surface button below the display triggers the appropriate button/function in the dialog, where applicable.

After using the Enter/Cancel button on the control surface (or with the mouse), the dialog disappears and all controls and displays return to their previous state/mode.
Mackie Control Mode Support

Logic Control, Logic Control XT, Mackie Control Universal, and Mackie Control Extender units (all with firmware version 1.02 or later) no longer need to be switched to Logic Control mode to be recognized by Logic.

If you use software that requires Mackie Control mode:
1 Switch back to Mackie Control mode. Details can be found in the control surface documentation.
2 Delete the Logic Control control surface in the Control Surfaces Setup window.
3 Switch the control surface on. It is automatically installed as a Mackie Control.

The functionality of the two modes (Mackie/Logic Control) is identical.

Note: If you do not use software that requires Mackie Control mode, there is no need to change anything.

Controller Assignments Editor Improvements

The Easy View of the Controller Assignments window has been simplified. The Control Name field has been removed, because Easy View is generally used for unmanaged control surfaces (such as the controllers on your master keyboard or certain MIDI faders). The Track parameter lets you choose between Selected (the default when creating assignments on the selected track) and a specific track number (if you want to set up your controls as a mixing surface). The Learn Message button has been renamed Learn Mode (because you can create several assignments while it is enabled). Assignments created for a specific plug-in are only active if that plug-in resides on the specified track.
This lets you use the same controller messages for different plug-ins (for example, controlling the cutoff frequency of the ES1, ES2, or EXS24 with the same knob), depending on the software instrument inserted on the selected track. Your assignments are saved as preferences, making them available in all songs.

7 Using Apple Loops

Support for Apple Loops in Logic Express brings a whole range of flexible options to your music creation toolkit. This chapter covers their use in Logic Express and contains information on creating Apple Loops, as well as other items that will help you get the most out of the available options.

Logic Express ships with a number of Apple Loops, as does GarageBand. Apple Loops are audio files in AIFF format containing PCM audio data. They can be used in any audio application that supports AIFF files. Compared with “standard” audio loops, Apple Loops have a significant advantage: they can contain additional information that Logic Express uses for various purposes, including automatic time and pitch shifting, indexing, and searching.

Metadata tags and transient markers are two important types of data that can be included in Apple Loops. Logic Express uses metadata tags to locate files when using the Loop Browser’s search features. Transient markers indicate where the beats occur in the file.
Logic Express uses this information, together with the metadata tags, to match the file’s tempo and key to those of the song, ensuring the best possible playback quality.

Green and Blue Apple Loops

There are two types of Apple Loops: those with a blue sound wave icon and those with a green note icon (these icons are displayed in the Loop Browser). Both contain uncompressed PCM audio data, and both can contain additional information for time stretching, transposition, indexing, and searching.

Green and blue Apple Loops can be added to audio tracks. They appear as normal audio regions but can easily be identified by the Apple Loop symbol in the upper right corner. They follow the song key and tempo.

Apple Loops with the green icon can also be placed on Audio Instrument and MIDI tracks. On these tracks, these files can be edited in the same way as other MIDI regions, with individual note editing. Another interesting aspect of green Apple Loops: if you drag them onto an “empty” Audio Instrument track (with an empty channel strip), the corresponding instrument, effects, and input settings are inserted automatically. These instruments can be played in the same way as Logic Express audio instruments. Green Apple Loops contain all the information of blue Apple Loops, plus a MIDI region and the software instrument and plug-in settings. Green Apple Loops are called SIALs (Software Instrument Apple Loops).
[Figure: green and blue Apple Loops in the Loop Browser; the Apple Loop symbols (mono and stereo); a green Apple Loop placed on an Audio Instrument track]

Tip: When you place SIALs on audio tracks, they are imported as audio regions. This reduces the audio processing required for playback.

Adding Apple Loops

There are several ways to add Apple Loop files to a Logic song. Logic Express offers a special Loop Browser that lets you search for Apple Loops using keywords for instrument, genre, mood, and more. You can also import Apple Loops in the same way as audio files.

To add an Apple Loop to an arrangement, do one of the following:
• Open the Loop Browser by choosing Audio > Loop Browser (or use the Loop Browser key command). Select the desired Apple Loop file, then drag it into the Arrange window at the desired position. You will find more information on the Loop Browser in “Using the Loop Browser” on page 50.
• Drag the Apple Loop file directly from the Finder into the Arrange window.
• Select the Pencil tool, then Shift-click the desired track in the Arrange window (or choose Audio > “Import Audio File” from the menu bar; you can also use the Import Audio File key command). A standard file browser opens. Navigate to the folder where your Apple Loops reside (see “Apple Loop File Paths” on page 72 and the information on the Jam Pack Management pop-up menu in the Loop Browser section).
When you add an Apple Loop to an audio track, it is automatically matched to the song tempo and key. This feature lets you play several Apple Loops simultaneously with satisfying results, even if they have different tempos and keys. When you add a SIAL (Software Instrument Apple Loop) to an Audio Instrument track, it appears as a MIDI region. If the track’s channel strip is empty, the corresponding software instrument, effects, and parameters are also loaded.

Using the Loop Browser

The Loop Browser is designed to make searching for Apple Loops intuitive and fast. You can search for loops using keywords, perform text searches, preview loops, display information about loops, or restrict the display to loops from a specific Jam Pack or loop library.

To open the Loop Browser, do one of the following:
• Choose Audio > Loop Browser.
• Use the Loop Browser key command.

The Loop Browser Interface

The default view of the Loop Browser displays a matrix of 54 buttons, each with a category name. Simply click the desired buttons in the matrix to narrow the search for suitable Apple Loops. Enabled buttons are highlighted. Several categories can be selected, with or without the options of the Jam Pack Management, Scale, and Signature pop-up menus.
[Figure: the Loop Browser, with callouts for the View buttons, Jam Pack menu, Search field, Signature menu, Category buttons, Apple Loops file list (shows all Apple Loops matching the defined search criteria), Volume slider, Scale menu, and "Play in" menu]

The View buttons at the top left switch between three view types. The first button from the left, with the three rectangles, switches to a standard Mac OS X column file view, hierarchically divided into the search criteria All, By Genre, By Instrument, By Mood, and Favorites. The second button from the left (with the note icon) switches to the "normal" Matrix mode, showing the musical categories. The third button from the left (with the bell icon) switches to Sound Effects mode, offering effect category buttons such as Explosions, Foley, or People.

You can replace a displayed category via the contextual menu that opens when you Control-click (or right-click) a category button. You can choose from:
• Genre: this submenu offers musical categories, for example Rock/Blues and Electronic.
• Instruments: options include Bass, FX, Vocals, as well as Textures and Jingles.
• Descriptors: the options in this submenu cover the "moods" of Apple Loops and include Sad, Relaxed, Grooving, and so on.

The Loop Browser shows all indexed loops on the system. When a large number of Apple Loops is installed on your system, managing them can become difficult. To simplify things, the Loop Browser offers advanced loop management tools. The Jam Pack pop-up menu lets you limit the display of loops to a specific Jam Pack or any other folder.
Jam Packs are professional collections of Apple Loops for a specific genre or instrument, offered by Apple. Simply select the desired option in the Jam Pack menu. You can choose from the following options:
• Show All: choose this default option to display all Apple Loops on your system. It is very handy if you cannot locate a loop that you know is installed and indexed on your system, but do not know which Jam Pack it belongs to.
• My Loops: choose this option to display all Apple Loops in the ~/Library/Audio/Apple Loops and ~/Library/Application Support/GarageBand folders (~ indicates the user's home folder).
• GarageBand: choose this option to display all Apple Loops installed with GarageBand.
• Jam Pack x: choose this option to display all Apple Loops from a specific Jam Pack.
• Vendor x: choose this option to display all Apple Loops from a particular third-party vendor.

The Scale pop-up menu offers the options Any, Minor, Major, Neither, and Good for Both. Using these options limits the search for Apple Loops to the selected scale type, within the chosen category. For example, if the Country, Acoustic, and Relaxed categories are selected, you see about twenty files matching your choices. Selecting the Minor scale option reduces this list to ten Apple Loops, which speeds up auditioning and selection.

The Signature pop-up menu performs a similar task to the Scale menu, but it limits searches to Apple Loops matching the selected time signature.
The Search field is used to search for Apple Loops by name or partial name:
• Type the desired search term, then press Return. All files that match your search term are displayed in the file browser at the bottom of the window.
• The Cancel button on the right (which appears as soon as text is entered) clears the entered text. It also clears the search history.

The "Play in" pop-up menu determines the playback key of the selected Apple Loop. The choices are: Song Key, Original Key, and "C to B".

The Volume slider adjusts the playback level of the file selected in the Loop Browser window.

The list at the bottom of the window shows all Apple Loops matching the criteria defined with the settings described above.
• Clicking a column title sorts the result list by Name, Match, Tempo, Key, and so on.
• Clicking the arrow of any selected column title sorts the list in ascending or descending order: alphabetically, by match percentage, by tempo, by key, by beats, or by favorite status.
• Columns can be resized by dragging the vertical lines between column titles.
[Figure: Cancel button]
• Selecting any entry in the file list automatically starts playback. You can stop playback by clicking the speaker icon in the left column.
• The Fav (Favorites) column shows a checkbox for each displayed loop. Simply check this box to add the loop to the Favorites category (for more information, see "Using Favorites" on page 54).
Adding Apple Loops to the Loop Browser
Logic Express must index Apple Loops before it can display them in the Loop Browser. Loops can reside in any directory, but you need to tell Logic Express where to find them.

To add Apple Loops to the Loop Browser:
1. Open a Finder window next to Logic Express.
2. Navigate to the folder containing the Apple Loops.
3. Select the Apple Loops in the folder and drag them into the Loop Browser.
The loops are added to the Apple Loops library and indexed. When this process is complete, the loops are available directly in the Loop Browser.

If you drag a single loop into the Loop Browser, the loop is copied to ~/Library/Audio/Apple Loops/User Loops/SingleFiles.

If you drag a folder of loops located on the same drive and partition as the Loop Browser, the loops remain in their current location and an alias to the folder is created in ~/Library/Audio/Apple Loops/User Loops.

If the loops are on another drive or partition, you are asked whether you want to copy them into the loop library or index them at their current location (loops added from optical media are always copied).
• If you choose to copy them, the folder containing the loops is copied to ~/Library/Audio/Apple Loops/User Loops/.
• If you choose to index them at their current location, an alias to the folder is created in ~/Library/Audio/Apple Loops/User Loops/.

Acid Loops in the Loop Browser
The Loop Browser also displays Acid Loops. Unlike Apple Loops, Acid Loops do not contain tags.
In Acid Loops, this information is derived from the surrounding folder structure (in particular, the folder names), which must follow certain conventions. This means that it is not possible to drag a single Acid Loop file into the browser. Instead, you must drag the entire CD (or entire folder) containing the Acid loops into the Loop Browser.

Using Favorites
The Fav (Favorites) column of the list at the bottom of the Loop Browser offers a checkbox for each displayed loop. Simply check this box to add the loop to the Favorites category. This feature is ideal for compiling a set of Apple Loops that you use regularly. As a dance music producer, you often create songs that start with drum loops. You might, for example, have a "four on the floor" pattern, eighths and sixteenths, two- or four-beat patterns, and so on, and use these favorite loops as a groove construction kit, at least for the shell of the arrangement. These loops can easily be replaced or added to in your project, but using favorites can be a good starting point for many of your songs.

Creating Apple Loops
You can create an Apple Loop from an existing audio recording, since Apple Loops have the advantage over other audio file formats of automatic time stretching and transposition.

You can save Audio and Audio Instrument regions as Apple Loops in Logic. The transients that are defined are based on the song's tempo information. For more information on this method, see the following section.

You can also use the Apple Loops Utility to create Apple Loops from audio regions.
The Apple Loops Utility is a companion to Logic Express that lets you manage metadata tags and transients in audio files. The Apple Loops Utility offers sophisticated tag editing functions for audio files. For example, you can set transients manually, independently of the song tempo. For more information, see "Creating Apple Loops in the Apple Loops Utility" on page 58.

Note: the Apple Loops Utility does not allow you to create SIAL-type loops.

Which tool to use, and when?
As mentioned above, Logic Express offers Apple Loop creation features; the separate Apple Loops Utility also lets you create your own Apple Loops. The decision is fairly simple:
• To create an Apple Loop from an audio file that matches the song tempo, use the Apple Loop creation utilities available in Logic Express.
• To create a Software Instrument Apple Loop (SIAL), use the Apple Loop creation utilities available in Logic Express.
• To create a "non-looping" Apple Loop from an audio file that does not match the song tempo, use the Apple Loop creation utilities available in Logic Express. Non-looping Apple Loops (or one-shot loops) do not follow the song's tempo and key. This is useful if you want to add discrete, non-musical sounds (such as sound effects) to the loop library that should not be modified by the tempo and key properties.
• If you want to create a looping Apple Loop from an audio file that does not match the song tempo, use the Apple Loops Utility.
Read the following section if you want to create Apple Loops in Logic. The section "Creating Apple Loops in the Apple Loops Utility" is on page 58.

Creating Apple Loops in Logic
When you save a region as an Apple Loop in Logic Express, the region is added to the loop library and appears in the Loop Browser, which allows its use in other songs. The song's tempo information is used to tag the transients of user-created Apple Loops. This feature works best if your audio files precisely match the song tempo.

Note: user-created Apple Loops behave in exactly the same way as the Apple Loops supplied with Logic, GarageBand, and Jam Packs: they follow the song tempo and match the song key (as defined by the initial key signature).

To create an Apple Loop in Logic:
1. Select the Audio or Audio Instrument region in the Arrange window.
2. Choose Region > Add to Apple Loops Library from the Arrange window's local menu.
3. In the Add Region to Apple Loops Library dialog:
• Type a name for the loop, and choose the appropriate scale, genre, instrument category, instrument name, and mood descriptions (to simplify searches).
• Set the file type, which can be One-shot or Loop. If the length of the audio file is not trimmed precisely to contain a whole number of bars, the One-shot option is selected automatically and the file type buttons are grayed out.
Note: one-shots do not follow the song tempo and key.
This is useful if you want to add discrete, non-musical sounds (such as sound effects) to the loop library that should not be modified by the tempo and key properties. These loop types still contain metadata tags, which simplifies searching and classification in the Loop Browser.
4. Click Create.
The loop is added to the Loop Browser. It is stored in ~/Library/Audio/Apple Loops/User Loops/SingleFiles. You can find it using the keyword buttons, the menus, or by typing the name in the Search field.

If you drag the loop into the Arrange window, the Apple Loops symbol is displayed next to the file name. Since one-shots are treated as normal audio files, the standard stereo or mono region symbol is displayed next to the file name (rather than the Apple Loops symbol).

If you want to create a looping Apple Loop from an audio file that does not match the song tempo, use the Apple Loops Utility. The Apple Loops Utility lets you set the desired loop length, regardless of the song tempo, by manually setting the Number of Beats and Signature tags. Note that the utility only works with audio regions, not with MIDI regions on Audio Instrument tracks. For more information on the Apple Loops Utility, see "Creating Apple Loops in the Apple Loops Utility" on page 58.

You can also adjust the song tempo to the length of the file. Logic Express offers an automatic function that matches the length of an audio region to its intended musical length.
The region length remains constant, but the sequencer tempo changes automatically, so that the region plays back at the desired length.

To adjust the song tempo to an audio file:
1. Create an audio region that spans the complete audio file.
2. Set up a cycle in the Bar Ruler of the Arrange window. Set its length so that it matches the desired musical length of the region. Example: if the audio region is one bar long, set a one-bar cycle.
3. Do one of the following:
• Choose Options > Tempo > "Adjust Tempo by Region Length and Locators" from the main menu bar.
• Use the "Adjust Tempo by Region Length and Locators" key command (default assignment: Command-T).
The tempo is recalculated, and the region (and the referenced audio file) matches the song tempo.

Effect sends in Software Instrument Apple Loops (SIALs)
If you create a SIAL from a region on an Audio Instrument track that uses bus send effects, and then drag the saved loop onto another (empty) Audio Instrument track, the new loop sounds different from the original source region. This is because the effect sends on the original track are not saved with the loop. Logic Express does not automatically assign effects to buses, as this could interfere with bus configurations you have already set up in your song. Effects that are inserted directly on the Audio Instrument channel, however, are recalled automatically if you drag the loop from the Loop Browser into the Arrange window.
You can use one of the following options to ensure that loops created from Audio Instrument regions sound like the original regions:
• Drag the SIAL (whose original was assigned to bus sends) onto an audio track rather than an Audio Instrument track. When you create an Audio Instrument loop, the audio file that is played back includes the bus processing. It therefore sounds like the original.
• When creating a loop from an Audio Instrument region, insert all effects needed to reproduce the desired sound directly in the instrument's channel strip. This allows faithful recreation of all sonic elements when you later add the loop to an Audio Instrument track.
• When using SIALs, manually set up the sends and bus effects required to reproduce the sound of the original region.

Creating Apple Loops in the Apple Loops Utility
The Apple Loops Utility provides sophisticated functions for creating Apple Loops from audio regions. It lets you detect the transients present in an audio file and add markers for additional transients. You can also move these markers to new locations. You can add and edit metadata tags; you can also tag several files at once, a process known as batch tagging.

The Apple Loops Utility can read AIFF and WAV files. If you save changes, the file is automatically saved as an AIFF file.

To create an Apple Loop in the Apple Loops Utility:
1. Select an audio region in the Arrange window.
2. Do one of the following:
• Choose Audio > "Open in Apple Loops Utility" from the local window's Audio menu.
• Use the "Open in Apple Loops Utility" key command.
If the length of the audio file does not match the beats, the following dialog appears:
The incorrect length has two possible causes:
• The audio recording was made at the song tempo but was not trimmed correctly. In this case, you can shorten the length of the recording via the dialog.
• The loop uses a different tempo. In this case, you can set the length of the audio loop in the Loop Length field and click Use Set Length.

The Apple Loops Utility interface
The Apple Loops Utility window contains the Tags and Transients panes. The bottom of the window includes a set of playback controls and file management buttons. The Apple Loops Utility also includes an Assets drawer, located to the right of the main window, in which you can manage open files.
[Figure: Apple Loops Utility window, with callouts for the playback controls and the Assets drawer]

Tags pane
The Tags pane is divided into four areas. In three of them, you edit different types of tags. In the fourth area, you view information (which cannot be modified in the Apple Loops Utility), such as the length and location of the file. The more metadata (tags) you include in your files, the more precise searches are in the Loop Browser.
Property tags
Logic Express uses the settings of the Number of Beats, Key, and Signature property tags, together with the transient markers, to optimize playback of the Apple Loop. Changing them affects how the loop sounds during playback. The other property tags can be used to include additional information, but do not affect playback.

The Number of Beats field lets you specify the correct number of beats in a file. This number controls how Logic Express matches the tempo of a loop to that of the song. When you open an audio region in the Apple Loops Utility for the first time, Logic Express sends the following information to the utility:
• The song tempo.
• The length of the audio file in beats.
If the tempo of the audio file matches that of the song and its length corresponds to a whole number of beats (or if you entered the correct length in the "Open Audio File in Apple Loops Utility" dialog), the Apple Loops Utility sets the correct default value for the Number of Beats field.

Note: if you open an audio file directly in the Apple Loops Utility, this information is not available. In this case, the Apple Loops Utility uses various assumptions to set the Number of Beats value. See the Apple Loops Utility manual for more information.

The File Type tag lets you set the file type, which can be Non-looping or Looping. Looping files are matched to the song tempo and, if the Key tag is set to a value other than None, to the song key. Non-looping files (or one-shot loops) do not follow the song tempo and key.
If you import them into Logic, they behave like "normal" audio files. This is useful if you want to add discrete, non-musical sounds (such as sound effects) to the loop library that should not be modified by the tempo and key properties. Non-looping audio files still contain metadata tags, which simplifies searching and classification in the Loop Browser.

Generally, you tag files containing rhythmic patterns or musical passages intended for musical composition as "looping", which lets Logic Express match them to the song tempo and (for musical loops) to the song key. Files containing non-rhythmic elements, such as sound effects and voice-overs, intended for occasional use on audio tracks, should generally be tagged as non-looping.

The Key tag controls determine how Logic Express matches the key of a loop to the song. When you import the loop into Logic Express, it matches the key of the loop to the song by transposing the loop by the required number of semitones. The loop is transposed up or down, in whichever direction requires the fewest semitones. Example: if the song key is C and the loop's Key tag is D, Logic Express transposes the loop two semitones up (rather than ten semitones down). Either way, the loop is matched to the song key.
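The key-matching rule just described, as an added example that is not Logic's own code: the function computes the signed semitone shift that brings a loop's Key tag to the song key, always taking the shorter way around the octave, and ignores major/minor because only the root note matters for this transposition. The note-name table, the enharmonic map and the upward resolution of an exact tritone are my assumptions, not documented behaviour.

```python
"""Added example (not Logic's code): minimal-semitone key matching for loops.

Given the loop's Key tag and the song key (the root of the first key
signature in the Signature track), compute the signed number of semitones
by which the loop is shifted, choosing whichever direction needs fewer
semitones.  Major/minor is ignored: only root notes matter.
"""

NOTE_NAMES = ["C", "C#", "D", "D#", "E", "F", "F#", "G", "G#", "A", "A#", "B"]

# Assumed spellings for flats and the odd enharmonic names.
ENHARMONIC = {"Db": "C#", "Eb": "D#", "Gb": "F#", "Ab": "G#", "Bb": "A#",
              "Cb": "B", "Fb": "E", "E#": "F", "B#": "C"}


def pitch_class(name: str) -> int:
    """Map a note name such as 'D', 'Bb' or 'F#' to 0..11 (C = 0)."""
    name = name.strip()
    if not name:
        raise ValueError("empty note name")
    name = name[0].upper() + name[1:]
    name = ENHARMONIC.get(name, name)
    if name not in NOTE_NAMES:
        raise ValueError(f"unknown note name: {name!r}")
    return NOTE_NAMES.index(name)


def transposition(loop_key: str, song_key: str) -> int:
    """Signed semitone shift applied to the loop so that it plays in song_key.

    Positive means transpose up, negative means down.  Of the two ways
    around the octave the shorter one is chosen; an exact tritone (6 either
    way) is resolved upward here, which is an assumption, not a documented rule.
    """
    up = (pitch_class(song_key) - pitch_class(loop_key)) % 12  # 0..11 upward
    return up if up <= 6 else up - 12


def playback_key(loop_key: str, song_key: str, key_tag_is_none: bool = False) -> str:
    """Key the loop actually plays in.

    A loop whose Key tag is None is not key-matched at all and keeps its
    original pitch, which is what the File Type paragraph above describes.
    """
    if key_tag_is_none:
        return loop_key
    shifted = pitch_class(loop_key) + transposition(loop_key, song_key)
    return NOTE_NAMES[shifted % 12]


if __name__ == "__main__":
    print(transposition("D", "C"))   # -2: two semitones, not ten
    print(transposition("G", "C"))   # +5: five semitones up, not seven down
    print(playback_key("D", "C"))    # C
```

Call `transposition(loop_key, song_key)` with the loop's Key tag and the root of the song's initial key signature; the magnitude of the result is never more than six semitones, which is the property the paragraph above relies on.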
The global playback key of Apple Loops is determined by the first key signature in the Signature track (default: C major). No distinction is made between major and minor keys for these global transposition functions; in fact, only the root note of the initial key signature matters for the playback of Apple Loops and MIDI regions. By default, the Apple Loops Utility sets the Key tag from the information that Logic Express provides in the Signature track.

The Scale Type tag identifies the scale type of the file. It serves only as a search tag and has no effect on the sound of the loop. Changing the scale type of a loop does not alter the scale the loop was played in. Here again, the information provided by Logic Express via the Signature track is used by default.

Music uses different scale types. The main types are major and minor scales. Musical loops in the same key (having the same root note) but of different scale types may not sound good played together. Example: a loop with a piano chord progression in the key of D and a loop with a synthesizer line also in the key of D may not give an optimal result if the piano uses the D major scale and the synthesizer line uses the D minor scale.

The Scale Type menu offers the options Major, Minor, Good for Both, and Neither. The last option is suitable for percussive material with no tonal pitch. For loops that can be used with any scale, it is best to use Good for Both.

The Signature tag provides the following information about a loop: the number of beats in each bar, and the note length of the beat value.
Logic Express uses the number of beats per bar to display bar and beat positions in the Bar Ruler. This value does not affect playback. If the beat value is not set correctly, however, playback is affected. The Apple Loops Utility sets the Signature tag according to the value supplied by the Signature track in Logic. If you use loops with a different beat value, these loops play back at an incorrect tempo. Correct the Signature tag so that it indicates the beat value correctly.

The Author and Copyright tags let you indicate the name of a loop's author and copyright information. The Comment field displays any comments about the file. This field is often used to indicate an internal file name or a code used when creating a loop library. These three tags are not displayed in the Logic Loop Browser. They cannot be used to search for files and only allow the inclusion of textual information. They do not affect the sound of loops.

Search tags
These tags are used by the Loop Browser's search function and let you search for files matching specific criteria.
• Genre pop-up menu: sets the type or style of music for which the loop is suitable. The list of musical genres cannot be modified.
• Instrument list: shows the choices for the file's musical instrument or instrument category. Selecting a category in the left column displays a list of instruments/subcategories in the right column.
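The tempo arithmetic behind two passages of this chapter, written as an added illustrative model rather than Logic's own code: the "Adjust Tempo by Region Length and Locators" procedure (tempo recomputed so that a region of known length fills the cycle you set) and the Number of Beats and Signature property tags (the beat value decides how tagged beats convert to quarter notes, so a wrong beat value yields a wrong native tempo and therefore a wrong playback speed). The assumptions are mine: tempo is counted in quarter notes per minute, and a looping file is stretched by the ratio of the song tempo to the tempo implied by its tags.

```python
"""Added example (not Logic's code): an illustrative model of loop tempo tags.

Assumptions: tempo is quarter notes per minute (as in the Bar Ruler), and a
looping Apple Loop is time-stretched by song_tempo / native_tempo, where the
native tempo follows from the file's duration, its Number of Beats tag and
the beat value (denominator) of its Signature tag.
"""
from fractions import Fraction


def quarter_notes(beats: int, beat_value: int) -> Fraction:
    """Convert a count of beats at a given beat value to quarter notes.

    beat_value is the time-signature denominator (4 = quarter note,
    8 = eighth note): twelve eighth-note beats are six quarter notes.
    """
    if beats <= 0 or beat_value <= 0:
        raise ValueError("beats and beat_value must be positive")
    return Fraction(beats * 4, beat_value)


def tempo_from_region(region_seconds: float, bars: int,
                      beats_per_bar: int, beat_value: int) -> float:
    """Quarter-note BPM that makes a region of region_seconds fill `bars` bars.

    Models step 2 and 3 of the tempo-adjust procedure: the region length is
    fixed, the cycle gives the musical length, the tempo is what changes.
    """
    if region_seconds <= 0:
        raise ValueError("region length must be positive")
    qn = quarter_notes(bars * beats_per_bar, beat_value)
    return float(qn) * 60.0 / region_seconds


def loop_native_tempo(duration_seconds: float, number_of_beats: int,
                      beat_value: int) -> float:
    """Tempo implied by a loop's Number of Beats and Signature tags."""
    if duration_seconds <= 0:
        raise ValueError("duration must be positive")
    qn = quarter_notes(number_of_beats, beat_value)
    return float(qn) * 60.0 / duration_seconds


def stretch_ratio(song_tempo: float, duration_seconds: float,
                  number_of_beats: int, beat_value: int) -> float:
    """Playback speed factor applied to a looping file (1.0 = unchanged)."""
    if song_tempo <= 0:
        raise ValueError("song tempo must be positive")
    return song_tempo / loop_native_tempo(duration_seconds, number_of_beats, beat_value)


if __name__ == "__main__":
    # A one-bar 4/4 region lasting 2.0 s: the song tempo becomes 120 BPM.
    print(tempo_from_region(2.0, bars=1, beats_per_bar=4, beat_value=4))
    # A two-bar 6/8 loop (12 eighth-note beats) lasting 4.0 s is natively 90 BPM
    print(loop_native_tempo(4.0, 12, 8))
    # and plays unchanged in a 90 BPM song when its Signature tag is right,
    print(stretch_ratio(90.0, 4.0, 12, 8))
    # but at half speed if the tag wrongly says the beat value is a quarter note.
    print(stretch_ratio(90.0, 4.0, 12, 4))
```

The last two calls are the situation the paragraph above warns about: the same file with the same Number of Beats, tagged once with the correct eighth-note beat value and once with a quarter-note beat value, and the second one plays at the wrong tempo.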
File Info
This area of the Tags pane includes rows with the information Kind, Length, Date Modified, Sample Rate, Channels, Tempo, and File Location. This file information can only be displayed, not modified, in the Apple Loops Utility.

Descriptors
The Logic Express Loop Browser lets you search for files using descriptors. Descriptors are pairs of complementary keywords that describe the musical mood or character of the file. Each keyword pair offers a row of radio buttons, letting you choose one keyword of the pair, or neither.

Tagging files
To tag a file, select it in the Assets drawer, then edit the file's tags in the Tags tab. You can edit the tags of several files at once. To do so, simply select the desired files in the Assets drawer, enable the checkboxes of the appropriate tags, make your changes, then save.

Note: if you do not assign tags to a loop, it will be difficult to find in the Loop Browser. The Loop Browser only displays loops in its file list if a category is chosen, or if a name is typed in the Search field. Consequently, if a loop does not belong to any category, you can only find it by typing its name in the Search field.

Transients pane
Logic Express uses transient markers, together with the Number of Beats, Key, and Signature tags, to process a loop during playback. You can add and edit transient markers in the Transients pane of the Apple Loops Utility.
The Transients pane contains a large waveform display, a beat ruler, and a horizontal scroll bar. The markers indicate the position of transients in the file. Generally, transients correspond to the tallest parts of a waveform (in other words, the peaks).

The "Transient Division" pop-up menu and the Sensitivity slider determine the position of a loop's transient markers. The "Transient Division" menu sets the beat value used by the Apple Loops Utility for transient detection. The Sensitivity slider sets the degree of sensitivity for transient detection. When you increase the transient detection sensitivity, the Apple Loops Utility treats the highest-amplitude points of the waveform as transients, whether or not they occur on a beat value.

When you open a file in the Apple Loops Utility, it searches by default for transients at every 16th note, based on the file's Tempo and Number of Beats tags. You can change the beat value used for transient detection via the "Transient Division" pop-up menu. The range goes from whole notes to 1/64th notes.

The waveform display in the Transients pane shows the transients detected by the Apple Loops Utility and those inserted by the user. You can add transients and move existing ones in the Transients pane.

To display a file in the Transients pane:
• Select the file in the Assets drawer, then click the Transients tab.
Note: the Transients window can only display one file at a time. If several files are selected, no waveform is shown in the window.

To add a new transient:
• Click in the darker area above the beat ruler in the waveform display.

To move a transient marker:
• Drag the marker by its handle in the area above the beat ruler.

To delete a transient, do one of the following:
• Click the transient's handle in the area above the beat ruler, then press the Delete key.
• Drag the transient out of the area above the beat ruler.

In most cases you can find the optimal position of the transient markers by adjusting the "Transient Division" menu and the Sensitivity slider; you should only need to edit a few markers individually. The default position may not be accurate for certain loops, such as loops with heavily distorted musical content or unclear rhythms. These loops usually require manual edits to the transient markers. To decide where to place the markers, listen to the loop at its original tempo and pitch. Then listen at a different tempo and pitch, to hear how tempo changes affect playback. Repeat this procedure to hear how your marker edits affect playback.

You should also keep the following rules in mind:
• Every transient in the audio file should be labelled with a transient marker in the Apple Loops Utility.
• You should also add a transient marker at every musically significant point, notably the start and end of notes, pitch changes or glissandos.
• During playback, Logic Express speeds up or slows down the tempo of loops without transient markers. If a loop contains sustained notes or chords, you should also label those periods with transient markers, making sure that no period longer than a quarter note is left without a marker.
• You should always try to satisfy the rules above with as few markers as possible: artifacts can occur at the transition points between the markers (where the tempo is unchanged) and the area between markers (where the tempo is changed).

Assets drawer

The Assets drawer lists the files open in the Apple Loops Utility. The drawer contains a Name column listing each open file and a Changes column indicating which files you have modified. Clicking a file in the Assets drawer displays it in the Tags or Transients pane. The Save All button saves every file that has been modified.

Playback and file management controls

The bottom of the Apple Loops Utility window contains a set of playback controls that let you audition the selected file. These controls do not affect the file's tags.
• Go to Beginning button: starts playback from the beginning of the selected file.
• Play button: plays the selected file.
• Stop button: stops playback of the selected file.
• Key pop-up menu: transposes the selected file to a new key for playback.
• Tempo slider: sets the playback tempo of the selected file.
• Volume slider: sets the playback volume of the selected file.

Note: when several files are selected in the Assets drawer, the playback controls are not available. You cannot play more than one file at a time in this window.

There are two other buttons at the bottom of the window: the Assets button and the Save button.
• Assets button: shows and hides the Assets drawer.
• Save button: saves your changes to the file(s) currently selected in the Assets drawer.

[Figure: Apple Loops Utility playback controls: Go to Beginning button, Play button, Stop button, Volume slider, Key menu, Tempo slider]

Converting ReCycle files to Apple Loops

Logic Express lets you convert ReCycle files to Apple Loops.

To import individual ReCycle files as Apple Loops:
1 Start a ReCycle import using the same options as for audio files:
• Choose Audio > Import Audio File (or use the Import Audio File key command). You can also Shift-click an audio track with the Pencil tool (or Command-Shift-click with the Pointer tool). Select the desired ReCycle loop in the file selector box.
• Drag the ReCycle loop from the Finder onto an audio track.
2 Simply choose the "Render as Apple Loop" option in the Fix menu of the Import ReCycle File dialog. The ReCycle loop is converted to an Apple Loop (slice points are converted to transient positions) and copied to the folder ~/Library/Audio/Apple Loops/User Loops/Single Files. The Apple Loop is added to your Logic song.
Global tracks and Apple Loops

You can use the global tracks to edit global events such as tempo, time signature and key during a song. The following section describes how these edits in the global tracks affect Apple Loops playback. For detailed information on global tracks, read the "Global Tracks" chapter in the Logic Express 7 Reference Manual.

Tempo track

Apple Loops automatically follow the tempo of this track.

Signature track

Apple Loops can contain information about their original key and can be transposed automatically. They play in the song's default key, which is set by the first key signature event. No distinction is made between major and minor keys for these global transposition functions; in fact, only the root of the initial key signature matters for the playback of Apple Loops and MIDI regions. The global playback key of Apple Loops is determined by the first key signature in the Signature track (default: C major).

Converting Apple Loops to audio files

When you convert an Apple Loop to an audio file, the resulting file may not play at the song's current tempo and key settings. The new audio file then plays at the Apple Loop's original tempo and key. This happens when you select an Apple Loop, choose Audio > "Convert Regions to Individual Audio Files" in the Arrange menu, and replace the "Original file type" File Format setting in the following window with "Wave" or "SDII".
This creates a copy of the original Apple Loop file, but without the transient and category tags. Without these tags, the file can only play at the original Apple Loop's tempo and key, not at the song's tempo and key.

If you want to convert an Apple Loop region to an audio file that uses the song's tempo and key settings, select the loop(s), then choose File > Export > Region as Audio File. Be sure to tick the "Add resulting files to Audio window" checkbox in order to use the new file in the current song. The Apple Loop is exported as a new audio file, with all the plug-in effect processing of the track/channel the Apple Loop resides on. To export the Apple Loop without these effects, bypass them before exporting the region. To bypass a plug-in, Option-click its Insert slot. Note that although this file plays at the song's current tempo and key, it cannot follow subsequent tempo or key changes like other Apple Loops; these files are fixed at the tempo and key the song had when the file was exported.

Tip: if you enable the Follow Tempo option for the audio file, it follows the song tempo and the first key signature set in the global tracks. For more information, see "Using the Follow Tempo function" on page 26.

Apple Loops and sample rates

The method used to convert the sample rate of audio files also applies to Apple Loops. This sample conversion method also includes correction of the transient positions.
To convert the sample rate of an Apple Loop:
1 Select the desired Apple Loop in the Audio window.
2 Choose Audio File > Copy/Convert File(s) in the Audio window menu.
3 Choose the desired sample rate (and any other file conversion settings) in the following dialog, select the folder location, then click Save.

If the "Add resulting files to Audio window" option is enabled, the sample-rate-converted Apple Loop is automatically added to the song. It follows the song's tempo and key changes (provided the Key tag was set in the original loop).

Note: if a new Apple Loop is created, it must be indexed in order to be visible in the Loop Browser. Loops can reside in any directory, but you must tell Logic Express where to find them.

You will probably not need to convert Apple Loops as often as standard audio files when using Logic, because Apple Loops offer a major advantage: if you change the sample rate of a song by choosing Audio > Sample Rate > … in the main menu bar, all the Apple Loops currently used by your song are automatically converted to the newly selected sample rate.

Fading Apple Loops

Apple Loops do not support fades, which means you cannot apply a fade to them directly. Since you cannot apply fades to an Apple Loop, no fade parameters are shown in the Region Parameter box when an Apple Loop is selected.
If you want to achieve a fade effect, you need to export the Apple Loop (choose File > Export > "Region as Audio File" in the Arrange window). Import this file into the Arrange window and apply the fade to it.

Apple Loop file paths

The paths used for installing Apple Loops in Logic Express 7.2 are the following:

/Library/Audio/Apple Loops
Used for the Apple Loops libraries supplied with Logic Express 7.2. This folder is also used by GarageBand versions later than 2.0 and by additional Jam Pack libraries (later than volume 4).

~/Library/Audio/Apple Loops/User Loops
Used for user-created Apple Loops.

/Library/Application Support/GarageBand
Used for all Apple Loops libraries released before Logic Express 7.1 (including the libraries supplied with Logic Express 7 and GarageBand 1, as well as Jam Pack library volumes 1 to 3).

~/Library/Application Support/GarageBand
Used for all Apple Loops created with Logic Express 7, Logic Express 7.0.1 or any version of GarageBand 1.

Note: combined with the "Copy to Library" option, Apple Loops dragged from the Finder into the Loop Browser window are copied to this location. You can of course keep copies of the Apple Loops in their original location in the Finder.

Chapter 8 Updated file paths

The location of all files (preferences, plug-in settings, and so on) associated with Logic Express has changed. Unlike previous versions, Logic Express 7 does not store associated files in the program folder.
Logic Express 7 conforms to the Mac OS X standards:

Preinstalled files

All preinstalled files reside in the local domain: HardDiskName, usually beginning with / (as the path prefix).

User-created/editable files

All files that can be written directly by the user reside in the user domain: HardDiskName/Users/YourUserName. This string usually begins with ~/.

Preferences

All preference files are installed in: ~/Library/Preferences/Logic
The main preferences file is called: com.apple.logic.express
Other files originating from the Logic Express Preferences are also found in this folder.

Song templates

Logic Express looks for the "Song Templates" folder in the following folder: ~/Library/Application Support/Logic. Logic Express then looks for the "Autoload" or "Autoload.lso" song in the following folder: /Library/Application Support/Logic.

Plug-in settings

Logic Express looks for a folder named after the plug-in (that is, the "PlugInName/" folder) in the following folders, in the order shown:
• ~/Library/Application Support/Logic/Plug-In Settings
This path always contains user or modified settings. These settings always appear at the top of the Settings pop-up menu in plug-in windows. The Save Setting As command uses this level by default. The Save Setting option only works for settings located at this top level (otherwise, the Save Setting As option is selected).
• /Library/Application Support/Logic/Plug-In Settings
The factory settings are installed here. If Logic Express 7.2 also finds settings in one of the other locations, they also appear in the Factory subfolder of the Settings menu.
• /Applications/Logic 6 Series/Plug-In Settings
Logic 6 Series settings files still reside here. If Logic Express also finds settings in one of the other locations, those settings also appear in the "Logic 6 Series" subfolder of the Settings menu. We recommend moving old user settings from this location to the new one (~/Library/Application Support/Logic/Plug-In Settings). To do so, either drag and drop in the Finder or, in Logic, load the settings and save them to the new location (which is the location offered by default in the Save and Save As dialogs).

Default settings

As in previous versions, Logic Express lets you use a default settings file that is loaded automatically when a plug-in is opened. This file must be named #default.pst and reside in: ~/Library/Application Support/Logic/Plug-In Settings/PlugInName. This is where you can save your default setting: simply save a setting under the name #default.pst. If the search is unsuccessful, Logic Express continues it in /Library/Application Support/Logic/Plug-In Settings/PlugInName/, then in /Applications/Logic 6 Series/Plug-In Settings/PlugInName.

GarageBand instruments

Logic Express looks for GarageBand instruments in the "Plug-In Settings/PlugInName" folder of the following directories, in the order shown:
• ~/Library/Application Support/Logic/Plug-In Settings/PlugInName
User-defined or modified settings are saved here.
• /Library/Application Support/GarageBand/Plug-In Settings/PlugInName
This path leads to the factory settings.
Channel strip settings

Logic Express looks for the "Channel Strip Settings" folder in the following folders, in the order shown:
• ~/Library/Application Support/Logic
This path leads to user-defined or modified channel strip settings.
• /Library/Application Support/Logic
The factory settings are stored here.
Logic Express also looks for instrument and track audio objects in the following folder: /Library/Application Support/GarageBand/Instrument Library/Track Settings.

EXSP instruments

Logic Express looks for the "Sampler Instruments" folder in the following folders, in the order shown:
• ~/Library/Application Support/Logic
User-defined or modified instruments are saved here.
• /Library/Application Support/Logic
The factory EXS instrument files are installed here.
• /Applications/Logic 6 Series
Logic 6 Series EXS instrument files are still stored here.
• …/SongOrProjectName
As in previous versions, Logic Express also looks for EXS instruments in the project or song folder.
Logic Express also searches the folder: /Library/Application Support/GarageBand/Instrument Library/Sampler.

EXSP sample conversion

Here are the default locations for samples converted from other formats:
• ~/Library/Application Support/Logic/AKAI Samples
For samples converted from the AKAI format.
• ~/Library/Application Support/Logic/DLS-Giga Samples
For samples converted from the GigaSampler/GigaStudio format.
• ~/Library/Application Support/Logic/SoundFont Samples
For samples converted from the SoundFont format.
User icons

Logic Express looks for user-definable track icons in the following folder: ~/Library/Application Support/Logic/Images/Icons. User icons remain in .png format. The file name must begin with xxx (xxx being a number of 1 to 3 digits). The numbered default icons are replaced by your custom icons.

Control surface plug-ins

Control surface plug-ins are installed (and searched for) in the application bundle. You can install control surface plug-ins in: ~/Library/Application Support/MIDI Device Plug-ins.

Tuning Tables

Logic Express looks for the "Tuning Tables" folder in the following folder: /Library/Application Support/Logic.

Default directories

Logic Express uses the following default directories:
• ~/Music/Logic: for Logic Express songs (Open/Save/Save As).
• ~/Movies: for movie files (Open).
• ~/Pictures: for the Camera tool in the Score Editor (Save bitmap file as).

Chapter 9 Plug-in enhancements

The following chapter describes the plug-in enhancements made since Logic Express 7. This information supersedes that in the "Logic Express 7 Plug-In Reference". It includes the following sections:
• Using the AU Manager
• Using plug-in delay compensation
• Instrument enhancements
• Effect enhancements

Using the AU Manager

Logic Express uses Apple's AU validation tool to ensure that only Audio Units plug-ins that fully comply with the Audio Units specification are used in Logic. This helps limit problems caused by third-party Audio Units plug-ins while Logic is running. The validation process takes place automatically when you launch Logic Express.
You can see the scan results for all Audio Units plug-ins in the Logic AU Manager.

To open the AU Manager, do one of the following:
• Choose Preferences > "Launch Logic AU Manager" in the main menu bar.
• Use the "Launch Logic AU Manager" key command.

Note: Logic Express quits automatically before launching the Logic AU Manager. It relaunches automatically once you quit the AU Manager.

The test results are shown in the Compatibility column. Audio Units plug-ins that failed can be enabled, but be aware that they may cause problems. Using non-validated plug-ins may skew the test results of other scanned plug-ins, cause Logic to quit unexpectedly, or even lose data (destroyed song files). We therefore strongly advise you to visit the manufacturer's website to download updates for the Audio Units plug-ins that could not be validated.

The Logic AU Manager also lets you disable Audio Units plug-ins that you do not want to use in Logic, even if they pass the test. To disable a plug-in, simply deselect the corresponding checkbox in the Use column. To save your selection of Audio Units plug-ins, click OK.

Click the "Reset & Rescan All" button to run another validation test after installing plug-ins or updates, or after moving components in the Finder while Logic or the AU Manager was open. You can also rescan each plug-in for which you have installed an update. Updated versions of plug-ins are tested automatically the next time Logic launches. They are also enabled automatically when they pass the scan.
Note: if you hold down Shift + Control while launching Logic, AU Safe Mode is used. Only plug-ins that passed the validation test will be available; manually enabled plug-ins that failed the validation test will not be available.

Using plug-in delay compensation

Logic Express includes plug-in delay compensation for instruments, tracks, buses, auxes, outputs and ReWire objects. A pop-up menu in the Logic > Preferences > Audio > General pane lets you enable plug-in delay compensation for:
• Audio and instrument tracks
• All (audio track, instrument, bus, aux, ReWire and output objects)

About plug-in delay compensation

Some effect plug-ins introduce latency: the effect needs a little time to process the audio it receives, so the plug-in's output is slightly delayed. This happens with all dynamics effects that have lookahead parameters, for example. Logic offers plug-in delay compensation for all channels: when this function is enabled, Logic compensates for the latency introduced by plug-ins, ensuring that audio routed through these plug-ins stays synchronized with the rest of the audio. Logic does this by computing the amount of latency caused by the plug-ins and delaying the audio streams by the appropriate amount (or by shifting instrument and audio tracks forward in time). The compensation method depends on the type of channel the delay-inducing plug-in is inserted in.
• If delay-inducing plug-ins are inserted in bus, aux, ReWire and output channels, Logic delays all other audio streams by the appropriate amount.
• If delay-inducing plug-ins are inserted in audio and audio instrument channels, Logic automatically shifts these tracks forward in time. The advantage of this method is that the other channels (those without delay-inducing plug-ins) do not need to be delayed.

Example: imagine a simple song with a few bass, guitar, vocal and drum tracks. The bass track plays through an audio object containing a plug-in that introduces 100 ms of latency. All guitar tracks are routed to a bus object containing several inserted plug-ins; the combined latency introduced by these plug-ins is 300 milliseconds (ms). The vocal is routed through another bus object whose set of plug-ins introduces 150 ms of latency. The drum tracks are routed to the main outputs, without passing through any plug-ins.

If the delays were not compensated, the drum tracks would play 300 ms after the guitar tracks. The bass track would play 200 ms before the guitar track, but 100 ms after the drums. The vocal would play 150 ms before the guitar track, but 150 ms after the drums and 50 ms after the bass. Needless to say, this would not be ideal.

With plug-in delay compensation set to All, Logic shifts the bass track forward by 100 ms, synchronizing the bass and drum tracks. Logic then delays the two streams going to the Output object by 300 ms, aligning them with the guitar tracks. The bus object the vocal is sent to is also delayed by 150 ms, aligning it with the drum and guitar streams. The precise calculations required for each stream are handled automatically.

Limitations of plug-in delay compensation

Plug-in delay compensation works transparently during playback and mixing.
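The bass/guitar/vocal/drum example above, and the live-track limitation discussed next, carried through as an added Python model (not code from the Logic Express documentation). The channel names and latencies are the text's; the scheduling rules are a simplified reading of the description, and the mode names "off"/"tracks"/"all", the `bypassed` flag and the helper functions are assumptions of this example.

```python
# Added example, not from the Logic Express documentation: a small model of
# plug-in delay compensation (PDC) as the text describes it. The channels,
# latencies and routing are the bass/guitar/vocal/drum example in the text;
# the scheduling rules are a simplified reading of that description.
from dataclasses import dataclass, field
from typing import Dict, List

TRACK_KINDS = {"audio", "instrument"}          # can be shifted forward in time
BUS_KINDS = {"bus", "aux", "rewire", "output"}  # compensated by delaying others


@dataclass
class Channel:
    name: str
    kind: str
    latency_ms: int = 0      # combined latency of the plug-ins in its inserts
    bypassed: bool = False   # Option-clicked insert slots (assumed flag)

    def effective_ms(self, mode: str) -> int:
        # The text notes that in "all" mode bypassing plug-ins on bus, aux and
        # output channels does not remove their delay; only removal does.
        if self.bypassed and (self.kind in TRACK_KINDS or mode != "all"):
            return 0
        return self.latency_ms


@dataclass
class Track:
    name: str
    channel: Channel                  # the track's own audio/instrument object
    path: List[Channel] = field(default_factory=list)  # bus/aux/output chain
    live: bool = False                # being recorded or monitored live


@dataclass
class Offsets:
    advance_ms: int    # track shifted forward in time
    delay_ms: int      # stream delayed to line up with the most latent route
    offset_ms: int     # 0 = in sync with the other streams; <0 early, >0 late


def compensate(tracks: List[Track], mode: str = "all") -> Dict[str, Offsets]:
    """mode is "off", "tracks" (audio and instrument tracks) or "all"."""
    if mode not in ("off", "tracks", "all"):
        raise ValueError(f"unknown PDC mode {mode!r}")
    path_ms = {t.name: sum(c.effective_ms(mode) for c in t.path) for t in tracks}
    # In "all" mode every stream is delayed to match the most latent route.
    target = max(path_ms.values(), default=0) if mode == "all" else 0
    result: Dict[str, Offsets] = {}
    for t in tracks:
        own = t.channel.effective_ms(mode)
        # Tracks carrying latent inserts are moved forward; a live one cannot be.
        advance = own if mode != "off" and not t.live else 0
        # Bus/aux/output latency is balanced by delaying every other stream;
        # a live stream cannot be delayed either, so it is heard early.
        delay = target - path_ms[t.name] if mode == "all" and not t.live else 0
        arrival = own - advance + path_ms[t.name] + delay
        result[t.name] = Offsets(advance, delay, arrival - target)
    return result


def song_from_text(live: str = "") -> List[Track]:
    """Bass through a 100 ms insert, guitars via a 300 ms bus, vocal via a
    150 ms bus, drums straight to the main outputs (the text's example).
    `live` names the track currently being recorded, if any."""
    guitar_bus = Channel("Guitar bus", "bus", latency_ms=300)
    vocal_bus = Channel("Vocal bus", "bus", latency_ms=150)
    main_out = Channel("Output 1-2", "output")
    tracks = [
        Track("Bass", Channel("Bass", "audio", latency_ms=100), [main_out]),
        Track("Guitar", Channel("Guitar", "audio"), [guitar_bus, main_out]),
        Track("Vocal", Channel("Vocal", "audio"), [vocal_bus, main_out]),
        Track("Drums", Channel("Drums", "audio"), [main_out]),
    ]
    for t in tracks:
        t.live = t.name == live
    return tracks


def bypass_latent_plugins(tracks: List[Track]) -> None:
    """Steps 2 and 3 of the text's recording procedure: Option-click every
    latent insert on the record track and on the buses, auxes and outputs."""
    for t in tracks:
        for c in [t.channel, *t.path]:
            if c.latency_ms:
                c.bypassed = True


if __name__ == "__main__":
    for mode in ("off", "tracks", "all"):
        offsets = compensate(song_from_text(), mode)
        print(mode, {n: o.offset_ms for n, o in offsets.items()})
```

Running the three modes on the text's song shows the 100 ms advance and the 300/150 ms delays from the example, and a live bass track that stays 100 ms late in "tracks" mode until its insert is bypassed.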
The delay created to compensate for delay-inducing plug-ins in bus, output and aux channels can be applied to the non-delayed streams before they are played. Instrument and audio tracks (containing delay-inducing plug-ins) can likewise be shifted forward before playback begins. There are, however, some limitations when using plug-in delay compensation with live tracks.

Shifting pre-recorded audio and instrument tracks forward is possible while live audio is playing. So recording with plug-in delay compensation set to instruments and tracks works fine, as long as you do not try to record through delay-inducing plug-ins: a live track cannot be shifted forward.

Delaying a live stream to synchronize it with other delayed audio channels is not possible. This could cause problems if you decide to do further recording after setting plug-in delay compensation to All and inserting delay-inducing plug-ins in auxes, buses and outputs. If Logic has to delay the streams to compensate for plug-in latency, you will hear the delayed audio streams while recording. Consequently, your recording will be delayed by the number of samples by which the audio streams were delayed.

For the same reasons, you may experience greater latency when playing audio instrument tracks live with plug-in delay compensation set to All.

Troubleshooting delay problems

To avoid these potential problems, try to do your audio and audio instrument recording before inserting delay-inducing plug-ins.
If you need to record an audio or audio instrument track after setting up a delay-inducing signal routing, the following procedure will help you avoid problems.

To record after setting up a delay-inducing signal routing:
1 Switch the plug-in delay compensation setting from All to "Audio and instrument tracks" in the Logic > Preferences > General > Audio pane.
Note: you can use the "Toggle plug-in delay compensation: all/tracks and instruments" key command to switch the delay compensation setting between "All" and "Audio and instrument tracks".
The "Audio and instrument tracks" plug-in delay compensation method shifts tracks containing delay-inducing plug-ins forward, so that audio and audio instrument tracks containing delay-inducing plug-ins are synchronized with the non-delayed tracks. There is only one exception: live tracks cannot be shifted forward. The next step is to eliminate the latency introduced by the plug-ins on the recording track.
2 Bypass any delay-inducing plug-ins on the recording track by Option-clicking the corresponding insert slots.
In "Audio and instrument tracks" plug-in delay compensation mode, bypassing the plug-ins eliminates the delay they create. The latency introduced by plug-ins in audio and audio instrument tracks is compensated. The last thing to do is to bypass the latency introduced by the plug-ins on the buses, auxes and outputs.
3 Bypass the delay-inducing plug-ins on the buses, auxes and outputs to eliminate the latency.
At this point, all audio streams are synchronized, and you can continue recording.
When you have finished recording, re-enable all delay-inducing plug-ins and switch the delay compensation setting back to All.

Note: in All mode, bypassing the plug-ins on buses, auxes and outputs does not eliminate the delay they create. You must remove these plug-ins entirely from the Insert slots to eliminate the latency.

If you are recording audio, another strategy is to deselect the Software Monitoring checkbox in the Logic > Preferences > Audio > Drivers pane. This requires monitoring your recording through an external mixer. When Logic does not provide software monitoring of the incoming audio, it can position audio recordings correctly, even when full delay compensation is active. Of course, you cannot use external monitoring when recording audio instruments.

Note: since Logic has no direct control over the audio outputs of external devices, plug-in delay compensation cannot work for MIDI tracks that trigger external audio modules. If you enable full plug-in delay compensation and insert delay-inducing plug-ins, the external MIDI signals will be out of sync with the delayed audio streams.

Adjusting plug-in parameters with the mouse wheel

You can use the mouse wheel to adjust Logic plug-in parameters in Logic Express.

To adjust plug-in parameters with the mouse wheel:
1 Position the mouse pointer over the desired Logic plug-in parameter.
2 Click and turn the mouse wheel.

Audio Units Generator plug-in support

Logic Express supports the Audio Units Generator plug-in type. As the name suggests, this type of Audio Units plug-in generates audio signals.
Unlike Audio Units instruments, however, they do not require MIDI signals. All Audio Units Generator plug-ins installed on your system are found in the Mono/Stereo/Multichannel > AU Generators submenu of the Instrument slot. This means you can choose from three different types of Audio Units plug-ins (provided the appropriate plug-ins are installed on your system) in the Instrument menu:
• AU Generators
• AU MIDI-controlled Effects: because these effects can be controlled via MIDI, they are inserted in the Instrument slot of audio instrument objects. The audio signal you want to process is then selected via the plug-in's Side Chain menu.
• AU Instruments

EXSP24 mkII
The following information supplements the EXSP24 mkII section of the Logic Express 7 Plug-In Reference.

Vel Offset parameter
The Vel Offset (velocity offset) parameter, found towards the upper left of the EXSP24 mkII interface, lets you offset the velocity value of incoming MIDI notes by ±127. This lets you limit or extend the dynamic response of the EXSP24 mkII to incoming note events.

Time Curve parameters
The Time Curve sliders apply to the filter and volume envelopes; the left slider can be used to scale (shorten or lengthen) the times of both envelopes. Note that C3 is the center point; the times of all zones assigned to keys above C3 can be shortened with this slider. All times of zones assigned to keys below C3 can be lengthened. The Curve (attack) slider determines the shape of the envelope attack.

GarageBand instruments
Two additional GarageBand 2 instruments are included in Logic Express.
These instruments are based on the Hybrid Basic sample synthesizer (the first) and the Hybrid Morph synthesizer (the second). Both synthesizers are limited to a few powerful yet simple-to-use parameters, in addition to the usual ADSR, cutoff, and resonance options. Try these controls to discover how easily you can create spectacular sounds. Worth noting are the Wave pop-up menus, which let you choose the sample set used to generate the basic sound of the synthesizer. Each "wave" in the Hybrid Morph synthesizer is based on two sample layers. The Morph control crossfades between these two layers. The Morph envelope lets you control the shape of the sound over time. For example, if you set the Morph parameter to B and its Morph envelope to "A to B", the waveform of the sound changes from value A to value B according to the ADSR envelope settings.

Note: if you set the Morph parameter to A and the Morph envelope to "A to B", some ADSR settings will result in no sound. In such a case, you may get more interesting results by using the modulation control to shift the Morph parameter value during live performance. In the Hybrid Basic synthesizer, use the Wheel to Vibrato and Wheel to Cutoff sliders to determine the parameters assigned to the modulation control.

Bass Amp
The Bass Amp plug-in simulates the sound of various commonly used bass amplifiers. You can process bass guitar signals directly in Logic and reproduce the sound of high-quality bass guitar amplification systems.
You can also use Bass Amp to create experimental sounds. You are free to use the plug-in on other instruments as needed, applying the sonic character of a bass amp to a vocal or percussion part, for example. Nine amplifier models are available via the Model pop-up menu at the top of the Bass Amp interface:
• American Basic: American bass amp model from the 1970s, equipped with eight 10-inch speakers. Well suited to blues and rock recordings.
• American Deep: based on the American Basic amp model, with a strong low-mid boost (from 500 Hz). Well suited to reggae and pop recordings.
• American Bright: based on the American Basic setting, this setting strongly boosts the high mids (from 4.5 kHz).
• American Scoop: based on the American Basic amp model, the American Scoop setting combines the frequency characteristics of American Deep and American Bright, boosting both the low mids (from 500 Hz) and the high mids (from 4.5 kHz). Well suited to funk and fusion recordings.
• New American Basic: American bass amp model from the 1980s, well suited to blues and rock recordings.
• New American Bright: based on the New American Basic model, this setting strongly boosts the frequency range above 2 kHz. Well suited to rock and heavy metal recordings.
• Top Class DI Warm: renowned DI simulation, well suited to reggae and pop recordings. The mids, across the broad frequency range between 500 and 5000 Hz, are reduced.
• Top Class DI Deep: based on the Top Class DI Warm model, this setting is well suited to funk and fusion recordings; its mid range is strongest around 700 Hz.
• Top Class DI Mid: based on the Top Class DI Warm model, this setting boosts no particular frequency but has a more or less linear frequency response. It is suited to blues, rock, and jazz recordings.

At the top of the slider section you will find the Pre Gain control, used to set the preamplification level of the input signal. Directly below this slider are the Low, Mid, and High controls. Use these sliders to adjust the bass, mid, and treble levels to suit. The additional Mid Frequency control lets you adjust the center frequency of the mid band between 200 Hz and 3000 Hz. The Output Level slider serves as the final level control for the Bass Amp output.

New Ducker plug-in
The Logic Express 7.2 update includes the new Ducker plug-in (in the Logic > Dynamics submenu).

Important: for technical reasons, the Ducker plug-in can only be inserted in Output and Bus objects.

Ducking is a common technique used in radio and TV broadcasting: when the announcer speaks over the music, the music level is automatically reduced. Once the announcement is over, the music automatically returns to its original volume level. The Ducker plug-in offers a simple way to perform this process. It can even reduce the music level before the announcer starts speaking (although this introduces a slight delay).

To use the Ducker plug-in:
1 Insert the Ducker plug-in in an audio Output or Bus object.
2 Route the outputs of all tracks that should be subject to dynamic mix volume reduction to a bus.
3 Select the bus carrying the ducking (vocal) signal via the Ducker plug-in's Side Chain menu.

Note: unlike all other Side Chain plug-ins, the Ducker's Side Chain is mixed with the output signal after passing through the plug-in. This ensures that the ducking (voice-over) Side Chain signal is heard at the output.

4 Adjust the Ducker plug-in parameters.

The Ducker plug-in offers the following parameters:
• Intensity: sets the amount of volume reduction (of the music track, which is in effect the output signal).
• Threshold: determines the lowest level a Side Chain signal must reach before it starts reducing the output (music mix) level by the amount set with the Intensity slider. If the Side Chain signal level does not reach the threshold, the track (music mix) volume is not affected.
• Attack: controls how quickly the volume is reduced. If you want the (music mix) signal to fade, set this slider to a high value. This value also controls whether or not the volume is reduced before the threshold is reached (the earlier this happens, the greater the delay introduced). Note that this only works if the ducking signal is not "live" (in other words, the ducking signal must be an existing recording): Logic must analyze the signal before playback in order to anticipate when the ducking starts.
• Hold: determines how long the track (music mix) volume stays reduced. This control avoids the chattering effect that can be caused by a rapidly changing Side Chain level. If the Side Chain level hovers just around the threshold, rather than clearly exceeding it or staying below it, set the Hold parameter to a high value to compensate for rapid volume reductions.
• Release: controls how quickly the volume returns to its original level. Use a high value if you want the music mix to come back up slowly after the announcement.

New Speech Enhancer plug-in
Logic Express 7.2 includes the new Speech Enhancer plug-in. This plug-in is designed to improve vocal recordings made with your computer's built-in microphone (where applicable). It combines noise reduction, advanced microphone frequency remodeling, and multiband compression.

The plug-in offers the following controls:
• Noise Reduction: the value of this slider lets you gauge the noise floor of your recording and thus the amount of noise to remove. Settings towards 100 dB keep more noise. Settings towards 0 dB remove more background noise, but increase artifacts.
• Mic Correction button and Mic Model menu: enable this button to improve the frequency response of audio recordings made with your built-in microphone, creating the impression that a high-quality microphone was used. Choose the appropriate model from the Mic Model menu. You can use the Mic Enhancer plug-in with other microphones, but correction models are only provided for built-in Macintosh mics. If a non-Macintosh microphone is used, results will be better with Mic Correction disabled.
• Voice Enhance button and menu: enabling this button activates the multiband compression of the mic modeler. You can choose from three compression settings to make the recorded voice more audible and intelligible. Use the setting that gives the best results in your situation.

Enhance Timing effect
The Enhance Timing plug-in non-destructively improves the timing of audio recordings.
It offers two parameters: the Intensity control determines the amount of timing enhancement. Audio transients that do not fall on grid divisions (determined by the value chosen in the Grid menu) are corrected. The Grid pop-up menu lets you choose between different grid divisions. As described below, the grid divisions serve as reference points for the timing correction process.

The Enhance Timing plug-in is designed to "tighten" the playing (of recorded audio) in a production. It can be used on a variety of material and works in real time. Obviously, this type of real-time quantization has certain limitations. It does not work well on recordings that were played too far off the beat. The same applies to very complex, multi-layered percussion tracks. It offers noticeable timing improvements on relatively tight melodic and percussive sequences played in eighth or quarter notes. If a large amount of timing correction is required and the transients are too far off, you may notice a number of audio artifacts; try to find the right balance between sound quality and timing enhancement.

Important: for technical reasons, the Enhance Timing plug-in only works on audio tracks and must be inserted in the top insert slot.

Tip: for triplets, try the 1/12 note setting for eighth-note triplets.

Vocal Transformer effect
The Vocal Transformer plug-in lets you manipulate vocal tracks in various ways.
If you want to transpose the pitch of a vocal line, or turn a vocal track into a "Mickey Mouse" voice, the Vocal Transformer plug-in is the one to use. The settings menu in the plug-in window lets you choose between two presets. With the two sliders below the menu, you can modify the presets and create your own settings. The Pitch slider transposes the pitch by up to two octaves up or down. Adjustments are made in semitone steps. The Formant parameter shifts the formants while preserving the pitch, or changes it independently. If you set this parameter to positive values, the voice sounds like Mickey Mouse. If you adjust the parameter downwards, you can get effects similar to Darth Vader in Star Wars.

Enhance Pitch effect
Logic Express includes the new Enhance Pitch effect, which non-destructively corrects the intonation of audio recordings. The Response slider determines the speed at which the audio recording reaches the target corrected pitch. If the response is too slow, the pitch of the output signal will not be changed quickly enough. The response of pitch changes is indicated in milliseconds. The optimum setting of this parameter depends on the tempo, the vibrato, and the quality of the original performance. The Scale buttons let you set the pitch quantization grid. The notes of the audio recording are moved closer to the pitch set in the grid. The default Scale setting is Chromatic. If this setting is active, the Enhance Pitch plug-in moves the notes towards the nearest pitch on the (12-note) chromatic scale. If you choose the Major or Minor scale, the Root menu lets you set the root note of the scale.
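The Scale, Root, and Response behaviour described above, as an added example (not Logic's own code): a pitch quantizer that snaps each detected pitch to the selected scale grid and glides toward that target at the Response rate. The scale intervals, the one-pole smoother, and the 10 ms analysis hop are assumptions made for this example.

```python
# Added example (not Logic's own code): a pitch quantizer modelled on the
# Enhance Pitch controls. Scale is Chromatic, Major or Minor, Root is a note
# name, and Response is the time in ms the output takes to settle toward the
# target pitch. The scale intervals, the one-pole smoother and the 10 ms
# analysis hop are assumptions made for the sake of the example.
import math

NOTE_NAMES = ["C", "C#", "D", "D#", "E", "F", "F#", "G", "G#", "A", "A#", "B"]

# Semitone offsets from the root for each Scale button (assumed grids).
SCALES = {
    "Chromatic": list(range(12)),
    "Major": [0, 2, 4, 5, 7, 9, 11],
    "Minor": [0, 2, 3, 5, 7, 8, 10],   # natural minor
}

A4_HZ = 440.0
A4_MIDI = 69


def hz_to_midi(hz):
    """Fractional MIDI note number of a frequency (A4 = 440 Hz = 69)."""
    return A4_MIDI + 12.0 * math.log2(hz / A4_HZ)


def midi_to_hz(note):
    """Frequency of a (possibly fractional) MIDI note number."""
    return A4_HZ * 2.0 ** ((note - A4_MIDI) / 12.0)


def scale_grid(scale, root):
    """Pitch classes (0-11) permitted by the chosen Scale and Root."""
    root_pc = NOTE_NAMES.index(root)
    return {(root_pc + step) % 12 for step in SCALES[scale]}


def nearest_grid_note(detected, scale="Chromatic", root="C"):
    """Snap a fractional MIDI pitch to the closest note on the grid.

    Candidates are the grid notes within an octave on either side; on an
    exact tie (e.g. C# between C and D in C major) the lower note wins.
    """
    grid = scale_grid(scale, root)
    base = math.floor(detected)
    best = None
    for note in range(base - 12, base + 14):
        if note % 12 not in grid:
            continue
        if best is None or abs(note - detected) < abs(best - detected):
            best = note
    return best


def enhance_pitch(detected_hz, scale="Chromatic", root="C",
                  response_ms=100.0, hop_ms=10.0):
    """Return the corrected pitch (Hz) for each analysis hop.

    Each detected pitch is snapped to its grid target; the output then glides
    toward that target with a one-pole smoother whose time constant is the
    Response setting, so a slow Response leaves the output lagging behind.
    """
    alpha = 1.0 - math.exp(-hop_ms / max(response_ms, 1e-9))
    current = None
    corrected = []
    for hz in detected_hz:
        target = nearest_grid_note(hz_to_midi(hz), scale, root)
        if current is None:
            current = hz_to_midi(hz)          # start from the raw pitch
        current += alpha * (target - current)
        corrected.append(midi_to_hz(current))
    return corrected


if __name__ == "__main__":
    # Constructed input: 50 hops (0.5 s) of a sustained note slightly sharp of A4.
    sharp_a = [445.0] * 50
    out = enhance_pitch(sharp_a, "Chromatic", "C", response_ms=100.0)
    print("first hop %.2f Hz, last hop %.2f Hz" % (out[0], out[-1]))
```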
Important: the Enhance Pitch plug-in can only produce accurate results on monophonic (single-note) audio recordings.

Platinum Verb and Tape Delay Mix slider
The user interface of Platinum Verb and Tape Delay has been improved: the Dry and Wet sliders have been moved from the 001/011 view to the Editor view, replacing the Mix slider (which is still available in 001/011 mode).

Support for multichannel Audio Units instruments
Logic Express 7.2 supports up to 32 mono outputs from multi-output Audio Units instruments (earlier Logic versions supported 16 mono channels).

To access the individual outputs of an audio instrument:
• Click the Instrument slot of the Audio Instrument object and choose the desired Audio Units instrument from the Multichannel submenu of the Plug-in menu.

The first two outputs of the multi-output instrument are played as a stereo pair by the instrument channel in which the plug-in is inserted. The additional outputs are accessed via Aux objects.

Conversion of EVP73, EXSP24, and ET1 Audio Units plug-ins
When loaded, existing songs containing an instance of the EVP73 (AU) plug-in are converted to use the GarageBand electric piano (if the Audio Units plug-in is unavailable). Existing songs containing an instance of the EXSP24 (AU) plug-in are converted to use the internal EXS24 player (if the Audio Units plug-in is unavailable). Existing songs containing an instance of the ET1 (AU) plug-in are converted to use the internal Tuner plug-in (if the Audio Units plug-in is unavailable).
Corrections to the Logic Express 7 documentation
The following section covers a number of corrections to the manual, concerning features that changed after the documentation was written, or corrections of previously incorrect information.

Freezing tracks that use DSP card effects
The Logic Express 7 Reference Guide incorrectly states that you cannot freeze tracks that use DSP card-based effects. This feature is in fact supported.

Opening a fixed plug-in window
The Logic Express 7 Reference Guide states that Shift-double-clicking an insert slot opens a non-floating plug-in window. This information is incorrect. The shortcut for this window is Control-Option-double-click.

Exporting Logic 4.8 songs
The Logic Express 7 Reference Guide mentions the possibility of exporting songs in Logic 4.8 format. This is not possible directly from Logic Express 7, but you can use Logic 6.4.3 to open a song in Logic Express 7 format and then use the Logic 4.8 export function available in Logic 6.4.3.

Warning: note that data (such as automation) is lost when a song is exported in Logic 4.8 format.

Input objects in Logic Express
The audio Input objects described in the Logic Express 7 Reference Guide do not exist in the application.

Note velocity via Hyper Draw in Logic Express
The Hyper Draw note velocity feature, described on pages 236 and 348 of the Logic Express 7 Reference Guide, does not exist in the application.
Record Enable buttons in Logic Express
The Record Enable buttons for audio instrument and MIDI tracks described in the Logic Express 7 Reference Guide do not exist in the application.

Mac OS X Server
QuickTime Streaming Server 5.0 Administration
For Mac OS X Server version 10.3 or later

Apple Computer Inc. © 2003 Apple Computer, Inc. All rights reserved.

The owner or authorized user of a valid copy of QuickTime Streaming Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies or providing paid support services.

Every effort has been made to ensure the accuracy of the information in this manual. Apple Computer, Inc. is not responsible for printing or clerical errors.

The Apple logo is a trademark of Apple Computer Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-1) for commercial purposes may constitute trademark infringement and/or unfair competition.

Apple, the Apple logo, AirPort, AppleScript, FireWire, iMac, iMovie, iTunes, Mac, the Mac logo, Macintosh, Mac OS, PowerBook, Power Mac, QuickTime, and Xserve are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. PowerPC is a trademark of International Business Machines Corporation, used under license.

Note: Apple continually improves the performance and design of its products. Some illustrations in this manual may differ slightly from your version of the software.
F022-1324

Contents

Preface
7 Welcome to QuickTime Streaming Server
8 What's new in QuickTime Streaming Server (QTSS) for Mac OS X Server version 10.3
10 The QuickTime product suite
11 Additional information

Chapter 1
13 QuickTime Streaming Overview
13 What is streaming?
14 Live versus on-demand delivery
14 Progressive download (HTTP) versus streaming (RTP/RTSP)
14 Instant-On streaming
15 Simplified setup for live video
16 How to receive media streams
16 Multicast versus unicast
18 Relays

Chapter 2
19 Setting up your QuickTime Streaming Server
19 Hardware and software requirements for QuickTime streaming
19 Viewer computer requirements
20 Live broadcast requirements
20 Bandwidth considerations
21 Setting up your streaming server
21 Testing your setup
22 Accessing media streamed by your server

Chapter 3
23 Managing your QuickTime Streaming Server
24 Using the Web-based application to manage QuickTime streaming
25 Using Server Admin to manage QuickTime streaming
25 Starting or stopping the streaming service
25 Changing the maximum number of streaming connections
25 Changing the maximum streaming throughput
26 Changing the media streaming directory
26 Binding the streaming server administration computer to an IP address
27 Hosting streams from multiple user media directories
27 Setting up relay streams
28 Changing QuickTime Streaming log settings
28 Security and access
29 Streaming through firewalls via port 80
29 Streaming through firewalls or networks with address translation
30 Changing the password required to send an MP3 broadcast stream
30 Using automatic unicast (announce) with QTSS on a separate computer

Chapter 4
31 Managing your media
31 QTSS Publisher overview
32 About playlists and hinting
33 Connecting to Mac OS X Server
33 Uploading media from QTSS Publisher to a QuickTime Streaming Server
33 Preparing content for delivery on the Web
33 Preparing prerecorded media for broadcast
34 Improving performance of hinted movies exported from QuickTime Player
34 Creating and managing playlists
35 Creating and changing movie annotations
36 Changing the still image of a movie embedded in a Web page
36 Delivering your content
36 Posting content for streaming or download
36 Starting and stopping playlists
37 Converting content into a Web page

Chapter 5
39 Troubleshooting
39 Using log files to monitor playlist broadcasts
39 Media files are not streamed correctly
40 Users cannot connect to your broadcast
40 Users receive error messages while streaming

Chapter 6
43 Setup example
43 Streaming presentations, live and on demand
45 Setup
53 Creating a Web page to simplify access
53 Shooting the live presentation
54 Archiving the live presentation

Glossary 57
Index 65

Preface
Welcome to QuickTime Streaming Server
Discover what's new in this version of QuickTime Streaming Server, as well as the QuickTime product suite.
The suite of services in Mac OS X Server version 10.3 ("Panther") includes QuickTime Streaming Server (QTSS) version 5.0. QTSS comes preinstalled on Apple server hardware. In design and configuration, QTSS is similar to Apache, the popular Web server software also included with Mac OS X Server. If you have experience with Apache, QTSS will seem familiar.

If you have previously administered a QuickTime Streaming Server using the Web-based application, Web Admin, you can continue to do so. Web Admin is useful for administering a streaming server remotely or from non-Mac computers. For more information, see "Using the Web-based application to manage QuickTime streaming" on page 24. Server Admin for Mac OS X Server version 10.3 has a user-friendly interface for performing the tasks you used to perform with Web Admin.

What's new in QuickTime Streaming Server (QTSS) for Mac OS X Server version 10.3
Integrated into Mac OS X Server version 10.3, QTSS version 5 is the next generation of Apple's powerful, standards-based streaming server. With an emphasis on ease of use and integration with Mac OS X Server, this version of QTSS brings a number of improvements:

• New server administration
QTSS administration has been redesigned and is now integrated into Mac OS X Server Admin. You can customize streaming server settings, including binding QTSS to a specific IP address, monitoring server activity, setting up relays, and viewing log files, with the same interface as the other Mac OS X Server services. The Web-based application is still available for administering QTSS.
You can run Server Admin on Mac OS X Server version 10.3 or later, or on any Mac computer running Mac OS X version 10.3 or later. For more information about installing administration software on a workstation, see the Mac OS X Server Getting Started guide for version 10.3 or later. You can use Mac OS X Server version 10.3 to monitor computers running Mac OS X version 10.2 or later.

• Home directory streaming
QTSS now supports streaming movies from users' home directories. Users can stream their own movies by placing hinted files in the Sites/Streaming folder of their home directory; the audience can access the movies via a URL of the form rtsp://monserveur/~utilisateur/film.mov. System administrators no longer need to place user files in the main media directory; movies are ready to stream as soon as they are copied. With home directory support, you can also implement account-based streaming to specify the disk space used for local streaming folders (via Workgroup Manager).

• QuickTime Streaming Server Publisher
Use this new, easy-to-use application to manage all your QuickTime media, for both streaming and progressive download, on Mac OS X Server version 10.3. The ability to run the application either locally on the server or remotely from any Mac computer running Mac OS X version 10.2 or later lets QTSS Publisher meet the needs of both webmasters and content creators. QTSS Publisher lets you:
• Upload media to Mac OS X Server "Panther".
• Prepare content for streaming. QTSS Publisher automatically applies hint tracks to movies that lack them, to ensure reliable streams.
• Embed media in a Web page. QTSS Publisher generates HTML code that you can copy and paste into an existing Web page.
• Annotate movies. Add the appropriate title, credits, and copyright information to your media.
• Generate Web pages. QTSS provides templates you can use to convert your content into Web pages.
• Create playlists. Create server-side MP3, MP4, and movie playlists by simple drag and drop. The iTunes-like interface makes it easy to turn your streaming server into an Internet radio station or to offer your audience a simulated live presentation from prerecorded QuickTime movies.
• Update playlists live. Add media or reorder items in a playlist without interrupting the broadcast to your audience.

Other QTSS features include:
• Native MPEG-4 streaming
Stream ISO-compliant hinted MPEG-4 files to any ISO MPEG-4 player, without prior conversion to .mov files.
• MP3 audio streaming
Create your own Internet radio station. You can distribute standard MP3 files using Icecast-compatible protocols over HTTP. Create a playlist of MP3 files and deliver them to MP3 clients such as iTunes, SoundJam, and WinAmp for a simulated live experience.
• Skip Protection
Apple's Skip Protection technology, a set of quality-of-service features, takes advantage of excess available bandwidth to cache data locally on the client.
• Instant-On
Users with a broadband connection who view a video stream with QuickTime 6 or later benefit from Instant-On. This feature improves data buffering and dramatically reduces buffering time. Instant-On also lets broadband users use the time slider to scrub an on-demand stream forward or backward, with playback updated instantly.
• Authentication
Two types of authentication, Digest and Basic, let you control access to protected media.
• Server-side playlists
You can broadcast a set of media files as if it were a live broadcast. This can be ideal for creating and managing a virtual radio or television station.
• Relay management
You can easily set up multiple layers of servers to deliver streams to a virtually unlimited number of clients.

The QuickTime product suite
The QuickTime product suite is unique in that it includes all the software you need to produce, deliver, and receive streams. Each product is designed for maximum compatibility with all other components of the suite.
The QuickTime suite consists of the following products:

• QuickTime Player. The free QuickTime Player application is an easy-to-use application for playing, manipulating or viewing QuickTime-compatible video, audio, virtual reality (VR) and graphics files.
• QuickTime Pro. The powerful "pro" version of QuickTime Player offers many media authoring features. You can create slideshows, encode complex video and audio sequences, edit movie tracks, create hint tracks, build presentations and combine hundreds of different media types into a single movie file.
• QuickTime Streaming Server. Included with Mac OS X Server, QuickTime Streaming Server (QTSS) software lets you deliver media in real time or on demand over the Internet, with no per-stream licence fees. Users see the data as soon as it reaches their computer; they do not have to wait for files to download.
• Darwin Streaming Server. This free open-source version of QuickTime Streaming Server supports popular enterprise platforms such as Linux, Solaris, Windows NT/2000 and Windows Server 2003. It can be downloaded as source or binary and can be used on other platforms by modifying a few platform-specific source files.
• QuickTime Broadcaster. QuickTime Broadcaster lets you produce a live broadcast that anyone with an Internet connection can watch. Combining the power of QuickTime with Apple's legendary ease of use, QuickTime Broadcaster is included with Mac OS X Server (and can also be downloaded free from Apple's website).
QuickTime Broadcaster supports most of the codecs that QuickTime supports.

More information

Other resources on QuickTime streaming exist, including courses, mailing lists and frequently asked questions (FAQs). For more information, see the QTSS website at http://www.apple.com/quicktime/qtss

• The QTSS product page has the latest information on key features, recent downloads and minimum system requirements, as well as links to other support pages: http://www.apple.com/quicktime/products/qtss/
• The AppleCare support page for Mac OS X Server links to many useful Knowledge Base articles on all the services provided with Mac OS X Server, including QTSS and Apache. It also links to the PDF files of the Mac OS X Server Getting Started guide for version 10.3 or later and the Mac OS X Server Administrator's Guide: http://www.info.apple.com/usen/macosxserver
• The QuickTime streaming course examines QuickTime Streaming Server in depth, teaching system administrators and QuickTime authors the details of real-time delivery. For more information, see the Resources section of the QuickTime Streaming Server page: http://www.apple.com/quicktime/products/qtss/
• The best-selling book "QuickTime for the Web" is an excellent practical guide. Part of the Apple QuickTime Developer Series, it explains how to add video, recorded sound, Flash animation, virtual reality sequences, MIDI, text, still images, live streams, games and user interactivity to a website. The companion CD-ROM includes QuickTime Pro and a complete set of development tools for Windows and Macintosh.
Published by Morgan Kaufmann, this best-seller is offered alongside other useful titles on the QuickTime training website (in English): http://www.apple.com/quicktime/tools_tips/books.html
• The Apple Discussions forum area of the AppleCare support website allows discussion of issues relating to QuickTime Streaming Server. Go to the Mac OS X Server section, then to QuickTime Streaming Server. You can post messages and read the messages of other registered users: http://discussions.info.apple.com/ (in English)
• Apple hosts many mailing lists, including lists for streaming server users and developers. Frequented by Apple engineers, these lists are excellent sources of information for beginning and advanced users alike. To subscribe, click "Lists hosted on this site", then "streaming-server users" or "streaming-server developers", and sign up. You can also search the archives of both lists: http://lists.apple.com (in English)
• The QuickTime services website lists streaming service providers: http://www.apple.com/quicktime/tools_tips/services/
• If you are an advanced user, you can consult the Request for Comments (RFC) documents for the RTP and RTSP standards on the Internet Engineering Task Force (IETF) website: http://www.ietf.org/rfc/rfc1889.txt (RTP) and http://www.ietf.org/rfc/rfc2326.txt (RTSP)
• The public source website provides access to the Darwin Streaming Server (DSS) source code and to developer information.
Be sure to read the FAQs on that page: http://developer.apple.com/darwin/projects/streaming/ (in English)

1 Overview of QuickTime streaming

Before you can set up your QuickTime Streaming Server, it is important to understand what streaming is.

What is streaming?

Streaming is the delivery of media content, such as movies and video presentations, over a network in real time. One computer (the streaming server) sends the media to another computer (the client), which plays the data as it is received. With streaming, no file is downloaded to the receiving computer's hard disk. You can stream at different data rates, from a simple modem connection to a broadband connection.

Just as you need a web server to host a website, sending streams over the Internet or a local network requires a streaming server that delivers audio and video streams on demand. When the audience is small, the same computer can run the web server software, the mail server software and the streaming server software. For a larger audience, one or more computers are usually dedicated to streaming.

When a user requests a stream (using client software such as QuickTime Player), the request is handled with the Real-Time Streaming Protocol (RTSP). The streams themselves are sent with the Real-Time Transport Protocol (RTP). A streaming server can either create streams from QuickTime movies stored on its hard disk, or pass along live streams it has access to.
QuickTime Streaming Server (QTSS) software lets you deliver:

• live broadcasts,
• video on demand,
• playlists of prerecorded content.

Live versus on-demand delivery

Real-time streams are delivered in two ways: live and on demand. QuickTime Streaming Server supports both.

Live events such as concerts, speeches and presentations are usually streamed over the Internet as they happen, using broadcasting software such as QuickTime Broadcaster. The broadcasting software encodes a live source, such as video from a camera, in real time and sends the resulting stream to the server. The server then sends (or "serves") the live stream to clients. Whenever a user connects to the stream, everyone sees the same part of the stream at the same moment. You can simulate a live experience with recorded content, by broadcasting from an archived source (such as a tape deck) or by creating playlists on the server.

With on-demand delivery, of an archived movie or speech for example, each client plays the stream from the beginning, so nobody "arrives late". No broadcasting software is required for on-demand delivery.

Progressive download (HTTP) versus streaming (RTP/RTSP)

Progressive download (sometimes called "Fast Start") is a method of delivering a movie over the Internet so that playback can begin before the file has been completely downloaded.
With progressive download, all the data needed to play a movie is placed at the beginning of the file, so QuickTime can start playing the movie as soon as the first part of the file has been transferred. Unlike streaming, which lets you view movies without downloading any file, Fast Start movies are actually downloaded to the receiving computer. Such a movie can be self-contained, in which case all the data is stored in the movie itself, or it can include pointers to data located on the Internet. You can view progressive-download movies in a web browser with the QuickTime plug-in, or in QuickTime Player. You can create progressive-download movies for viewers with varying connection speeds (called "reference movies") and a streaming movie for viewers with the fastest connections.

Instant-On streaming

Users who watch a video stream with QuickTime 6 or later can benefit from Instant-On. This is an advance in Apple's Skip Protection technology that dramatically reduces buffering time, giving an instant viewing experience. Users can scrub through the video by clicking, as if it were on their hard disk.

Users need a broadband connection to benefit from Instant-On streaming. The responsiveness of Instant-On streaming depends on the bit rate of the content. It can also be affected by the codec used.

Simplified setup for live video

The figure below illustrates a live video and audio streaming setup.
(Most video cameras have a built-in microphone.) You can stream audio alone using just a microphone, a mixer and any other appropriate audio equipment.

A PowerBook G4 computer running QuickTime Broadcaster captures and encodes video and audio. The encoded signal is sent over an Internet Protocol (IP) network to a server running QuickTime Streaming Server (QTSS) software. QTSS on the server computer sends the signal, over the Internet or a local network, to client computers that request the stream with QuickTime Player.

It is also possible to run QuickTime Broadcaster and QTSS on the same computer. However, if you are broadcasting to a large audience (more than 100 people), Apple recommends running QuickTime Broadcaster and QTSS on separate computers.

(Figure labels: Broadcaster; Streaming server)

How media streams are received

When you watch and listen to over-the-air or cable transmissions, on television or radio, the wavelengths used are dedicated to that transmission. These transmissions are usually uncompressed and consume large amounts of bandwidth. That is not a problem, because they do not have to share the frequency band they use.

When you send the same data over the Internet, the bandwidth used is no longer dedicated to that one transmission. The data must share extremely limited bandwidth with thousands, even millions, of other transmissions travelling across the Internet. Media is therefore encoded and compressed before being transmitted over the Internet. The resulting files are stored in a specific location, and streaming server software such as QTSS sends the media over the Internet to client computers.
Macintosh and Windows users can view media streams with QuickTime Player (available free from the Apple website) or with any other application that supports QuickTime or MPEG-4 files. You can also set up streams that users can view from a web browser (the QuickTime plug-in must be installed). When a user starts playing a media stream in a web page, the QuickTime plug-in sends a request to the streaming server, and the server responds by sending the media content to the client computer. In the web page, you specify the content to send to the client: a QuickTime movie located in a specified directory, a live broadcast, or a playlist stored on the streaming server.

Multicast versus unicast

QuickTime Streaming Server supports both multicast and unicast network transport for media stream delivery.

In a multicast, a single stream is shared by the clients (see illustration below). Each client "tunes in" to the stream the way a radio tunes in to an FM broadcast. This technique reduces network congestion, but requires a network that either has access to the multicast backbone ("Mbone") for content delivered over the Internet, or allows multicasting for content delivered on a restricted private network.

In a unicast, each client starts its own stream, creating many one-to-one connections between client and server (see illustration below). Many clients connected by unicast to a stream on a local network can generate significant network traffic. This technique is nevertheless the most reliable for delivery over the Internet, because no special transport handling is required.
(Figure labels: Multicast; Unicast)

Relays

A relay receives an incoming stream and forwards it to one or more streaming servers. Relays reduce Internet bandwidth consumption and are useful for broadcasting to many viewers in different locations.

For example, a company can broadcast a CEO's presentation by relaying it from headquarters to its branch offices. The CEO's presentation is captured live with a video camera. The camera's audio and video are encoded with QuickTime Broadcaster on a Mac OS X computer. A Mac OS X Server computer running QTSS relays the broadcast over the Internet to destination computers that serve the company's branch offices. Employees use client computers to tune in to the destination computers and watch the CEO's presentation. With QTSS, there is no need to configure the destination computers; they automatically receive the broadcast forwarded by the relay computer.

For detailed information on setting up relays, see "Setting up relay streams" on page 27.

(Figure labels: Source; Relay; Destination; Clients; Company headquarters; Branch offices; Internet)

2 Setting up your QuickTime Streaming Server

The aim of this chapter is to get you setting up and using your QuickTime Streaming Server quickly.

The instructions in this chapter assume that you have already installed Mac OS X Server "Panther" and completed its initial basic setup. To learn how to set up Mac OS X Server, see the document "Mac OS X Server Getting Started for version 10.3 or later" (included on the Mac OS X Server installation CD-ROM and downloadable from www.apple.com/server/documentation).
Hardware and software requirements for QuickTime streaming

The requirements for QuickTime Streaming Server are listed in the Mac OS X Server Getting Started guide for version 10.3 or later.

Requirements for the viewing computer

Any computer with QuickTime 4 or later installed can display the media sent by the streaming server. For best results, Apple recommends QuickTime 6 or later. QuickTime 6 and a broadband Internet connection are required to benefit from Instant-On with QTSS 4.1 or later. Any ISO-compliant MPEG-4 player can view MPEG-4 files. MP3 playlist streams can be listened to with iTunes or any other compatible MP3 stream player, such as WinAmp.

You can download QuickTime Player from the QuickTime website at http://www.apple.com/quicktime

Requirements for live broadcasting

To broadcast live content, you can use QuickTime Broadcaster, which is included and installed with Mac OS X Server. For more information, including setup, see the Apple QuickTime Broadcaster web page (http://www.apple.com/quicktime/products/broadcaster/) and the QuickTime Broadcaster online help.

You need the following hardware to broadcast live audio or video:

• Source hardware for audio, video or both, for example a VCR, a camcorder and a microphone.
• A computer with QuickTime Broadcaster or other broadcasting software (PowerPC G4 recommended for MPEG-4 broadcasting), plus a video or audio capture card.
Note: QuickTime Broadcaster supports video capture from most FireWire sources (including digital (DV) camcorders, some webcams and DV converter boxes) for a simple, fast broadcasting workflow with professional-quality results.
• 128 MB of RAM (256 MB recommended for professional broadcasting)
• QuickTime 6 or later

Bandwidth considerations

It is generally not advisable to connect a streaming server to the Internet or to a local network through a DSL (Digital Subscriber Line) or cable modem. The server would be severely limited by the relatively low bandwidth these modems provide for sending data out from the server. In some cases, running a server on a DSL connection can violate a service agreement. Check with your DSL or cable provider before setting up the server.

When creating RTSP (Real-Time Streaming Protocol) streams, you get the best performance if the streams do not exceed 75% of the expected client bandwidth. For example, do not use a data rate above 21 kilobits per second (Kbps) for a 28 Kbps modem connection. For a typical 56K modem connection, do not exceed 40 Kbps. For a T1 client connection (1500 Kbps), do not use a data rate above 1125 Kbps.

Setting up your streaming server

This section explains how to set up the streaming server, test your setup and access the media streamed by your server.

To set up your streaming server:
1 Open Server Admin.
2 In the Computers & Services list, select the computer you want to set up as a QuickTime Streaming Server and make sure you can see all of its services (click the triangle next to the computer if you cannot).
3 In the Computers & Services list, click QuickTime Streaming.
4 Click Start Service.

Testing your setup

Sample QuickTime movies are provided with QTSS in the default movies folder, so that you can test the server setup. These samples can be viewed from a client computer with QuickTime Player.

Note: the included sample .mp3 file is intended only for MP3 playlist broadcasting. It is not a hinted QuickTime movie and cannot be streamed on demand over RTSP. For more information on preparing prerecorded media (MP3 or other) for simulated live broadcast, see "Preparing prerecorded media for broadcast" on page 33.

To test your server setup by viewing a sample movie:
1 On another computer, open QuickTime Player.
2 Choose File > Open URL in New Player.
3 Type the following URL: rtsp://nom_hôte/sample_300kbit.mov
where nom_hôte is the host name or IP address of the QuickTime Streaming Server. Choose the sample movie whose bit rate suits your bandwidth.
4 Click OK.
QuickTime Player connects to the server and plays the movie in a new window.
If you see the message "File Not Found":

First make sure the URL was typed correctly; note that it is case-sensitive.

If your streaming server is multihomed (for example, it also hosts a web server), you may need to specify a different IP address for streaming. A web server automatically uses port 80; with some QuickTime client configurations, QTSS also uses port 80. You can choose or add an IP address for the streaming server in the QuickTime Streaming pane of Server Admin. Click Settings, click IP Bindings, then select the Bind checkbox for the desired IP address.

The initial setup of your streaming server software is complete. Further settings depend on your hardware and software, your network connections, the expected number of viewers and the type of media you want to stream. For more information on determining these settings and on using the streaming server, see Chapter 3, "Managing your QuickTime Streaming Server", Chapter 6, "Setup example", and the resources listed on page 11.

Accessing the media streamed by your server

To play media streams, users need QuickTime 4 or later (or an MP4 player). Here are the instructions to give users who want to view the media streams delivered by your server.

To view media streams:
1 Open QuickTime Player.
2 Choose File > Open URL.
3 Type the URL of the media file. For example: rtsp://monserveur.com/monfichier
where monserveur.com is the DNS name of the QTSS computer and monfichier is the name of the movie or media file.
This URL assumes that the movie or media file is at the top level of the media directory. For movies in subfolders of that directory, add the folder to the path. For example: rtsp://monserveur.com/mondossier/monfichier.mov

If you want users to view media streams with a web browser, you must set up a web page that displays the media (see "Turning content into a web page" on page 37) and give users the URL of that page. Typing an RTSP URL directly into the web browser's address field is not recommended, because some browsers do not understand the "rtsp" scheme.

3 Managing your QuickTime Streaming Server

This chapter contains information on streaming through firewalls, setting up relays and administering a QuickTime Streaming Server remotely.

To set up and manage QuickTime Streaming Server (QTSS), you use the Server Admin application, installed with Mac OS X Server version 10.3 or later. This application provides a standard graphical user interface for all supported platforms and lets you administer the streaming server locally or remotely. Server Admin lets you change general settings, monitor connected users, view log files, manage bandwidth use and relay streams from one server to another.

Here is a brief description of the five QuickTime Streaming panes:

• Overview: gives a summary of the server's current activity.
• Logs: shows error logs for troubleshooting, as well as access logs that contain information such as the number and times of accesses to a media file.
• Connections: gives information on connected users and active relays.
• Graphs: shows a graph of the average number of connected users, or of throughput, over time (hours or days).
• Settings: lets you specify server settings, bind QTSS to specific IP addresses (if the server computer is multihomed), enable relays and change log settings.

The QuickTime Streaming Server Publisher application is also provided with QTSS and automates the process of preparing and streaming movies. Its friendly interface makes it easy to publish error-free streaming content on the web. You can use QTSS Publisher to create playlists, automatically hint movies, or easily embed movies in a website. For more information on QTSS Publisher, see Chapter 4, "Managing your media", on page 31.

Using the web-based application to manage QuickTime streaming

If you previously administered a QuickTime Streaming Server with the web-based application, Web Admin, you can continue to do so. Web Admin is useful for administering a streaming server remotely or from non-Mac computers.

To use Web Admin:
1 In Server Admin, select QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Click Access.
4 Select "Enable web-based administration".
5 Click Save.
For more information on using Web Admin, see the QTSS/Darwin Streaming Server administration guide, available at http://developer.apple.com/fr/darwin

Note: if you have used the web-based application, Web Admin, to administer a QuickTime Streaming Server, you will now find the administration features in the Mac OS X Server Admin application. Use QTSS Publisher to create playlists and to prepare and organise media files.

Using Server Admin to manage QuickTime streaming

This section contains instructions for tasks such as starting and stopping streaming, setting up a multihomed server, and changing settings such as the maximum number of connections and the maximum allowed throughput.

Starting or stopping streaming service

You can start or stop streaming service from the QuickTime Streaming pane of Server Admin.

To start or stop streaming service:
1 Open Server Admin.
2 In the Computers & Services list, click QuickTime Streaming for the server.
3 At the top of the window, click Start Service or Stop Service.

Changing the maximum number of streaming connections

When the specified maximum number of connections is reached, users who try to connect see a message saying that the server is busy or that there is insufficient bandwidth (error 453).

To change the maximum number of connections:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Type a number in the Maximum Connections field.
4 Click Save.

Changing the maximum streaming throughput

If the maximum throughput is reached, nobody else can connect.
Users who try to connect receive a message saying that the server is busy (error 453).

To change the maximum throughput:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Type a number in the Maximum Throughput field.
4 Click Save.
You can specify values in megabits per second (Mbps) or kilobits per second (Kbps) using the pop-up menu.

Changing the media streams directory

QuickTime Streaming Server has one main media directory (/Library/QuickTimeStreaming/Movies). You can specify a different directory for your media streams (for example, to move the directory to another hard disk).

To specify a different media directory:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Type a path name in the Media Directory field, or click the button next to the field to choose a folder.
4 Click Save.

Binding the streaming server computer to an IP address

If your streaming server computer is multihomed (for example, if you also host a web server on it), you can specify the IP address to bind QTSS to.

To specify an IP address:
1 In Server Admin, click QuickTime Streaming.
2 Click Settings, then click IP Bindings.
3 Select the Bind checkbox for the desired IP address.
4 Click Save.
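The Maximum Connections and Maximum Throughput settings described above, the 75% rule from "Bandwidth considerations" in Chapter 2, and the unicast versus multicast comparison in Chapter 1 all come down to one piece of arithmetic: how much of the server's uplink each viewer consumes. The following Python script is an added planning example, not part of the Apple guide and not Apple code. It applies the guide's 75% client rule and, as an assumption of its own, the same 75% margin to the server uplink; the `uplink_kbps` and `stream_bitrate_kbps` inputs and the function names are the example's, not settings from Server Admin.

```python
"""Capacity planning for a unicast streaming server (added example).

Two rules are encoded: keep each stream within 75% of the client's link
(from the guide), and keep the sum of all unicast streams within 75% of
the server uplink (an assumption of this example, not a figure from the
guide). The result is a consistent pair of values for the Maximum
Connections and Maximum Throughput settings.
"""
from dataclasses import dataclass
from typing import List

CLIENT_HEADROOM = 0.75   # guide: a stream should not exceed 75% of client bandwidth
SERVER_HEADROOM = 0.75   # assumption: apply the same margin to the server uplink


def max_stream_bitrate_kbps(client_bandwidth_kbps: float) -> float:
    """Highest stream bit rate that stays within 75% of the client link."""
    return client_bandwidth_kbps * CLIENT_HEADROOM


def unicast_load_kbps(clients: int, stream_bitrate_kbps: float) -> float:
    """Uplink used by N unicast viewers: every viewer receives a full copy."""
    return clients * stream_bitrate_kbps


def multicast_load_kbps(clients: int, stream_bitrate_kbps: float) -> float:
    """Uplink used by a multicast: one copy of the stream however many tune in."""
    return stream_bitrate_kbps if clients > 0 else 0.0


def max_unicast_clients(uplink_kbps: float, stream_bitrate_kbps: float) -> int:
    """Concurrent unicast viewers the uplink can carry with server headroom."""
    if stream_bitrate_kbps <= 0:
        raise ValueError("stream bit rate must be positive")
    return int((uplink_kbps * SERVER_HEADROOM) // stream_bitrate_kbps)


@dataclass
class ServerLimits:
    """Values to enter in Server Admin's Maximum Connections / Maximum Throughput."""
    max_connections: int
    max_throughput_kbps: float


def suggested_limits(uplink_kbps: float, stream_bitrate_kbps: float) -> ServerLimits:
    """Limits at which the connection cap and the throughput cap coincide."""
    n = max_unicast_clients(uplink_kbps, stream_bitrate_kbps)
    return ServerLimits(max_connections=n, max_throughput_kbps=n * stream_bitrate_kbps)


def check_limits(limits: ServerLimits, uplink_kbps: float,
                 stream_bitrate_kbps: float) -> List[str]:
    """Findings for an existing pair of limits; an empty list means consistent."""
    findings = []
    budget = uplink_kbps * SERVER_HEADROOM
    if limits.max_throughput_kbps > budget:
        findings.append(
            f"Maximum Throughput {limits.max_throughput_kbps:.0f} Kbps exceeds the "
            f"uplink budget of {budget:.0f} Kbps")
    needed = unicast_load_kbps(limits.max_connections, stream_bitrate_kbps)
    if needed > limits.max_throughput_kbps:
        # Both caps answer with error 453; this one is reached first.
        findings.append(
            f"{limits.max_connections} connections at {stream_bitrate_kbps:.0f} Kbps "
            f"need {needed:.0f} Kbps, above Maximum Throughput; viewers will get "
            f"error 453 from the throughput cap before the connection cap")
    return findings


if __name__ == "__main__":
    # Constructed figures: a 10 Mbps uplink serving the 300 Kbps sample movie.
    limits = suggested_limits(10_000, 300)
    print(limits)
    print(check_limits(ServerLimits(100, 7_500), 10_000, 300))
```

With a 10 Mbps uplink and the 300 Kbps sample movie the script suggests 25 connections and 7500 Kbps; a configuration of 100 connections at the same throughput is flagged, because the throughput cap would turn viewers away long before the connection count is reached. Note that the guide rounds the 56K modem case down to 40 Kbps rather than the computed 42 Kbps; the function returns the unrounded value.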
You can choose to bind QTSS to all of the listed IP addresses or only to the selected ones.

Hosting streams from several users' media directories

QuickTime Streaming Server can have only one main media directory. However, by enabling home directory support, users can stream files or playlists on demand from their own home directories.

To set up QTSS to stream movies from users' home directories:
1 In Server Admin, click QuickTime Streaming.
2 Click Settings, then click Access.
3 Select "Enable home directory streaming".
4 Click Save.
5 Ask users to put their QuickTime movies in the folder created in their home directory (~/Sites/Streaming).

To view a movie in a user's directory, type a URL of the following form: rtsp://nom_hôte.com/~utilisateur1/exemple.mov

Note: to stream a live broadcast from a directory other than the media directory, you must create a qtaccess file. For more information, see the QuickTime Streaming Server administration guide, available at http://developer.apple.com/fr/darwin

Setting up relay streams

You use relays to accept a stream from one streaming server and forward, or "relay", it to another streaming server. Each relay consists of a source and one or more destinations.

To set up a relay:
1 In the Settings pane of the QuickTime Streaming service, click Relays.
2 Click the Add (+) button next to the Relays list.
3 Type a name for the relay in the Relay Name field.
4 Choose an option from the Relay Type pop-up menu.
The "Request incoming stream" option tells the streaming server to send the source computer a request for the incoming stream before relaying it. You can use this to relay a live broadcast (from another server) or to request a stored file and turn it into an outgoing live stream. The "Unannounced UDP" option tells the server to send the stream immediately.
The "Announced UDP" option tells the server to wait for the incoming stream and then relay it. Relays configured to wait for announced streams can accept only media streams that use the RTSP announce protocol.
5 In the Source IP field, type the DNS host name or IP address of the source computer.
6 In the Path field, type the path name of the stream.
7 If the source computer requires authentication for automatic broadcasts, type a user name and password.
8 Make sure "Enable relay" is selected and click the Back button.
9 Click the Add (+) button next to the Destinations list.
10 Type the requested information and click the Back button.
11 Repeat steps 9 and 10 for each destination, then click Save.
To enable or disable a relay, select or deselect the Enable checkbox next to the relay in the list. To delete a relay, select it and click the Delete (–) button.

Changing QuickTime Streaming log settings
You can specify that each log be reset after a certain number of days.
To change the log settings:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Click Logging.
The access log is updated only when a client connection ends.
A client that is connected at the time of a power failure or server crash is not logged and does not appear in the access log when the server is restarted. Log files are stored in /Library/QuickTimeStreaming/Logs/.

Security and access
Real-time streaming has a certain level of security built in, since content is sent only when the client needs it and no file is retained, but other security issues can still arise.
For more information about creating QTSS user accounts, see the QTSS/Darwin Streaming Server administrator's guide (at http://developer.apple.com/fr/darwin/) or the Mac OS X Server version 10.3 command-line administration guide (at www.apple.com/server/documentation).

Streaming through firewalls over port 80
If you set up a streaming server on the Internet and expect some of your clients to be behind firewalls that allow only web traffic, enable streaming on port 80. With this option, the streaming server accepts connections on port 80 (the default port for web traffic), and QuickTime clients can connect to your streaming server even from behind a firewall that allows only web traffic. If you enable streaming on port 80, be sure to disable any web server that has the same IP address, to avoid conflicts with your streaming server.
To stream QuickTime media over HTTP port 80:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings.
3 Click IP Bindings.
4 Select "Enable streaming on port 80".
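Before selecting "Enable streaming on port 80", the conflict this section warns about (a web server already bound to the same address) can be checked from the command line. The script below is an added example, not part of the guide or of QTSS: it parses the output of `lsof -nP -iTCP:80 -sTCP:LISTEN` (a real lsof invocation; the sample output and the 192.0.2.x addresses are constructed) and reports listeners that collide with the addresses ticked in the IP Bindings pane.

```python
"""Check for a web server already listening on port 80 before enabling
"Enable streaming on port 80" in Server Admin.

Added example; not part of the guide or of QTSS. It parses the output of
`lsof -nP -iTCP:80 -sTCP:LISTEN` and reports listeners that collide with the
addresses QTSS is bound to in the IP Bindings pane. The sample output and
the 192.0.2.x addresses below are constructed for this example.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str   # "*" means the socket is bound to every local address
    port: int


# Constructed sample in the column layout lsof prints with -nP (no name lookups).
SAMPLE_LSOF_OUTPUT = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     412  root    3u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:80 (LISTEN)
httpd     413   www    3u  IPv4 0x1a2c      0t0  TCP 192.0.2.10:80 (LISTEN)
"""


def parse_lsof(output: str) -> List[Listener]:
    """Turn lsof -nP -iTCP output into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
        if len(fields) < 9 or fields[7] != "TCP":
            continue
        address, _, port = fields[8].rpartition(":")   # "192.0.2.10:80" or "*:80"
        listeners.append(Listener(fields[0], int(fields[1]), address, int(port)))
    return listeners


def port80_conflicts(listeners: Sequence[Listener],
                     qtss_bindings: Sequence[str]) -> List[Listener]:
    """Listeners on port 80 that would collide with QTSS's bound addresses.

    A listener on "*" collides with any binding, and a QTSS binding of "*"
    (all addresses) collides with any port-80 listener.
    """
    bindings = set(qtss_bindings)
    return [
        lst for lst in listeners
        if lst.port == 80
        and (lst.address == "*" or "*" in bindings or lst.address in bindings)
    ]


def live_listeners() -> List[Listener]:
    """Query this host (needs lsof; run as root to see other users' processes)."""
    proc = subprocess.run(["lsof", "-nP", "-iTCP:80", "-sTCP:LISTEN"],
                          capture_output=True, text=True, check=False)
    return parse_lsof(proc.stdout)


if __name__ == "__main__":
    bound = ["192.0.2.10"]   # addresses ticked in the IP Bindings pane (constructed)
    for c in port80_conflicts(parse_lsof(SAMPLE_LSOF_OUTPUT), bound):
        print(f"port 80 on {c.address} is already used by {c.command} (pid {c.pid}); "
              "stop that web server before enabling streaming on port 80")
```

Replace `SAMPLE_LSOF_OUTPUT` with `live_listeners()` to run the check against the server itself.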
Important: if you enable streaming on port 80, make sure your server is not also running a web server such as Apache. Running QTSS with streaming on port 80 alongside a web server can cause a port conflict that makes one or both servers behave abnormally.

Streaming through firewalls or networks with address translation
The streaming server sends data in UDP (User Datagram Protocol) packets. Firewalls designed to protect a network's information often block UDP packets. Client computers behind a firewall that blocks UDP packets cannot receive streamed media. However, the streaming server also supports streaming over HTTP connections, which allows media to be viewed even through very restrictively configured firewalls. Some client computers on networks that use address translation may also be unable to receive UDP packets, but they can receive media that is streamed over HTTP connections.
If users have trouble viewing media through a firewall or on a network that uses address translation, they should upgrade their client software to QuickTime 5 or later. If the problems persist, their network administrator should provide them with the appropriate Streaming Proxy and Streaming Transport settings for their computer. Network administrators can also configure their firewall software to allow RTP and RTSP broadcasts.

Changing the password required to send an MP3 broadcast
Broadcasting MP3 data to another server requires authentication.
To change the MP3 broadcast password:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings, then click Access.
3 Type a new password in the MP3 Broadcast Password field.
4 Click Save.

Using automatic unicast (announce) with QTSS on a separate computer
You can stream media from QuickTime Broadcaster to QTSS (QuickTime Streaming Server) running on a separate computer using the Automatic Unicast (Announce) transmission method. To do so, you must create a broadcast user name and password on the streaming server.
To create a broadcast user name and password on the streaming server:
1 In Server Admin, click QuickTime Streaming under the server in the Computers & Services list.
2 Click Settings, then click Access.
3 Select the "Accept incoming broadcasts" checkbox.
4 Click Set Password and type the name and password.
5 Click Save.

Chapter 4 Managing your media
This chapter contains information about using the new QuickTime Streaming Server Publisher application to prepare, organize, and upload media to the server for streaming.
The QuickTime Streaming Server Publisher application, provided with Mac OS X Server version 10.3 (or later), makes it easy to prepare and stream movies over the Internet. Users who are not the server administrator can either install QTSS Publisher from the administration tools CD that comes with Mac OS X Server or simply copy the application from a server. QTSS Publisher is located in /Applications/Server.
Important: you can use QTSS Publisher either locally on a computer running Mac OS X Server version 10.3 or later, or remotely on a computer running Mac OS X version 10.2 or later. When you open QTSS Publisher, you must enter a user name and password for a Mac OS X Server (version 10.3 or later) user account.

QTSS Publisher overview
QTSS Publisher, a new application for use with QuickTime Streaming Server, lets you manage all your QuickTime media on Mac OS X Server, from uploading it to the server through to streaming it. If you previously used the web-based Web Admin application to create MP3 and movie playlists, you can now use the more Mac-like QTSS Publisher interface to create playlists and more. QTSS Publisher lets you:
• Upload media to the server.
• Prepare media for streaming or progressive download.
• Create MP3, MP4, and movie playlists.
• Create web pages containing QuickTime media.

About playlists and hinting
QTSS Publisher contains a media library and an MP3 library. You can add files to these libraries to prepare them for streaming or to use them in playlists. A playlist is a set of media files (QuickTime movies, MPEG-4 files, or MP3 audio tracks) that you select and arrange. You can create a virtual "radio station" or a simulated live video broadcast by building a playlist (or a series of playlists) from prerecorded QuickTime media, MPEG-4 files, or MP3 files.
Playlists send the media to the streaming server, which delivers it to the viewers who request it, in the order you define (random or sequential). Although the media is prerecorded, it appears to viewers as a live broadcast; everyone who tunes in sees the same material.
For a movie (.mov or .MP4 file) to be streamed, it must be hinted. Hint tracks contain the information the streaming server needs to stream the media correctly; they let the server stream QuickTime movies without having to understand QuickTime media types or codecs. QTSS Publisher automatically adds hint tracks to playlist items as needed. MP3 playlists do not require hinting.
[Screenshot callouts for the QTSS Publisher window: The View control switches between List view and Browse view. Click Media to show the available content. Drag media files into the library to upload them to the server. Click Settings to make content available to users and specify options. The libraries contain all the files on the server. Click Links to place your content in web pages.]
Note: when you use QuickTime Player to export a movie as a hinted movie, QuickTime automatically adds all the necessary hint tracks.

Connecting to Mac OS X Server
When you open QTSS Publisher, you must supply a user name and password for a Mac OS X Server (version 10.3 or later) user account.
Local users can log in if home directory streaming has been enabled for them (see "Hosting streams from multiple user media directories" on page 27). If the connection attempt fails, make sure the server you are trying to connect to is running. Also make sure port 311 is not blocked by your firewall.

Uploading media from QTSS Publisher to a QuickTime Streaming Server
Files you drag into the QTSS Publisher media library are automatically uploaded to the server you are connected to. The media is not accessible to the public until you make it available (see "Making content available for streaming or download" on page 36). You can use QTSS Publisher as a staging area to prepare content for distribution on the web.

Preparing content for distribution on the web
After uploading content to the server (by dragging it into the QTSS Publisher media library) and before making it available to the public, you may need to prepare your files for distribution over the Internet. This section describes that process.

Preparing prerecorded media for streaming
When properly prepared, prerecorded media can be played as a simulated live stream in a playlist. You can play MP3 audio files through an MP3 playlist and listen to them with iTunes or any other compatible MP3 player.
To prepare prerecorded media for streaming in a playlist:
1 Make sure every movie in the playlist has the same number and types of tracks, and that all the media files contain compatible data types.
All audio tracks, for example, must use the same encoding, sample rate, compression ratio, and bit rate. All video tracks must likewise use the same encoding, compression ratio, bit rate, and frame size. MP3 files must use the same sample rate.
2 Format the media in each file the same way.
For a movie playlist, make sure each media file is a hinted QuickTime or MPEG-4 movie. (If you put your files in the QTSS Publisher media library, they are hinted automatically.) Do not hint MP3 files when preparing an MP3 playlist.
3 Open QTSS Publisher (in /Applications/Server), click Media (if it is not already selected), then drag the media files into the QTSS media library.
Important: QTSS's MP3 streaming support is intended for Shoutcast/Icecast-compatible live streams (such as those created by a broadcast playlist) or for live streams from other compatible live MP3 broadcasters. To stream an individual MP3 file on demand (rather than live), select the "Media available for download" option in the URL Settings pane of QTSS Publisher.
Improving the performance of hinted movies exported from QuickTime Player
When you export a hinted movie from QuickTime Player, you can compress the video and audio using either the native RTP payload encoder or the generic QuickTime payload encoder. To select QuickTime, click Options in the QuickTime Player export dialog, then click Track Hinter Settings. In general, native payload encoding is preferable. Consult your codec vendor for specific encoding instructions. Consider carefully before choosing between the native and QuickTime encoders.

Creating and managing playlists
QTSS Publisher makes it easy to create and manage playlists for video or audio broadcasts.

Creating a media playlist for streaming
You can create a playlist of QuickTime movies, MPEG-4 files, or MP3 audio tracks.
To create a playlist:
1 Make sure the media files you have prepared are in the appropriate QTSS Publisher library folder (MP3 or Movie). You can place files in QTSS Publisher by dragging them into it.
2 In QTSS Publisher, click New Playlist.
3 Select MP3 Playlist or Media Playlist.
4 Type a name for the playlist.
Once you have entered the name, QTSS Publisher creates a URL name (which you can change if you want). Playlist and URL names must be unique; two broadcasts cannot use the same name.
5 Click Create Playlist.
6 Drag items from the library list (at the top) into Playlist Contents.
Modifying a playlist
To change the order of items in a playlist, drag them. To remove an item from a playlist, select it and click Remove. To add items to a playlist, double-click the playlist, then click Add Items.
You can also change settings such as the playlist's name, genre, and play mode.
To change a playlist's settings:
■ In QTSS Publisher, select a playlist and click Settings (or double-click the playlist).
Note: you can change the contents of a playlist without stopping and restarting it; it is updated automatically. You can change a playlist's settings (for example, whether it plays in random or sequential order) while it is broadcasting, but you must stop and restart it for the new settings to take effect.

Changing the weight of a track in a playlist
You can "weight" a track to adjust how often it is played. Tracks with a higher weight value are played more often than tracks with a lower weight value (when Weighted Random is selected in the Play Mode pop-up menu of the Playlist pane).
To change a track's weight:
1 In QTSS Publisher, select the track.
2 Set the Weight slider to a position between 0 and 10.

Creating and editing movie annotations
You can add annotations to a movie to indicate its original format, author, and actors.
If, for example, you put a movie's full name in the annotations, it appears as the title in the QuickTime Player window.
To annotate a movie:
1 In QTSS Publisher, select a movie and click Settings (or double-click the movie).
2 Select the checkbox for the annotation you want to include, then type the annotation in the text field.

Changing the still image of a movie embedded in a web page
When you use QTSS Publisher to embed a movie in a web page, you can choose a custom image that is displayed until the movie starts playing. (In other words, you can select an image other than the movie's poster frame.)
To select a still image to represent a movie:
1 In QTSS Publisher, select a movie and click Link Settings.
2 Drag a file from the Finder or click Choose.
3 Click Apply.
You can also type a caption that appears below the image.

Delivering your content
Once you have prepared and organized your media, QTSS Publisher makes it easy to deliver it over the Internet, by progressive download or by streaming.

Making content available for streaming or download
Content in the QTSS Publisher media library is automatically uploaded to the server, but it is not available for on-demand streaming until you specify that it is (unless you start a playlist).
To make content publicly available:
1 Select the item and click Settings (or double-click the item).
2 Click URL (if it is not already selected).
3 Select one or both of the User Access checkboxes.

Starting and stopping playlists
The QTSS Publisher Settings pane lets you start or stop playlist broadcasts.
To start or stop a playlist broadcast:
1 In QTSS Publisher, select the playlist and click Settings (or double-click the playlist).
2 In the Playlist pane, click the Start or Stop button.
Use the Play Mode pop-up menu to specify how the playlist is played.
• Sequential plays the media in the order in which it appears in the playlist file.
• Sequential Looped plays the media in the order in which it appears in the playlist file. When the last media file has been played, the playlist repeats in the same order.
• Weighted Random plays the media randomly, using the weight values you specified to determine how often each item is played. The higher the weight, the more often the item is played. You can specify how many items are played before an item is repeated.

Turning content into a web page
In QTSS Publisher, you can easily turn a playlist (or any media file you offer for streaming or download) into a web page by selecting it and clicking Create Web Page. Several web page templates are provided (see the sample below). When QTSS Publisher finishes creating the web page, it opens in Safari. Users can reach the web page by typing its URL into their browser. You can change the URL in the Links pane.
QTSS Publisher also generates HTML code that you can drag into your web page editor to create links to media. To get the code, select the items and click Links, select the link, then click HTML.
You can also specify settings such as whether the stream plays as soon as the web page loads or only when the user clicks the poster, or whether the movie opens in a QuickTime Player window.
To change the settings for content embedded in a web page:
1 In QTSS Publisher, select a movie or playlist and click URL.
2 Click Link Settings.

Chapter 5 Troubleshooting
This chapter contains information about what to do if you run into problems while streaming media.

Using log files to monitor playlist broadcasts
If you enable logging, you can use the log file to resolve problems that occur during a broadcast.
• If the playlist media is not being streamed, check Streaming Server Admin to make sure the streaming server is running.
• If the streaming server is running, make sure a process named PlaylistBroadcaster is running on the server computer. If it is, stop the broadcast, delete the broadcast's SDP file from the streaming server's media directory, then restart the broadcast. A new SDP file is generated when you restart the broadcast.

Media files are not streaming correctly
• Try streaming a sample movie to determine whether the server can stream it. Samples are provided with the server. If the server streams the sample, the problem may be in how your movie file was prepared. Recreate the movie. If the sample does not stream, the problem may lie with the server computer or the network.
• Check the streaming server's activity and, if necessary, reduce the maximum number of connections or the throughput.
• If the problem occurs on a client computer, make sure the user has the correct Streaming Proxy and Streaming Transport settings. The network administrator for the client computer should be able to provide the correct settings.
• Make sure the client software supports the file format being streamed.
• Check the structure of the URL.
• Check the playlist. If you created a looped playlist containing hinted QuickTime MPEG-1 files, QuickTime clients may have trouble viewing the stream.

Users cannot connect to your broadcast
• Make sure QuickTime 4 (or later) is installed on the client computer. If users connect through a web browser, make sure the QuickTime 4 plug-in is installed correctly.
• Make sure users have the correct URL.
• If users are trying to connect to your broadcast over HTTP, be sure to disable any web server that could conflict with your streaming server. Also make sure that streaming on port 80 is enabled in the General settings pane of Streaming Server Admin.

Users get error messages while streaming media
The messages mean the following:
Error code 401: the user tried to access a protected file. Upgrading to QuickTime 5 or later may be necessary.
Error code 404: the server cannot find the URL the user entered. Make sure users are entering the correct URL for the broadcast. Tell users not to try to view media by typing the RTSP URL directly into a web browser's address field.
RTSP URLs are used only with the Open URL command in QuickTime Player.
Error code 415: the movie file is not hinted or has a compressed resource. You must re-hint the movie with the Pro version of QuickTime Player. You can also try serving MP3 files on demand natively (that is, as an HTTP download). QTSS's MP3 streaming support is for shoutcast/icecast-compatible live streams (such as those created by an MP3 playlist) or for live streams from other compatible live MP3 broadcasters. To serve individual MP3 files on demand (rather than as a live stream), simply host the files on a web server.
Error code 453: the server is too busy for users to view the stream. Users should try again later. You can increase the maximum number of connections in the General settings pane of Streaming Server Admin.
Error code 454: the connection to the server was dropped. Users should restart the stream. Check whether the server is behind a firewall or the client is using network address translation (NAT) software. See "Streaming through firewalls over port 80" on page 29 and "Streaming through firewalls or networks with address translation" on page 29.
Error code –5420: the server may not be running. Check it and restart it if necessary. Check whether the server is behind a firewall or the client is using network address translation (NAT) software.
See the sections "Streaming through firewalls over port 80" on page 29 and "Streaming through firewalls or networks with address translation" on page 29.

Chapter 6 Example setup
This chapter describes the main components required for a generic web streaming setup and how they are connected to each other.
The setup instructions that follow suit an educational environment such as a university campus. The example can nevertheless be easily adapted to many uses, including:
• Distance learning
• Corporate communications to employees, customers, suppliers, or shareholders
• A one-off concert or presentation
• Broadcasting from a daycare center to parents

Streaming presentations, live and on demand
This example illustrates how a university's network administrator can set up a streaming server and other components to stream presentations, live and on demand, to students using computers connected to the campus network and to the Internet.
Such a setup allows students who were unable to attend a class to follow it online. It also lets students review part of a class later by viewing an archived version on their computer.
The example setup, illustrated above, has the following features:
• An existing local network with Ethernet connections to the classrooms and lecture halls from which live presentations are to be streamed.
• A digital video (DV) camcorder and a microphone installed in a classroom or lecture hall to convert the live presentation to digital form.
The camcorder makes a high-quality DV recording of the presentation and provides the digital signal that will be encoded for the live broadcast.
• The DV camcorder is connected through a FireWire port to a portable computer running QuickTime Broadcaster, which encodes the digitized live presentation and sends the signal over an Ethernet connection to the streaming server on the campus network.
• The streaming server is a rack-mounted Xserve running "headless" (that is, without a monitor or keyboard). The server runs Mac OS X Server with QTSS (QuickTime Streaming Server) configured to deliver the live encoded presentation as a unicast stream to each client computer (on the campus network or on the Internet) that connects to the broadcast. The Xserve ships with Mac OS X Server and QTSS preinstalled.
[Figure: Broadcaster; Streaming server; Clients on the Internet; Clients on the local network; Internet]
• Any kind of computer with QuickTime Player or other MPEG-4-compatible software installed can reach the Xserve streaming server over the campus network. Other client computers can reach the streaming server over the Internet.
• The broadcast portable computer, running iMovie, is used to produce high-quality on-demand versions of the live presentation once it has ended. The recorded digitized presentation is transferred over the FireWire connection from the DV camcorder to the computer, where it is compressed.
Note: QuickTime Broadcaster can be configured to record the encoded live stream to disk for archiving. For best results, however, it is preferable to encode the footage separately.
• The broadcast laptop is also used to control the Xserve remotely through the Server Admin application (or through Web Admin, the web-based QTSS administration application).
Note: the laptop can also connect wirelessly to the local network through an AirPort base station for greater portability. The AirPort base station complies with the 802.11 standard and works with QTSS. Its bandwidth of 11 megabits per second (Mbps) is ample for our example setup, as long as other clients do not put a heavy load on the same base station.

Setup
The steps below show how to set up QuickTime Streaming Server and the other components required for live and on-demand streaming in our hypothetical university environment.

Step 1: Preparing the location
A standard classroom does not provide a broadcast and recording environment comparable to a professional television or recording studio. The following measures help obtain satisfactory results:
• Go to the room or lecture hall you want to use for live streaming, close the doors, and listen for any noise that could interfere with a broadcast. If you notice noise from a neighboring room, a video arcade, street traffic or any other source, and you cannot eliminate it, find another room.
• If there is no noise problem, stand in the center of the room, clap your hands or shout, and check for an echo. An echo can degrade the sound quality of the live broadcast.
You can reduce or eliminate echo by hanging thick curtains over bare walls or by arranging acoustic panels in a checkerboard pattern on each wall.
• Next, look at the floors and furniture. Carpeted floors and upholstered chairs make an ideal environment. The lectern should be covered with cloth or a padded surface to avoid noise caused, for example, by the speaker setting a glass down on it.
• Windows can cause lighting problems. For better control, you should be able to draw the blinds and supplement the room lighting with a portable lighting kit that can be set up quickly.

Step 2: Preparing the network
Check that the room where the broadcast will take place has an Ethernet connection. If necessary, install, repair or replace cables and connectors using high-quality components.
Keep in mind that streaming, especially live streaming, can place heavy demands on network resources, particularly available bandwidth. To make sure the network can handle the additional load, you may need to do some or all of the following:
• Determine the capacity of the existing network and estimate the additional traffic that live and on-demand streaming will generate.
• Map the bandwidth segments of your network, noting the capacity between all points.
• Determine which applications are used on your network, how they are used, where they are hosted, and how much bandwidth they normally use during periods of heavy and light use.
• Based on your network's layout and capacity, choose a suitable location for the streaming server, avoiding potential bottlenecks.
• If necessary, increase network capacity (adding T1 lines, routers, switches, and so on) to handle the expected maximum number of simultaneous live viewers on top of the usual peak network traffic.
Keep in mind that a typical local network provides 10 to 100 Mbps of internal bandwidth. By contrast, a T1 line, commonly used for the Internet connection, provides only about 1.5 Mbps. T1 lines work well with HTTP and FTP, because those requests are brief or not time-critical, whereas streaming is far more demanding: it tolerates no slowdown, and to guarantee delivery the data must be transferred at least as fast as the original bit rate.
In this example, we assume a maximum of 10 simultaneous viewers, half over the local network and half over the Internet, and a rate of about 256 Kbps for each unicast stream. The peak additional bandwidth required is then about 3.2 to 3.3 Mbps. This estimate includes an extra margin of 25 to 30 percent for unplanned network congestion and stream transmission peaks that can occur for various reasons.

Step 3: Setting up your streaming server
An administrator computer must be set up before you can configure and manage your streaming server if, as in this example, the streaming server runs “headless”. For more information on setting up an administrator computer, see the Mac OS X Server getting started guide for version 10.3 or later (included on the Mac OS X Server CD-ROM).
To configure and manage QTSS, you use the Server Admin application, installed with Mac OS X Server version 10.3 or later.
Once Mac OS X Server is set up, you can also use the web-based administration application, Web Admin, to administer QTSS remotely from any computer connected directly to the local network or to the Internet. In this example, we assume the broadcast laptop of the illustrated streaming system is also used for this purpose.
Although the Xserve ships with Mac OS X Server and QTSS preinstalled, this software must be configured for the particular network it is added to and for the specific uses intended. For more information on setting up Mac OS X Server, see the getting started guide included on the Mac OS X Server CD-ROM.
Here are some of the questions that must be answered when setting up a streaming server:

Can the server computer be dedicated to streaming only?
It is preferable that your streaming server not also handle web service, mail service or any other service. Our example uses a dedicated streaming server.

How much RAM is needed?
The minimum memory required to run QTSS is 128 megabytes (MB). Plan on about 256 MB of RAM for each 50 MB of expected throughput. This setup assumes 256 MB of RAM.

How much disk space is needed?
Video files can be very large. A one-hour hinted presentation encoded at 300 Kbps (not optimized for a server) needs about 135 MB of hard disk space. A 60 GB hard disk can therefore store more than 400 presentations in this format.
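The sizing rules of Step 2 and Step 3 (bandwidth with a 25 to 30 percent margin, RAM per 50 MB of throughput, file size as bit rate / 8 × seconds) carried through for an arbitrary deployment, as an added example that is not part of the guide; reading the "50 MB of throughput" tranche as 50 Mbps is an assumption of this example.

```python
import math

# Capacity estimates for a QTSS streaming server, following the sizing rules
# this chapter gives (constructed example, not from the guide).

def bandwidth_mbps(viewers, stream_kbps, margin):
    """Peak extra bandwidth for `viewers` simultaneous unicast streams at
    `stream_kbps`, plus a safety margin (0.25 = 25 %) for unplanned
    congestion and transmission peaks."""
    return viewers * stream_kbps / 1000.0 * (1.0 + margin)

def file_size_bytes(bitrate_bps, seconds):
    """Size of a streaming file: bit rate / 8 bits * duration in seconds."""
    return int(bitrate_bps / 8 * seconds)

def presentations_per_disk(disk_gb, bitrate_bps, hours):
    """How many presentations of `hours` length at `bitrate_bps` fit on a
    disk of `disk_gb` gigabytes (decimal GB, as disk vendors count)."""
    return int(disk_gb * 1_000_000_000 // file_size_bytes(bitrate_bps, hours * 3600))

def ram_mb(throughput_mbps):
    """QTSS needs at least 128 MB; the guide budgets about 256 MB per 50 MB
    of expected throughput, read here as 50 Mbps (assumption of this example)."""
    tranches = max(1, math.ceil(throughput_mbps / 50))
    return max(128, 256 * tranches)

def plan(viewers, stream_kbps, margin, bitrate_bps, hours, disk_gb):
    """Combine the estimates for one deployment into a single dict."""
    bw = bandwidth_mbps(viewers, stream_kbps, margin)
    return {
        "bandwidth_mbps": round(bw, 2),
        "file_mb": file_size_bytes(bitrate_bps, hours * 3600) // 1_000_000,
        "presentations_on_disk": presentations_per_disk(disk_gb, bitrate_bps, hours),
        "ram_mb": ram_mb(bw),
    }

if __name__ == "__main__":
    # The chapter's own numbers: 10 viewers at 256 Kbps with a 25 % margin,
    # one-hour presentations at 300 Kbps, a 60 GB disk.
    print(plan(10, 256, 0.25, 300_000, 1, 60))
```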
Note: here is a formula for calculating the size of streaming files:
bitRateInBits / 8 bits * durationInSeconds = file size
Example for a one-hour stream at 300 Kbps:
300,000 / 8 bits * 3,600 = 135,000,000 bytes = 135 MB
Many local networks include RAID (Redundant Array of Independent Disks) storage systems that provide much larger amounts of disk space. If you store streaming files somewhere other than the default QTSS location (/Bibliothèque/QuickTimeStreaming/Movies), you must enter the path in the QuickTime Streaming Settings pane in Server Admin (see “Changing the streaming media directory” on page 26). Put any SDP (Session Description Protocol) files that refer to live webcasts in the same location so that QTSS can recognize them. In this example, all archived streaming files and SDP reference files reside in the default Movies folder on the streaming server.

Does the streaming server have a suitable network card?
The network card is a critical component of your streaming server, since it provides Ethernet connectivity between the server and your audience. An Ethernet card must deliver a minimum of 100 megabytes (about 0.9 gigabits) per second.

Where will the streaming server sit on the network? Will a firewall be used?
The streaming server must be in a location reachable by the users (students, in our example) who connect both over the local network and over the Internet. It must also be protected by a firewall against unauthorized access to the server and to the archived media files.
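One way to answer the firewall question above with a least-privilege inbound policy built from the QTSS port assignments this chapter lists, as an added example that is not part of the guide. The IP Firewall service drives ipfw underneath, so the rules are rendered in plain ipfw syntax (not a Server Admin export format); the broadcaster, admin and campus addresses are constructed, and 65535 replaces the table's 65635, which is past the valid port range.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Inbound firewall policy for a headless QTSS host, built from the port
# assignments this chapter lists.  Constructed example, not from the guide:
# Mac OS X Server's IP Firewall service drives ipfw, and the rule text
# rendered here is plain ipfw syntax, not a Server Admin export format.
# The chapter's upper bound for the broadcast-receive range (65635) is past
# the valid port range, so 65535 is used.

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (any protocol)
    src: str                           # "any", a host address or a CIDR network
    ports: Optional[Tuple[int, int]]   # inbound destination port range, None = all
    note: str = ""

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if self.src != "any":
            net = ipaddress.ip_network(self.src, strict=False)  # host -> /32
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]

    def ipfw(self, number: int) -> str:
        """Render as an ipfw rule; allowed TCP gets stateful handling."""
        span = ""
        if self.ports is not None:
            lo, hi = self.ports
            span = f" {lo}" if lo == hi else f" {lo}-{hi}"
        state = " setup keep-state" if (self.proto, self.action) == ("tcp", "allow") else ""
        log = " log" if self.action == "deny" else ""
        return f"add {number} {self.action}{log} {self.proto} from {self.src} to me{span} in{state}"

def qtss_inbound_policy(broadcaster_ip: str, admin_net: str, lan_net: str,
                        port_80: bool = False) -> List[Rule]:
    """Least-privilege policy: players reach RTSP and the RTP/RTCP ports from
    anywhere, only the broadcaster may deliver the live feed, MP3 and the
    two administration ports stay on the campus/admin networks, and the
    port 80 tunnel is off unless clients behind their own firewalls need it."""
    rules = [
        Rule("allow", "tcp", "any", (554, 554), "RTSP from players"),
        Rule("allow", "tcp", "any", (7070, 7070), "alternate RTSP port"),
        Rule("allow", "udp", "any", (6970, 6999), "RTP/RTCP data ports"),
        Rule("allow", "udp", broadcaster_ip, (10000, 65535), "live feed from QuickTime Broadcaster"),
        Rule("allow", "tcp", lan_net, (8000, 8000), "MP3 broadcasts, campus only"),
        Rule("allow", "tcp", admin_net, (687, 687), "Server Admin"),
        Rule("allow", "tcp", admin_net, (1220, 1220), "Web Admin"),
    ]
    if port_80:
        rules.insert(2, Rule("allow", "tcp", "any", (80, 80), "RTSP/RTP tunnelled over HTTP"))
    rules.append(Rule("deny", "ip", "any", None, "default deny, logged"))
    return rules

def decide(rules: List[Rule], proto: str, src_ip: str, dport: int) -> str:
    """First matching rule wins, as ipfw evaluates rules in number order."""
    for r in rules:
        if r.matches(proto, src_ip, dport):
            return r.action
    return "deny"

def render(rules: List[Rule], start: int = 1000, step: int = 10) -> List[str]:
    return [r.ipfw(start + i * step) for i, r in enumerate(rules)]

if __name__ == "__main__":
    # Constructed addresses: broadcast laptop, admin subnet, campus network.
    policy = qtss_inbound_policy("10.1.2.3", "10.1.2.0/24", "10.0.0.0/8")
    print("\n".join(render(policy)))
```

Outbound traffic (the streams the server sends on 6970-6999 UDP and its RTSP replies) is covered by the keep-state entries and is not listed separately here.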
Mac OS X Server includes the IP Firewall service, which inspects incoming IP packets and rejects or accepts them according to a set of filters you create. For more information on configuring this service, see the network services administration guide.
Specific ports must be opened in the firewall to allow RTSP (Real-Time Streaming Protocol) requests from users, the encoded video and audio from the broadcaster, and the outgoing streams sent to clients over the local network and the Internet. The table below lists the ports QuickTime Streaming Server uses for incoming and outgoing requests.

Requests and the ports they use:
Ports used to communicate with the client: 554, 7070 TCP or 80 TCP
Ports used to send data: 6970-6999 UDP or 80 TCP
Ports used to receive the broadcast: 10000-65635 UDP
Ports used by the server to send the broadcast: 554 RTSP, 7070 TCP or 80 TCP
Default port generally used by MP3 broadcasters: 8000 TCP
Port used for remote management of QTSS with Server Admin: 687 TCP
Port used for remote management of QTSS with Web Admin: 1220 TCP

In this example setup, we assume that students connecting to the streaming server over the Internet are not behind their own firewall. In that case we do not enable streaming on port 80, the port generally used to carry HTTP Internet traffic and allowed by most firewalls. If some clients are behind firewalls, it may be preferable to enable streaming on port 80 so that those clients can reach the streams. For instructions, see “Streaming through firewalls via port 80” on page 29.

Will a broadcaster user account need to be set up on the streaming server?
In this example setup, a broadcast user name and password must be created, because the encoding software and QTSS reside on separate computers. Creating a broadcast user allows an SDP (Session Description Protocol) file to be created on the server; this file provides information about the format, time and author of a live stream. Once defined, the user name and password are entered in QuickTime Broadcaster. For instructions on creating or changing the broadcast user name and password, see “Using Automatic Unicast (Announce) with QTSS on a separate computer” on page 30. You will need to use the administrator account set up earlier.

Will users need to authenticate to access live or archived presentations?
In our example setup, no authentication is required. However, if you want to restrict access to your streams, you must define individual or group streaming user names and passwords. For more information on setting up and managing such accounts, see the relevant topics under “Security and access” on page 28.

Step 4: Setting up for a live webcast
For our example setup, the following are required:
• A good-quality DV camcorder
• A microphone placed near the speaker (on a stand or clipped to the speaker's shirt) and connected to the camcorder's audio input with a good-quality audio cable
• A sturdy tripod on which the camcorder will be mounted
• A portable lighting kit

The camcorder is the first link
The camcorder is a critical element because it is the first link in the video signal chain.
Two main factors determine the image quality of a DV camcorder:
• Lens quality. The better the lens, the better the image.
• The image capture mechanism. DV camcorders use CCDs (charge-coupled devices) to convert the image into electronic signals. The number and size of the CCDs affect image quality.
Optical zoom gives better quality than digital zoom, but zooming should be avoided or kept to a minimum during a live-streamed presentation to prevent degrading the stream. Low-end digital camcorders use a single CCD to capture the whole image, while high-end camcorders use three separate CCDs to scan the red, blue and green content of the image, giving better quality. CCD sizes range from 1/4 to 2/3 inch; larger CCDs give better resolution.
Other useful features:
• You should be able to override the camcorder's automatic settings.
• A separate microphone that can be plugged into the camcorder is recommended for the best sound pickup. The camcorder's built-in microphone is unsuitable for most situations.
• The camcorder should accept professional XLR connectors (rather than 1/8-inch mini-jack connectors). It should also have a headphone jack for monitoring the audio input.
• Finally, a FireWire output allows digital transfer and automated capture, which saves time later.

Speak close to the microphone
The microphone is the first link in the audio signal chain and is therefore also very important.
Dynamic microphones are a good all-round choice, and you can find one for about $100 (87 euros).
The best way to improve audio quality when room acoustics are poor is to place the microphone as close as possible to the person speaking. Use a small lavalier microphone clipped to the speaker's shirt, just below the mouth, or a handheld microphone. For a panel with several speakers, use several microphones, if possible on sturdy stands, together with a small mixer. Connect the mixer's mixed stereo output to the camcorder's line input.
If you use a mixer or an external microphone, make sure all connectors are firmly plugged in to ensure a reliable audio signal. Connect headphones to the camcorder's headphone output to confirm that you can hear the audio signal and that it is free of distortion.

A tripod is essential
It is important to use the camcorder on a tripod during a live presentation and to avoid pans, tilts, zooms and other camera movements. Any movement of the camcorder, even by one degree, changes every pixel of the image, making the stream harder to encode. A scene that was simple to encode suddenly becomes much more complex. The tripod should be light, yet provide stable support for the weight of the camcorder.

Get a simple lighting kit
Lighting is a vast subject beyond the scope of this guide, but here are a few suggestions. Even a high-quality camcorder gives poor results if the lighting is unsuitable. Standard classroom lighting is unlikely to be suitable for shooting a live presentation.
It is recommended to add at least one backlight to make the speaker stand out. A portable three-point lighting kit, plus one or two reflectors if you plan outdoor shots, can improve results considerably.

Step 5: Setting up the broadcaster
In this example, QuickTime Broadcaster is installed on a laptop. This encoding software is included on the Mac OS X Server CD-ROM and can also be downloaded free from the QuickTime Broadcaster website at http://www.apple.com/quicktime/products/broadcaster/
To install QuickTime Broadcaster, double-click the installer file (QuickTimeBroadcaster.pkg) and follow the onscreen instructions.
Once the encoding software is installed, connect the camcorder to the laptop through the FireWire port, turn the camcorder on, and check whether QuickTime Broadcaster recognizes it.
1 Open QuickTime Broadcaster and click Show Details.
2 Click Video and choose a video source from the Source pop-up menu.
If the camcorder is recognized, it appears in the Source menu. The video settings should also be active (not dimmed). If the camcorder does not appear in the Source menu, quit QuickTime Broadcaster, make sure the camcorder is connected and powered on, then open QuickTime Broadcaster again. If your camcorder still does not appear, check the QuickTime website or the Apple Knowledge Base for compatibility and other issues.
When broadcasting to QTSS on another computer, as in our example, the Automatic Unicast (Announce) transmission method is recommended. It is simple to set up.
1 In QuickTime Broadcaster, click Show Details, click Network, then choose Automatic Unicast (Announce) from the Transmission pop-up menu.
2 In the Network pane, type the IP address or host name of the receiving server (the Xserve in this example), a name for the broadcast file, the user name and password of the broadcast user created in Step 3, and the buffer delay (or accept the default).
Note: the buffer delay sets the number of seconds QuickTime buffers the broadcast before playback. On broadband connections, QuickTime Player 6 (or later) fills the buffer faster than real time, which allows “Instant-On” viewing.
3 Click Broadcast and start QTSS (if it is not already running) by selecting the computer in Server Admin, clicking QuickTime Streaming, then clicking Start Service.
To check whether the live stream can be viewed on a client, open QuickTime Player on one of the client computers and do the following:
1 Choose File > Open URL in New Player.
2 Type the RTSP (Real-Time Streaming Protocol) URL shown in the Location section of the QuickTime Broadcaster window (for example, rtsp://monserveur.com/monflux.sdp).
Note: the URL is case-sensitive and must be typed exactly as it appears in the QuickTime Broadcaster window.
The live stream should then begin playing in QuickTime Player.

Step 6: Testing your setup
The last step is to test the setup. The test should be as realistic as possible.
• Set up your equipment as it will be used for the actual presentation, if possible in the same location.
• Ask a colleague to play the presenter, or better, ask the presenter to take part in the test, making it a “rehearsal”.
• Check the video image and the sound.
• Check whether clients on the local network and on the Internet can connect to the live stream.
• Adjust the camcorder and microphone positions and the lighting as needed, and resolve any other problems.

Creating a web page for easy access
Access from a web page saves students from having to remember the RTSP URL and the names of the streaming server and the SDP files. In our example, the web page can be added to the university's website, but it can also reside on any web server. Students reach the live presentation (and the archives) by clicking links in their browser. To learn how to create a web page with links to the streamed media, see “Converting content to a web page” on page 37.

Shooting the live presentation
If all the preparation has been done as described above and the equipment and connections have been tested, shooting should be straightforward. Here are a few tips to avoid problems during the event:
• On the day of the live webcast, set up your equipment early enough to check once more that all components work as expected.
• If an audience is present, let them know in advance that you will be webcasting the presentation live and ask for their cooperation.
• Tape all cables securely to the floor to limit tripping hazards.
• Look for potential noise sources and take appropriate measures where possible.

Archiving the live presentation
In our example, the iMovie application, supplied with Mac OS X, is installed on the laptop.
This application is used to import the digital footage recorded on tape, then encode and archive the presentations.
To archive a live presentation, start by importing the recorded digital footage:
1 Connect the DV camcorder to the laptop through the FireWire port and turn it on.
2 Insert the tape containing the footage to archive and switch to VTR mode.
3 On the laptop, open iMovie and set the mode switch below the iMovie monitor to Camera mode (drag the blue slider toward the camcorder icon).
4 Use the playback controls to display part of the tape in the iMovie monitor. If the tape does not play, check the connections and make sure the camcorder is powered on.
5 Rewind the tape to a few seconds before the point where you want to start importing.
6 Click Play below the iMovie monitor.
7 Click Import as soon as you see the point in the presentation where you want to start importing.
8 Click Import again when you want to stop importing.
9 To keep certain footage out of your archived presentation, you can edit it later in iMovie.
Important: watch the available hard disk space while importing video and creating your iMovie project. One minute of digital video uses about 220 MB of disk space, so a one-hour presentation can use more than 13 gigabytes. The Free Space status bar below the clip shows the available disk space at all times during import.
Next, use iMovie to compress and encode the video for streaming:
1 In iMovie, choose File > Export Movie.
2 Choose To QuickTime from the Export Movie pop-up menu.
3 Choose a movie format from the Formats pop-up menu. You can either choose one of the QuickTime formats optimized for different uses, or choose Expert, an option that offers custom QuickTime settings such as MPEG-4 Video.
4 Click Export.
5 Name your movie, choose a destination for the file, then click Save. The time needed to save the movie depends on its length and the format chosen.
Note: it is recommended to save several streaming files, each compressed for a different connection speed. For example, you can choose lower compression settings for campus network clients and higher compression settings for clients connecting over the Internet.
6 Once you have saved the encoded file or files, make sure each file streams correctly.

Glossary
This glossary defines terms and abbreviations you may encounter while using the online help or QTSS Administration.
administrator: A user with server or directory domain administration privileges. Administrators are always members of the predefined “admin” group.
IP address: A unique numeric address that identifies a computer on the Internet.
static IP address: An IP address permanently assigned to a computer or device.
AppleScript: A scripting language with English-like syntax, used to write script files that control your computer. AppleScript is part of the Mac operating system and is therefore included on every Macintosh computer.
permissions: Settings that define the kind of access users have to shared items. You can assign four types of access permissions to a share point, folder or file: read/write, read-only, write-only and none (no access).
AVI (Audio Visual Interleave): A Windows video file format.
bandwidth: The capacity of a network connection, measured in bits or bytes per second, to carry data.
bit: A unit of information whose value can be 0 or 1.
client: Software or a computer on the user's side, used to display streamed data.
codec: A technology for compressing and decompressing data. Codecs can be implemented in software, hardware or a combination of the two.
temporal compression: Image compression performed between the frames of a sequence. This compression technique takes advantage of the redundancy between adjacent frames of a sequence to reduce the amount of data needed to represent each frame accurately. Temporally compressed sequences generally contain key frames placed at regular intervals.
XLR connector: A three-pin audio connector that can be used with balanced three-wire cables, which eliminates electromagnetic interference.
layer: A mechanism for prioritizing the tracks of a movie or overlapping sprites. When QuickTime plays a movie, it displays images according to their layer; images with a lower layer number are displayed on top, and those with a higher layer number can be hidden by the former.
firewall: Software that protects the network applications running on your server. The IP Firewall service, part of the Mac OS X Server software, inspects incoming IP packets and rejects or accepts them according to a set of filters you create.
bit rate: The speed at which bits are transmitted over a network, generally expressed in bits per second.
data rate: The amount of information transmitted per second.
broadcast: The process of transmitting a copy of a data stream across an entire network.
announced broadcast: A method, such as Automatic Unicast (Announce), that lets a broadcaster negotiate with a server to accept a broadcast.
webcast: Live streaming of video or audio over the Internet.
DNS (Domain Name System): A distributed database that maps IP addresses to domain names. A DNS server, also called a “name server”, keeps a list of names and the IP addresses associated with each name.
DSL (Digital Subscriber Line): A high-speed data transmission technology that works over telephone lines.
DV (Digital Video): A digital tape recording format that uses about 5:1 compression to produce Betacam quality on a very small cassette.
streaming: Real-time delivery of video or audio data over a network, as a stream of packets rather than by downloading a single file.
ISP (Internet service provider): A company that sells Internet access and generally offers web hosting for e-commerce applications and mail services.
access file: A text file named qtaccess containing information about the users and groups allowed to view the media in the directory where the access file is stored.
M3U file: An audio metafile created with a text editor and saved on a web server. The file directs the user's web browser to an MP3 playlist residing on the same web server and opens the user's MP3 player.
movie: A time-based data structure managed by QuickTime. A QuickTime movie can contain sound, video, animation or a combination of these data types. A QuickTime movie contains one or more tracks, each representing a single data stream of the movie.
reference movie: A .mov file created with a utility such as MakeRefMovie, available free from Apple for Macintosh and Windows computers. The file contains the location of a streaming media file and can also contain the locations of several streaming files. A reference file included as a link in a web page, for example, can direct a client player to the on-demand presentation encoded for its particular connection speed.
FireWire: A hardware technology for exchanging data with peripherals, defined by the IEEE 1394 standard.
reflected stream: A live broadcast delivered as a unicast stream. Movie and MP4 playlists also generate reflected streams.
relayed stream: A stream passed from one server to one or more other servers. Relays can also be used to generate a multicast stream. QTSS does not support relaying MP3 streams.
sample rate: The number of samples per second used for audio data. The higher the rate, the better the audio quality.
key frame rate: The frequency at which key frames are placed in temporally compressed data sequences.
FTP (File Transfer Protocol): A protocol that lets computers transfer files over a network. FTP clients whose operating system supports FTP can connect to a file server and download files, according to the access permissions they have. Most Internet browsers and many free (“freeware”) applications can be used to access an FTP server.
HTML (Hypertext Markup Language): A set of symbols or codes inserted in a file to be displayed by a web browser. The markup tells the web browser how to display the words and images of a web page to the user.
HTTP (Hypertext Transfer Protocol): The client/server protocol used for the World Wide Web. HTTP lets a web browser access a web server and request multimedia documents written in HTML.
IEEE (Institute of Electrical and Electronics Engineers, Inc.): An organization dedicated to promoting standards in the fields of computer and electrical engineering.
key frame: A sample from a sequence of temporally compressed samples whose information is independent of the other samples in the sequence. Key frames are placed in temporally compressed sequences at a frequency determined by the key frame rate.
hinting: A process that creates a track for each streamable data track of a file, telling QuickTime Streaming Server how and when to stream each frame of data. Hinting does the necessary calculations in advance, which lets QTSS serve more streams. It also allows the use of new codecs without upgrading the server.
IP (Internet Protocol): Also called IPv4. A method used together with TCP (Transmission Control Protocol) to send data from one computer to another over a local network or over the Internet. IP delivers the data packets, while TCP keeps track of the packets.
JavaScript: A scripting language used to add some interactivity to web pages.
LAN (réseau local) Réseau établi au sein d’un même bâtiment, par opposition à un réseau étendu (WAN) qui relie des installations géographiquement disséminées. Lecture instantanée Avancée dans la technologie Apple de protection contre les coupures, permettant de réduire considérablement les temps d’attente ou de mise en mémoire tampon, afin d’obtenir une expérience de visualisation instantanée pour la diffusion de flux vidéo à travers des connexions haut débit. liste de lecture Ensemble de fichiers multimédias du dossier de données QTSS, dont la lecture s’effectue de manière séquentielle ou aléatoire. Mac OS X Version la plus récente du système d’exploitation Apple. Mac OS X associe la fiabilité d’UNIX à la simplicité d’utilisation de Macintosh. Glossaire 61 Mac OS X Server Plate-forme de serveur puissante capable de gérer, sans préparation préalable, les clients Mac, Windows, UNIX et Linux et qui offre une suite de services réseau et de groupe de travail évolutifs, ainsi que des outils de gestion avancés. MBONE (dorsale de multidiffusion) Réseau virtuel gérant la multidiffusion IP. Un réseau MBONE utilise le même support physique qu’Internet, mais est conçu pour réassembler les paquets de données de multidiffusion afin qu’ils aient l’aspect de paquets de données de diffusion individuelle. MIDI (Musical Instrument Digital Interface) Format standard pour l’envoi d’instructions à un synthétiseur musical. monodiffusion Forme d’enchaînement de type 1 à 1. Si le protocole RTSP est utilisé, l’utilisateur peut se déplacer librement d’un point à un autre dans un film à la demande. Monodiffusion automatique (Annonce) Méthode de distribution d’une diffusion sur un serveur d’enchaînement, dans laquelle un fichier SDP est automatiquement copié et tenu à jour sur le serveur. Un mot de passe et un nom d’utilisateur de diffusion doivent être créés avant le démarrage d’une telle diffusion. 
Monodiffusion manuelle Méthode de transmission en direct d’un flux de données vers un client QuickTime Player unique ou vers un ordinateur qui exécute QTSS. Un fichier SDP est généralement créé par l’application de diffusion et doit ensuite être envoyé manuellement au spectateur ou au serveur d’enchaînement. mov Extension de fichier des films QuickTime d’Apple, utilisée pour nommer à la fois les fichiers de redirection de film et les fichiers multimédias QuickTime proprement dits. MP3 (MPEG layer 3) Format populaire de compression de musique. MPEG-4 Norme ISO basée sur le format de fichier QuickTime et qui définit des formats de compression et des fichiers multimédias. multi-adressage Capacité à gérer plusieurs connexions réseau. Lorsque plusieurs connexions sont disponibles, Mac OS X sélectionne la meilleure connexion en fonction de l’ordre indiqué dans les préférences réseau. multidiffusion Forme efficace d’enchaînement, de type 1 à n. Les utilisateurs peuvent se joindre à une multidiffusion ou la quitter, mais ils ne peuvent pas interagir avec elle. NAT (Network Address Translation) Méthode de connexion de plusieurs ordinateurs à Internet (ou à tout autre réseau IP) à l’aide d’une adresse IP unique. NAT convertit les adresses IP que vous attribuez aux ordinateurs de votre réseau privé interne en une adresse IP légitime unique pour les communications Internet. octet Huit bits.62 Glossaire open-source Terme désignant le développement coopératif de logiciels par la communauté Internet. Le principe de base consiste à impliquer le plus grand nombre possible de personnes dans l’écriture et le débogage du code, en publiant le code source et en encourageant la constitution d’une large communauté de développeurs qui peuvent proposer des modifications et des améliorations. ordinateur administrateur Ordinateur Mac OS X sur lequel vous avez installé les applications d’administration du serveur à partir du CD Admin de Mac OS X Server. 
paquet Unité d’informations constituée d’un en-tête, d’informations, d’un élément de détection d’erreurs et d’enregistrements complémentaires. QTSS utilise des paquets TCP, UDP et IP pour communiquer avec les clients. piste Structure de données QuickTime qui représente un flux de données unique dans un film QuickTime. Un film peut contenir une ou plusieurs pistes. Chaque piste est indépendante des autres pistes du film et représente son propre flux de données. piste de modification Piste d’un film qui modifie les données ou la présentation d’autres pistes. Par exemple, une piste “tween” est une piste de modification. piste tween Piste qui modifie l’affichage d’autres pistes. pixel Point unique d’une image, dotée d’une couleur et d’une valeur de luminosité données. plug-in de navigateur Logiciels que vous intégrez à un navigateur afin de permettre l’affichage de formats de données spécifiques. point de montage Chaîne utilisée pour identifier un flux en direct, lequel peut être un flux de film relayé, un flux de film non relayé ou un flux MP3. Les points de montage qui décrivent les flux de film en direct se terminent toujours par une extension .sdp. Port Sorte de fente virtuelle de boîte aux lettres. Un serveur utilise des numéros de port pour déterminer l’application qui doit recevoir les paquets de données. Les coupefeu utilisent les numéros de port pour déterminer si les paquets de données sont ou non autorisés à traverser un réseau local. Le terme “port” fait généralement référence à un port TCP ou UDP. protocole Ensemble de règles qui détermine la façon dont les données sont échangées entre deux applications. QTSS (serveur Enchaînement QuickTime) Technologie permettant de diffuser des données en temps réel sur Internet. 
QuickTime Ensemble d’extensions système Macintosh ou bibliothèque de liens dynamiques Windows gérant la composition et la lecture de films.Glossaire 63 QuickTime Player Application incluse dans le logiciel système QuickTime et permettant la lecture des films QuickTime. QuickTime Pro Version de QuickTime Player dotée de fonctionnalités avancées, de montage essentiellement. RAID (Redundant Array of Independent Disks) Batterie de disques durs permettant soit d’accélérer la vitesse des entrées/sorties disque, soit de mettre les données en miroir pour la redondance, soit d’obtenir ces deux avantages. Les utilisateurs peuvent accéder au système RAID comme s’il s’agissait d’un disque unique, bien que celui-ci puisse être divisé en plusieurs partitions. RTP (Real-Time Transport Protocol) Protocole de transport réseau “point à point” adapté aux applications qui transmettent des données en temps réel (audio, vidéo ou simulation) par l’intermédiaire de services de réseau en multi ou en monodiffusion. RTSP (Real Time Streaming Protocol) Protocole de couche applicative servant à contrôler la transmission des données ayant des propriétés de temps réel. Ce protocole RTSP propose une structure extensible qui permet de transmettre les données en temps réel sous contrôle et sur demande, des données audio ou vidéo par exemple. Les sources de données peuvent inclure aussi bien des données en temps réel que des clips enregistrés. SDP (Session Description Protocol) Fichier texte utilisé avec le serveur Enchaînement QuickTime, qui fournit des informations sur le format, l’heure et l’auteur d’une diffusion en direct et transmet à l’ordinateur de l’utilisateur les instructions de connexion. serveur proxy Serveur placé entre une application client, telle qu’un navigateur Web, et un serveur réel. Le serveur proxy intercepte toutes les requêtes destinées au serveur réel pour vérifier s’il ne peut y répondre lui-même. Si ce n’est pas le cas, il fait suivre la requête au serveur réel. 
SMTP (Simple Mail Transfer Protocol) Protocole utilisé pour envoyer et transférer le courrier. Sa capacité à placer les messages entrants en file d’attente est limitée ; il n’est donc généralement utilisé que pour envoyer les messages, POP ou IMAP étant utilisés pour les recevoir. sous-réseau IP Partie d’un réseau IP, qui peut être un segment de réseau physiquement indépendant, partageant une adresse réseau avec d’autres parties du réseau et identifiée par un numéro de sous-réseau. sprite Image animée gérée par QuickTime. Une telle image est définie une seule fois, puis elle est animée par des commandes qui en modifient la position ou l’apparence. SSL (Secure Sockets Layer) Protocole Internet permettant d’envoyer sur Internet des informations cryptées et authentifiées.64 Glossaire TCP (Transmission Control Protocol) Méthode utilisée avec le protocole IP (Internet Protocol) pour envoyer, via Internet, des données sous forme d’unités de messages entre ordinateurs. Le protocole IP se charge de gérer le transfert des données, alors que le protocole TCP effectue le suivi individuel des unités de données (appelées “paquets”). Chaque message est fractionné en plusieurs unités afin d’assurer un routage efficace via Internet. téléchargement progressif Données d’un film “poussées” vers le client via le protocole HTTP. Le film peut être visualisé par l’utilisateur pendant le transfert. Il ne s’agit pas d’une forme de diffusion de flux de données. trame Image unique d’un film ou d’une séquence d’images. TTL (time-to-live) Durée spécifiée pendant laquelle les informations DNS sont stockées dans la mémoire cache. Lorsqu’une paire nom de domaine/adresse IP se trouve en mémoire cache depuis plus longtemps que la durée TTL spécifiée, l’entrée est supprimée du cache du serveur de noms (mais pas du serveur DNS principal). 
UDP (User Datagram Protocol) Méthode de communication utilisant le protocole IP pour envoyer une unité de données (appelée datagramme) d’un ordinateur à un autre sur un réseau. Les applications réseau qui ont de toutes petites unités de données à échanger peuvent utiliser le protocole UDP à la place du protocole TCP. URL (Uniform Resource Locator) Adresse d’un ordinateur, d’un fichier ou d’une ressource accessible sur un réseau local ou sur Internet. L’adresse URL se compose du nom du protocole utilisé pour accéder à la ressource, du nom de domaine qui identifie un ordinateur spécifique sur Internet et de la description hiérarchique de l’emplacement du fichier sur l’ordinateur. utilisateur de diffusion Utilisateur ayant l’autorisation de diffuser vers le serveur d’enchaînement. Le nom d’utilisateur et le mot de passe de diffusion sont définis dans le volet Réglages généraux d’Admin Serveur Enchaînement et sont utilisés conjointement avec les diffusions annoncées. Il n’est pas nécessaire de créer un utilisateur de diffusion pour les diffusions UDP. VBR (débit variable) Méthode de compression de données qui tire parti des changements de débit des données. vitesse de défilement Dans un film, il s’agit du nombre d’images par seconde. wav Format Windows de fichier audio. XML Langage de balisage extensible, semblable au HTML, mais plus formel et plus souple. 65 Index Index A administration des serveurs d'enchaînement. 
Mac OS X Server
Web Technologies Administration
For version 10.3 or later

Apple Computer, Inc.
© 2003 Apple Computer, Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use the software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid support services.

Every effort has been made to ensure the accuracy of the information in this manual. Apple Computer, Inc. is not responsible for printing or typographical errors.

Use of the Apple logo produced from the keyboard (Option-1) for commercial purposes may constitute trademark infringement and/or unfair competition.

Apple, the Apple logo, Mac, Mac OS, Macintosh and Sherlock are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based logos and trademarks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.

Note: Apple continually improves the performance and design of its products.
Some illustrations in this manual may differ slightly from your version of the software.

F022-1327

Contents

Chapter 1 (page 7), Overview of Web Technologies: Major Web components 8; Apache Web server 8; WebDAV 8; CGI support 8; SSL support 9; Dynamic content with SSI (Server-Side Includes) 9; Front-end cache 9; Before you begin 9; Setting up your Web server 9; Securing transactions 9; Setting up Web sites 10; Hosting multiple Web sites 10; What WebDAV is for 10; About MIME (Multipurpose Internet Mail Extension) 12.

Chapter 2 (page 15), Managing Web Technologies: Setting up the Web server for the first time 15; Using Server Admin to manage your Web server 17; Starting and stopping Web service 17; Modifying MIME mappings and content handlers 18; Managing connections 19; Setting simultaneous connections for the Web server 19; Setting persistent connections for the Web server 20; Setting a connection timeout interval 20; Setting up proxy caching 22; Blocking Web sites from your Web server's cache 23; Using SSL (Secure Sockets Layer) 23; About SSL 23; Using WebDAV 24; Using Tomcat 24; Viewing Web service status 25; Web service overview 25; Web service modules in use 25; Viewing Web service activity logs 26.

Chapter 3 (page 27), Managing Web Sites: Using Server Admin to manage Web sites 27; Setting up a Web site's Documents folder 27; Enabling a Web site on a server 28; Changing a site's default Web folder 29; Setting a Web site's default page 29; Changing a Web site's access port 30; Improving the performance of static Web sites (performance cache) 30; Effects of using the Web service performance cache 30; Enabling access and error logs for a Web site 31; Setting up directory listings for a Web site 32; Creating indexes for searching content on a Web site 33; Connecting to your Web site 34; Enabling WebDAV on Web sites 34; Setting access for sites that use WebDAV 35; Permissions for Web and WebDAV content files and folders 36; Enabling integrated WebDAV Digest authentication 37; Conflict between WebDAV and the Web performance cache 37; Enabling a CGI (Common Gateway Interface) script 37; Enabling SSI (Server Side Includes) 38; Viewing a Web site's settings 39; Setting server responses to MIME types and content handlers 39; Enabling SSL 40; Setting up the SSL log for a Web site 41; Enabling PHP 41; User content on Web sites 42; Web service configuration 42; Default content 42; Accessing Web content 43.

Chapter 4 (page 45), WebMail: WebMail basics 45; WebMail users 45; WebMail and your mail server 46; WebMail protocols 46; Enabling WebMail 47; Configuring WebMail 47.

Chapter 5 (page 51), SSL (Secure Sockets Layer): Setting up SSL 51; Generating a Certificate Signing Request (CSR) for your server 51; Obtaining a Web site certificate 52; Installing the certificate on your server 53; Enabling SSL for the site 53; The Web server's SSL password is not accepted when entered manually 54.

Chapter 6 (page 55), Working with Open-Source Applications: Apache 55; Location of the essential Apache files 56; Editing the Apache configuration files 56; Starting and stopping Web service with the apachectl script 57; Enabling Apache Rendezvous registration 58; Experimenting with Apache 2 62; JBoss 63; Backing up and restoring JBoss configurations 64; Tomcat 65; MySQL 66; Installing MySQL 66.

Chapter 7 (page 69), Installing and Viewing Web Modules: Apache modules 69; Macintosh-specific modules 69; mod_macbinary_apple 70; mod_sherlock_apple 70; mod_auth_apple 70; mod_hfs_apple 70; mod_digest_apple 70; mod_rendezvous_apple 70; Open-source modules 71; Tomcat 71; PHP: Hypertext Preprocessor 71; mod_perl 71.

Chapter 8 (page 73), Solving Problems: Users can't connect to a Web site on your server 73; A Web module isn't working as expected 74; A CGI script isn't working 74.

Chapter 9 (page 75), Where to Find More Information.

Glossary 77

Index 81

Chapter 1: Overview of Web Technologies

Get to know the Web technologies and their major components before you set up your services and sites.

Mac OS X Server Web technologies provide an integrated Internet server solution. Also called Web service in this guide, they are easy to set up and administer; you do not need to be an experienced Web administrator to set up several Web sites and to configure and monitor a Web server.

Mac OS X Server Web technologies use the Apache server. This open-source HTTP Web server answers requests for the HTML Web pages stored on your site.
Les logiciels libres ou open-source autorisent quiconque à consulter et éditer le code source afin d’y apporter modifications et améliorations. Cela a contribué à populariser Apache, qui est aujourd’hui le serveur Web le plus utilisé sur Internet. Les administrateurs Web peuvent utiliser Server Admin pour administrer les technologies Web sans connaissance préalable des réglages avancés ni des fichiers de configuration. Les administrateurs Web spécialistes d’Apache peuvent choisir d’administrer les technologies Web à l’aide des fonctions avancées d’Apache. En outre, les technologies Web de Mac OS X Server incluent un cache frontal qui améliore les performances des sites Web utilisant des pages HTML statiques. Grâce à ce cache, le serveur accède systématiquement aux donnés statiques chaque fois que cela est requis. Le service Web gère également le protocole WebDAV (Web-based Distributed Authoring and Versioning). Avec WebDAV, vos utilisateurs client peuvent consulter des pages Web, apporter des modifications, puis vérifier le résultat en temps réel. En outre, l’ensemble des commandes élaborées de WebDAV permet aux ordinateurs client fonctionnant sous Mac OS X d’utiliser un serveur Web compatible WebDAV de la même façon qu’un serveur de fichiers.8 Chapitre 1 Vue d’ensemble des technologies Web Dans la mesure où le service Web de Mac OS X Server utilise le serveur Apache, vous pouvez ajouter des fonctionnalités avancées à l’aide de modules Apache, dont la gestion du protocole SOAP (Simple Object Access Protocol), de Java et de langages CGI tels que Python. Principaux composants Web Les technologies Web de Mac OS X Server sont constituées de divers composants essentiels, qui offrent un environnement serveur souple et évolutif. Serveur Web Apache Apache est un serveur Web HTTP open-source que les administrateurs peuvent configurer avec l’application Server Admin. 
Apache présente une structure modulaire et le jeu de modules activé par défaut s’adapte à la plupart des utilisations. Server Admin peut contrôler quelques modules facultatifs. Les utilisateurs Apache expérimentés peuvent ajouter ou supprimer des modules, et modifier le code du serveur. Pour plus d’informations sur les modules, consultez “Modules Apache” à la page 69. Apache version 1.3 est installé dans Mac OS X Server. Apache version 2 est fourni avec le logiciel serveur à des fins d’évaluation ; il se trouve dans le répertoire /opt/apache2/. WebDAV WebDAV (Web-based Distributed Authoring and Versioning) est particulièrement utile pour la mise à jour de contenu sur un site Web. Les utilisateurs qui disposent d’un accès WebDAV au serveur peuvent ouvrir les fichiers, apporter des modifications ou effectuer des ajouts, puis enregistrer ces modifications. Vous pouvez également utiliser la fonctionnalité de gestion des royaumes de WebDAV afin de contrôler l’accès à tout ou partie du contenu d’un site Web. Prise en charge CGI CGI (Common Gateway Interface) représente l’interface de communication entre le serveur et les clients. Par exemple, les scripts CGI permettent aux utilisateurs de commander un produit sur un site Web ou d’envoyer des réponses à des demandes d’informations. Vous pouvez écrire les scripts CGI dans n’importe quel langage, notamment Perl et Python. Le dossier /Library/WebServer/CGI-Executables est l’emplacement par défaut des scripts CGI.Chapitre 1 Vue d’ensemble des technologies Web 9 Prise en charge SSL Le service Web prend en charge le protocole SSL (Secure Sockets Layer), permettant le cryptage des informations échangées entre le client et le serveur. SSL utilise un certificat numérique qui permet de certifier l’identité de son propriétaire au serveur et d’établir un échange sécurisé et crypté des informations. 
Dynamic Content with SSI (Server-Side Includes)
SSI (Server-Side Includes) lets you use the same content on several pages of a site. It can also instruct the server to run a script or insert specific data into a page. This makes updating content much easier: you change the information in a single place, and the SSI directive updates it on every page that includes it.

Front-End Cache
The web server includes a cache that improves the performance of websites that serve static pages. Static content stays in the cache after it is used, so the server can quickly retrieve that content when it is requested again.

Before You Begin
This section contains the information you need to set up your web server for the first time. It is a good idea to read this chapter even if you are an experienced web administrator, because some features and behaviors may differ from what you expect.

Configuring Your Web Server
You can use Server Admin to set up and configure most features of your web server. If you are an experienced Apache administrator and need Apache web server features that are not included in Server Admin, you can modify the appropriate configuration files. Note, however, that Apple does not provide technical support for modifications to the Apache configuration files. If you decide to modify a file, make a backup copy first, and use that copy if a problem occurs. For more on Apache modules, see the Apache Software Foundation website at http://www.apache.org.
Securing Transactions
To secure transactions on your server, set up SSL (Secure Sockets Layer) protection. SSL lets you send encrypted, authenticated information across the Internet. If you want to allow credit card use on your website, you can use SSL to protect the information that passes through your site.

For instructions on setting up secure transactions, see Chapter 5, “SSL (Secure Sockets Layer),” on page 51.

Setting Up Websites
To host a website, you must:
• Register your domain name with a domain name authority
• Create a folder for your website on the server
• Create a default page in the folder that users will see when they connect to the site
• Make sure DNS is set up correctly if you want clients to reach your website by name

Once you are ready to publish or enable your site, you can use Server Admin. The Sites pane of the Settings window lets you add a site and choose a set of settings for each hosted site. For details, see Chapter 3, “Managing Websites,” on page 27.

Hosting Multiple Websites
You can host several websites on your web server at the same time. Depending on how you configure your sites, they may share the same domain name, IP address, or port. However, the combination of domain name, IP address, and port must be unique for each site. Your domain names must be registered with a domain name authority such as InterNIC; otherwise the website associated with the domain will not be visible on the Internet. There is a fee for each new registration.
If you set up websites with several domain names and a single IP address, older browsers that do not support HTTP 1.1 or later (that is, browsers that do not send the “Host” request header) cannot reach your sites. This problem affects only software from before 1997 and does not concern modern browsers. If you think your users run older browser software, configure your sites with one domain name per IP address.

What WebDAV Is For
If you use WebDAV to create content dynamically on your website, you must create realms and set access permissions for users. Each site you host can be divided into several realms, each with its own users and groups that have either browsing or authoring permissions.

Defining Realms
When you define a realm, usually as a folder (or directory), the access permissions set for the realm apply to everything in that directory. If a new realm is defined for one of the folders inside an existing realm, only the new realm’s permissions apply to that folder and its contents. For more on creating realms and setting access permissions, see “Setting Access for Websites Using WebDAV” on page 35.

Setting WebDAV Permissions
The Apache process running on the server must have access to the website’s files and folders. To make this possible, Mac OS X Server installs a user named “www” and a group named “www” in the server’s Users & Groups list. The Apache processes that serve web pages run as the “www” user and as members of the “www” group.
You must give the “www” group read access to the website files so that the server can send those files to browsers when users connect to the sites. If you use WebDAV, both the “www” user and the “www” group need write access to the website files and folders. The “www” user and group must also be able to write to the /var/run/davlocks directory.

Understanding WebDAV Security
WebDAV lets users update a website’s files while the site is online. When WebDAV is enabled, the web server must have write access to the files and folders of the site that users are updating. This creates significant risk when other sites are running on the same server, because the people responsible for one site are then able to modify the others. You can avoid this problem by carefully setting the access permissions on the site’s files through the Sharing module of the Workgroup Manager application.

Mac OS X Server uses a predefined group named “www” that contains the Apache processes. You must give the “www” group read and write access to the website files. You must also give the website administrator (owner) Read & Write permission and give Everyone No Access. If you are concerned about your website’s security, you can choose to disable WebDAV and instead use the Apple file service or the FTP service to modify website content.

Understanding MIME (Multipurpose Internet Mail Extension)
MIME (Multipurpose Internet Mail Extension) is an Internet standard for specifying the software needed when a web browser requests a file of a certain type.
You can set the web server’s response according to the file’s extension. Your choices depend in part on the modules you have installed on your web server. Each pairing of a file extension with its response is called a MIME mapping.

MIME Extensions
An extension describes a file’s data type. Some examples:
• txt for text files
• cgi for Common Gateway Interface files
• gif for GIF (graphics) files
• php for PHP: Hypertext Preprocessor files (embedded HTML scripts), used for WebMail and so on
• tiff for TIFF (graphics) files

Mac OS X Server includes a default set of MIME extensions. This set includes all the extensions in the mime.types file distributed with Apache, plus a few additions. If an extension you need is not listed or does not behave as you want, use Server Admin to add the extension to the set or to change its behavior.

Note: Do not add or change MIME extensions by editing the configuration files.

Web Server Responses (Content Handlers)
When a file is requested, the web server handles it according to the response specified for that file type. The responses, also called content handlers, can be an action or a MIME mapping. Some of the possible responses are:
• Return the file as a MIME type (enter the mapping you want returned)
• Send-as-is (send the file as it is)
• CGI script (run a CGI script of your choice)
• Imap file (generate an IMAP email message)
• Mac-binary (download a file compressed in MacBinary format)

MIME mappings are divided into two subfields separated by a slash, for example text/plain. Mac OS X Server includes a default list of MIME mappings.
You can modify them and add others.

When you specify a MIME type as the response, the server identifies the type of data requested and sends the specified response. For example, if the browser requests a file with the “jpg” extension and the corresponding MIME mapping is image/jpeg, the server knows it must send an image file in JPEG format. The server’s only task is to serve the requested data.

Actions are handled differently. If you have associated an action with an extension, your server runs a program or script and the result is sent to the browser that made the request. For example, if a browser requests a file with the “cgi” extension and the associated response is the cgi-script action, the server runs the script and sends the resulting data to the browser.

Chapter 2 Managing Web Technologies

Use Server Admin for the initial setup of the web technologies and to manage web settings and components.

If you are familiar with web servers and their content, you can use this simplified procedure to get the web server started. For more detailed instructions, see the corresponding topics in “Using Server Admin to Manage Your Web Server” on page 17 and in Chapter 3, “Managing Websites,” on page 27.

Setting Up Your Web Server for the First Time

Step 1: Set up the Documents folder
When the server software is installed, a folder named Documents is automatically set up in the WebServer directory. Anything you want to make available through a website can be placed in this folder. You can create subfolders inside the Documents folder to organize the information. The folder is located at /Library/WebServer/Documents.
In addition, each registered user has a Sites folder in his or her home directory. Any graphic or HTML page stored in a user’s Sites folder can be displayed at the URL serveur.exemple.com/~nom_utilisateur/.

Step 2: Create a default page
The default page is displayed whenever users connect to your website. When the software is first installed, the index.html file in the Documents folder is the default page. Replace this file with your website’s home page and name it index.html. If you want to give the file a different name, be sure to add that name to the list of default index files and move it to the top of the list in the General pane of the site settings window in Server Admin. See “Setting the Default Page for a Website” on page 29 for instructions on specifying default index file names. For more on all of a website’s settings, see Chapter 3, “Managing Websites,” on page 27.

Step 3: Assign permissions for a website
The Apache processes that serve web pages must have read access to the files and read/execute access to the folders. For folders, execute access means the ability to read the names of the files and folders inside that particular folder. These Apache processes run as the www user, a special user created for Apache when Mac OS X Server is installed. The www user is a member of the www group. So, for the Apache process to reach the website content, the files and folders must be readable by the www user.
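The permission layout described here and in “Understanding WebDAV Security” above (www group read, write only when WebDAV is in use, Everyone no access), as an added shell example that is not part of Apple’s guide. The directory path is a parameter, the sample site it builds is constructed, and the ownership step is kept separate because it needs root.

```shell
#!/bin/sh
# Added example, not from Apple's guide: apply and check the permission
# layout the guide describes for a site folder. "www" is the Apache user
# and group the guide names; the directory path is whatever you pass.

# harden_site_perms DIR [readonly|webdav]
# Files: owner read/write; group read (and write when WebDAV is in use);
# everyone else: no access. Directories also get the execute (search) bit
# for owner and group, which Apache needs to list folder contents.
harden_site_perms() {
    dir="$1"
    mode="${2:-readonly}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    case "$mode" in
        webdav)   chmod -R u=rwX,g=rwX,o= "$dir" ;;
        readonly) chmod -R u=rwX,g=rX,o= "$dir" ;;
        *) echo "mode must be readonly or webdav" >&2; return 1 ;;
    esac
}

# chown_site DIR OWNER GROUP
# Gives the files to the site administrator and the www group, e.g.
# chown_site /Library/WebServer/Documents siteadmin www. Needs root.
chown_site() {
    chown -R "$2:$3" "$1"
}

# audit_site_perms DIR [GROUP]
# Lists objects that violate the layout; returns 0 only when none do.
audit_site_perms() {
    dir="$1"
    grp="$2"
    bad=0
    # Anything "everyone" can read, write or search (guide: Everyone = No Access).
    hits=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$hits" ]; then printf 'accessible to everyone:\n%s\n' "$hits"; bad=1; fi
    # Files the group cannot read: Apache (in group www) could not serve them.
    hits=$(find "$dir" -type f ! -perm -040 -print)
    if [ -n "$hits" ]; then printf 'not group-readable:\n%s\n' "$hits"; bad=1; fi
    # Directories the group cannot search: Apache could not list them.
    hits=$(find "$dir" -type d ! -perm -010 -print)
    if [ -n "$hits" ]; then printf 'not group-searchable:\n%s\n' "$hits"; bad=1; fi
    # Optional ownership check, e.g. audit_site_perms /Library/WebServer/Documents www
    if [ -n "$grp" ]; then
        hits=$(find "$dir" ! -group "$grp" -print)
        if [ -n "$hits" ]; then printf 'not in group %s:\n%s\n' "$grp" "$hits"; bad=1; fi
    fi
    return "$bad"
}

# make_sample_site
# Builds a constructed throwaway site folder with the kind of sloppy
# permissions (world-writable page, world-readable subfolder) the audit
# catches. Prints the path; the caller removes it.
make_sample_site() {
    site=$(mktemp -d "${TMPDIR:-/tmp}/site.XXXXXX")
    mkdir "$site/images"
    printf '<html><body>home</body></html>\n' > "$site/index.html"
    printf 'GIF89a\n' > "$site/images/logo.gif"
    chmod 0666 "$site/index.html"       # anyone on the host could edit the page
    chmod 0755 "$site/images"
    chmod 0644 "$site/images/logo.gif"
    printf '%s\n' "$site"
}

# Walk-through when run directly as site_perms.sh: audit, harden, audit again.
if [ "${0##*/}" = "site_perms.sh" ]; then
    site=$(make_sample_site)
    echo "== before =="; audit_site_perms "$site" || true
    harden_site_perms "$site" readonly
    echo "== after =="; audit_site_perms "$site" && echo "layout ok"
    rm -rf "$site"
fi
```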
You must therefore give the “www” group at least read-only access to your website’s files so that it can send those files to browsers when users connect to the site. Here is how:
• Make the files and folders readable by everyone, regardless of which user or group owns them.
• Make the “www” user the owner of the files and folders and make sure they are readable by the owner.
• Make the “www” group the owner of the files and folders and make sure they are readable by the group.

For more on assigning permissions, see the file services administration guide.

Step 4: Configure your web server
The default configuration works for most web servers that host a single website, but you can configure all the basic features of the web service and of websites through Server Admin. For more advanced configuration options, see Chapter 6, “Using Open-Source Applications,” on page 55.

To host users’ websites, you must configure at least one website.

To set up a site:
1 Open Server Admin.
2 Click Web in the list for the server you want.
3 Click Settings in the button bar.
4 In the Sites pane, click the Enabled button for the site you want to enable.
5 Double-click the site name and choose the configuration options you want for the site.

For more on these settings, see “Using Server Admin to Manage Your Web Server” on page 17 and Chapter 3, “Managing Websites,” on page 27.

Step 5: Start the web service
1 Open Server Admin and click Web in the list below the server name.
2 Click Start Service in the toolbar.

Important: Always use Server Admin to start and stop the web server. You can start it from the command line, but Server Admin will not show the change in status for several seconds. Server Admin is the preferred method for starting and stopping the web server and for changing its settings.

Step 6: Connect to your website
To make sure the website is working, open your browser and try to connect to the website over the Internet. If your site does not work correctly, see Chapter 8, “Solving Problems,” on page 73.

Using Server Admin to Manage Your Web Server
The Server Admin application lets you set and change most options for your web server.

To access the web settings window:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
Note: Click one of the five buttons at the top to display the settings in that pane.
3 Make the changes you want to the settings.
4 Click Save.

The server restarts when you save your changes.

Starting and Stopping the Web Service
You start and stop the web service from the Server Admin application.

To start or stop the web service:
1 In Server Admin, click Web in the list for the server you want.
2 Click Start Service or Stop Service in the toolbar.

If you stop the web service, users connected to a website hosted on your server are disconnected immediately.

Important: Always use Server Admin to start and stop the web server.
You can start it from the command line, but Server Admin will not show the change in status for several seconds. Server Admin is the preferred method for starting and stopping the web server and for changing its settings.

Starting the Web Service Automatically
The web service is set to start automatically when the server starts up (if it was running before the shutdown). This helps keep your websites available after a power failure or any other server failure. When you start the web service from the Server Admin toolbar, the service starts automatically every time the server restarts. If you disable the web service and then restart the server, you must re-enable the web service.

Changing MIME Mappings and Content Handlers
MIME (Multipurpose Internet Mail Extension) is an Internet standard for describing a file’s contents. The MIME Types pane lets you configure how the server responds when a browser requests certain file types. For more on MIME types and MIME type mappings, see “Understanding MIME (Multipurpose Internet Mail Extension)” on page 12.

Content handlers are Java programs used to handle the various MIME type/subtype combinations, such as text/plain and text/richtext. The server includes the MIME type in its response to a browser to describe the information being sent. The browser can then use its list of MIME preferences to decide how to handle the information. The server’s default MIME type is text/html, which indicates that a file contains HTML text.

The web server is configured to handle the most common MIME types and content handlers. You can add, change, or remove MIME mappings and content handler mappings.
In the Server Admin application, these mappings appear in two lists: MIME Types and Content Handlers. You can change the entries in each list and add or remove entries.

To add or change a MIME or content handler mapping:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the MIME Types pane, click the Add button below the appropriate list to add a mapping, or select a mapping and click the Delete or Edit button (if you choose Delete, you are done).
4 In the sheet that appears, do one of the following:
• For a new MIME type, enter each part of the name (separated by slashes), select the suffix and type its name, use the Add button to add the suffixes you want, then click OK.
• For a new content handler, type a name for the handler, select the extension and type its name, use the Add button to add the extensions you want, then click OK.
• To change a MIME type or content handler, edit its name as needed, select the extension and change it if necessary, add the suffixes you want with the Add button, then click OK.
5 Click Save.

If you add or change a handler that involves a CGI (Common Gateway Interface) script, be sure to enable CGI execution for your site in the Options pane of the Settings/Sites window.

Managing Connections
You can limit how long users stay connected to the server. You can also specify the number of simultaneous connections to the websites on the server.
Setting Simultaneous Connections for the Web Server
You can specify the number of simultaneous connections to your web server. When the maximum number of connections is reached, new requests receive a message stating that the server is busy.

Simultaneous connections are HTTP client connections that take place during a common time interval. Browsers often request several parts of a web page at the same time, and each of these requests is a connection. A high number of simultaneous connections is therefore possible if the site has pages with many elements and many users try to connect to the server at the same time.

To set the maximum number of connections to your web server:
1 In Server Admin, click Web to select the server you want.
2 Click Settings in the button bar.
3 In the General pane, type a number in the “Maximum simultaneous connections” field.
The maximum number of simultaneous connections ranges from 1 to 2048. The default maximum is 500, but you can set a different value based on the performance you want from your server.
4 Click Save.
The web service restarts.

Setting Persistent Connections for the Web Server
You can configure your web server to answer several requests from a client computer without closing the connection each time. Repeatedly opening and closing connections is inefficient and reduces performance. Most browsers request a persistent connection to the server, and the server keeps the connection open until the browser closes it. This means the browser is using a connection even when no information is being transferred.
You can allow more persistent connections (and so avoid sending a Server Busy message to other users) by increasing the number of persistent connections allowed.

To set the number of persistent connections:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the General pane, type a number in the “Maximum persistent connections” field.
The maximum number of persistent connections ranges from 1 to 2048. The default value of 500 gives better performance.
4 Click Save.
The web service restarts.

Setting a Connection Timeout Interval
You can specify a period after which the server drops an inactive connection.

To set the connection timeout interval:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the General pane, type a number in the “Connection timeout” field to specify how much time may pass between two requests before the web server disconnects the session.
The connection timeout ranges from 0 to 9999 seconds.
4 Click Save.
The web service restarts.

Setting Up Proxy Caching
A proxy server lets users find frequently used files on a local server. You can use a proxy server to speed up response times and reduce network traffic. The proxy keeps recently accessed files in a cache on your web server. Browsers on your network check for files in the cache before looking for them on remote servers.
To take advantage of this feature, client computers must specify your web server as the proxy server in their browser preferences.

If you want to set up a web proxy, be sure to create and enable a website for the proxy. You can turn off logging for the proxy site, or set the site to record its access log in a file separate from your other sites’ access logs. The site does not have to use port 80, although that is preferable for configuring web clients, since browsers use that port by default.

To set up a proxy server:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Proxy pane, click Enable Proxy.
4 Set the maximum cache size.
When the cache reaches this size, the oldest files are removed from the cache folder.
5 Type the path to the cache folder in the “Cache folder” field.
You can also click the Browse button to find the folder you want to use. If you are administering a remote server, the file service must be running on the remote server for the Browse button to work. If you change the default folder location, you must select the new folder in the Finder, choose File > Get Info, and set the owner and group to “www”.
6 Click Save.
The web service restarts.

Note: If the proxy is enabled, any site on the server can be used as a proxy.

Blocking Certain Websites From Your Web Server’s Cache
If your web server is set up as a proxy, you can prevent unacceptable websites from being cached.
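The host list the Proxy pane imports is a text file of host names separated by commas or tabs, and its last entry is ignored unless the file ends with a newline. The following added shell example, which is not part of Apple’s guide, normalizes such a list before you drag it into the Blocked Hosts field; the sample list it writes is constructed, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of Apple's guide: prepare a blocked-hosts list for
# the Proxy pane. The pane takes a text file of host names separated by
# commas or tabs and ignores the last entry if the file does not end with a
# newline. File names used here are placeholders.

# write_sample_list FILE
# Writes a constructed, deliberately messy list: mixed case, tab and comma
# separators, empty fields, a Windows line ending, a duplicate, and no
# trailing newline (so the last host would be dropped as-is).
write_sample_list() {
    printf 'Example.COM,ads.example.net\tTracker.example.org,,\r\nexample.com, last.example.net' > "$1"
}

# host_list_missing_newline FILE
# Succeeds when the file's last byte is not a newline. Command substitution
# strips a trailing newline, so a non-empty result means one is missing.
host_list_missing_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# normalize_host_list IN OUT
# Splits on commas, tabs and newlines, strips CR and surrounding spaces,
# lowercases, drops blanks and duplicates, and writes one host per line.
# awk's print supplies the final newline the pane requires.
normalize_host_list() {
    tr -d '\r' < "$1" | tr ',\t' '\n\n' | tr 'A-Z' 'a-z' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | awk 'NF && !seen[$0]++' > "$2"
}

# invalid_hosts FILE
# Prints entries that are not plain dotted host names (a URL with a scheme or
# path, an entry containing spaces) and returns 1 if any were found. The pane
# matches host names, so such entries would never block anything.
invalid_hosts() {
    bad=$(grep -Ev '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' "$1" || true)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Walk-through when run directly as blocked_hosts.sh: write the sample,
# normalize it, and report what is ready to import.
if [ "${0##*/}" = "blocked_hosts.sh" ]; then
    in=$(mktemp); out=$(mktemp)
    write_sample_list "$in"
    host_list_missing_newline "$in" && echo "input lacks a trailing newline; its last host would be ignored"
    normalize_host_list "$in" "$out"
    invalid_hosts "$out" || echo "fix the entries above before importing"
    echo "hosts ready to drag into the Blocked Hosts field:"; cat "$out"
    rm -f "$in" "$out"
fi
```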
Important: To take advantage of this feature, client computers must specify your web server as the proxy server in their browser preferences.

You can import a list of websites by dragging it to the sites list. The list must be a text file with host names separated by commas or tabs (also called csv and tsv strings). Make sure the last entry in the file ends with a carriage return/newline; otherwise it will be ignored.

To block websites:
1 In Server Admin, click Web for the server you want.
2 Click Settings in the button bar.
3 In the Proxy pane, click Enable Proxy.
4 Do one of the following:
• Click the Add button, type the URL of the website you want to block in the Add field, then click Add.
• Drag a list of websites (a text file in comma- or tab-separated format) to the “Blocked Hosts” field.
5 Click Save.
The web service restarts.

Using SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) provides security for a site and its users through server authentication, encryption of information, and preservation of message integrity.

About SSL
The SSL protocol was developed by Netscape and uses authentication and encryption technology from RSA Data Security, Inc. For more on the SSL protocol, see the following sites:
• www.netscape.com/eng/ssl3/draft302.txt
• http://developer.netscape.com/misc/developer/conference/proceedings/cs2/index.html

The SSL protocol sits between the application protocols (such as HTTP) and TCP/IP. This means that when SSL is running on the server and in the client software, all information is encrypted before it is sent.
The Apache web server in Mac OS X Server supports SSLv2, SSLv3, and TLSv1. You can find more on these protocol versions at www.modssl.org.

The Apache server in Mac OS X Server uses a public key/private key combination to protect information. A browser encrypts information using a public key provided by the server. Only the server has the private key that can decrypt that information.

When SSL is implemented on a server, a browser connects to it using the https prefix rather than http in the URL. The “s” indicates that the server is secure.

When a browser initiates a connection to an SSL-protected server, it connects to a specific port (443) and sends a message describing the ciphers it recognizes. The server replies with its strongest cipher, and the browser and the server continue to exchange messages until the server determines the strongest cipher that both the browser and the server can interpret. The server then sends its certificate (the Apache web server uses an ISO X.509 certificate) to the browser; this certificate identifies the server and is used to create an encryption key that the browser will use. At this point a secure connection has been established, and the browser and the server can exchange encrypted information.

Using WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) lets you make changes to websites while they are running. WebDAV is enabled for individual sites, and you must also assign access permissions for the sites and web folders. For details, see “Enabling WebDAV on Websites” on page 34.

Using Tomcat
Tomcat adds Java servlet and JSP (JavaServer Pages) capabilities to Mac OS X Server.
Java servlets are Java applications that run on your server, unlike Java applets, which run on the user’s computer. JavaServer Pages lets you embed Java servlets in your HTML pages.

You can set Tomcat to start automatically whenever the server starts up. This ensures that the Tomcat module starts again after a power failure or an unexpected server failure. You can use Server Admin or the command-line tool to enable the Tomcat module. See “Tomcat” on page 65 for more on Tomcat and its use with your web server.

Viewing Web Service Status
In Server Admin, you can determine the current status of the Apache server and see which server modules are active.

Web Service Overview
The Server Admin overview summarizes server activity.

To view the web service status overview:
1 Open Server Admin.
2 Click Overview in the button bar.

The Start/Stop Status Messages field shows a summary of server activity and the date and time the server was started. You can also view the activity logs for each site on your server. For details, see “Viewing Website Settings” on page 39.

Web Service Modules in Use
You can display the list of modules in use on the server, as well as the modules that are available but not in use.

To find out which modules are enabled:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Modules pane, scroll to see all the modules in use or available on the server.
Viewing Web Service Activity Logs

The web service in Mac OS X Server uses the standard Apache log format, so you can also use any third-party log analysis tool to interpret the data.

To view the log files:
1 In Server Admin, click Web in the list for the server you want.
2 Click Logs in the button bar.
3 Select the log you want to view from the list.
You can enable an access log and an error log for each site on the server. For details, see "Enabling Access and Error Logs for a Web Site" on page 31.

3 Managing Web Sites

Use the Server Admin application to set up and manage the main components of the web service.

You can administer the web sites on your server with Server Admin, an application that lets you define settings, specify folders and paths, enable various options and view the status of sites.

Using Server Admin to Manage Web Sites

The Sites pane in Server Admin lists the web sites and provides general information about each site. The Sites pane lets you add new sites or change the settings of existing sites.

To get to the Sites pane:
• In Server Admin, click Web in the list for the server you want, click Settings in the button bar, then click Sites. The pane displays the list of sites on the server.
• To edit a site, double-click its name.

Setting Up the Documents Folder for a Web Site

To make files available through a web site, put the files in the site's Documents folder. To organize the information, create folders inside the Documents folder.
The folder is located in /Library/WebServer/Documents/. In addition, each registered user has a Sites folder in their own home directory. Any graphics or HTML pages placed there are served at the following URL: http://serveur.exemple.com/~nom/.

To set up the Documents folder for your web site:
1 Open the Documents folder on your web server. If you have not changed the location of the Documents folder, it is at /Library/WebServer/Documents/.
2 Replace the index.html file with your web site's main page. Make sure the name of your main page matches the default document name set in the General tab of the site's Settings window. See "Setting the Default Page for a Web Site" on page 29 for more information.
3 Copy the files that should be available on your web site into the Documents folder.

Enabling a Web Site on a Server

Before you can enable a web site, you must create the site's content and set up its folders.

To enable a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, click the Add button to add a new site, or click the Enabled button for the site you want to enable. If the site is already listed, you are done.
4 In the General pane, type the fully qualified DNS name of your web site in the Name field.
5 Type the IP address and port number (any number up to 8999) for the site. The default port number is 80. Check that the number is not already used by another service on the server.
Important: to put your web site online on the server, you must give it a unique name, IP address and port number.
For more information, see "Hosting Several Web Sites" on page 10.
6 Type the path to the folder you set up for this web site. You can also click the Browse button to locate the folder to use.
7 Type the file name of your default document (the first page users see when they access your site).
8 Apply any other settings to the site and click Save.
9 Click the Back button in the upper right of the edit window.
10 Click the Enabled box next to the site's name in the Sites pane.
11 Click Save.
The web service restarts.

Changing the Default Web Folder for a Site

A site's default web folder is used as the site's root. In other words, it is the top level of the site's directory structure.

To change the default web folder for a site hosted on your server:
1 Log in to the server you want to administer.
2 Drag the contents of your previous web folder to the new web folder.
3 In Server Admin, click Web in the list for the server where the web site resides.
4 Click Settings in the button bar.
5 In the Sites pane, double-click the site in the list.
6 Type the path to the web folder in the Web Folder field, or click the Browse button and locate the new web folder (if you are accessing this server remotely, file service must be enabled; see the file services administration guide for details).
7 Click Save.
The web service restarts.

Setting the Default Page for a Web Site

The default page appears when a user connects to your web site by specifying a directory or host name rather than a file name.
A site can have several default pages (called default index files in Server Admin). If several index files are listed for a site, the web server displays the first file in the list that is present in the site's folder.

To set the default web page:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the General pane, click the Add button and type a name in the "Default index files" field. Do not use spaces in the name. This file must be located in the web site folder.
5 To have the server display a file as the default page, move it to the top of the list.
6 Click Save.
The web service restarts.
Note: if you plan to use a single index page for a site, you can keep index.html as the default index file and edit the contents of the existing file in /Library/WebServer/Documents.

Changing the Access Port for a Web Site

By default, the server uses port 80 for connections to the web sites on your server. You may need to change the port used for a particular web site, for example if you want to set up a streaming server on port 80. Make sure the number you choose does not conflict with those already in use on the server (for FTP, Apple file service, SMTP and so on).

If you change the port number of a web site, you must change every URL that points to the web server so that it includes the new port number.

To set the port for a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the General pane, type the port number in the Port field.
5 Click Save.
The web service restarts.

Improving Performance of Static Web Sites (Performance Cache)

If your web sites contain static HTML files and you expect very heavy traffic to your pages, you can enable the performance cache to improve server performance. It is enabled by default.

You should disable the performance cache in the following cases:
• You do not expect heavy use of your web site.
• Most of the pages on your web site are generated dynamically.

Effects of Using the Web Service Performance Cache

The web service performance cache is enabled by default and significantly improves the performance of most web sites. The sites that benefit most from the performance cache contain mainly static information that can fit entirely in RAM. The web site content is stored in the system's RAM, and clients can access it very quickly.

Enabling the performance cache does not always improve performance. For example, when the amount of static web content exceeds the server's physical RAM, using the performance cache increases swapping, which degrades performance. Also, when the server runs other services that need physical memory, such as AFP, the performance cache may be less effective or may even hurt the performance of those other services.

To enable or disable the performance cache for your web server:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Options pane, click Performance Cache to change its state.
5 Click Save.
The web service restarts.
You can also improve server performance by disabling the access log.

Enabling Access and Error Logs for a Web Site

You can set up error and access logs for the individual web sites you host on your server. Be aware, however, that enabling logs can slow down server performance.

To enable access and error logs for a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Logging pane, select the Enable Access Log checkbox to enable that log.
5 Set how often the logs should be archived by clicking the checkbox and typing a number of days.
6 Type the path to the folder where you want to store the logs. You can also click the Browse button to locate the folder to use.
If you are administering a remote server, file service must be running on that server for the Browse button to work.
7 Select a log format from the Format pop-up menu.
8 Edit the format string, if necessary.
9 Type the archive, location and level for the error log.
10 Click Save.
The web service restarts.
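The next section explains that Server Admin switches the CustomLog format between "%h" and "%{PC-Remote-Addr}i" depending on whether the web performance cache is on. The following added example (not code from the Apple guide) parses access-log lines written in either format and flags entries where "%h" recorded the server's own address, so the client IP was never logged; the sample log lines and the set of local addresses are constructed for the example.

```python
"""Recover the client IP from Mac OS X Server web access logs.

Added example, not code from the Apple guide. When the web performance
cache is enabled, the cache process is what connects to Apache, so "%h"
records the server's own address and only "%{PC-Remote-Addr}i" yields
the real client. The sample lines and LOCAL_ADDRS below are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# The two CustomLog format strings quoted in the guide.
FORMAT_NO_CACHE = '%h %l %u %t "%r" %>s %b'
FORMAT_WITH_CACHE = '%{PC-Remote-Addr}i %l %u %t "%r" %>s %b'

# Both formats write lines of the same shape; only the meaning of the first
# field differs (connecting host vs. value of the PC-Remote-Addr header).
LINE_RE = re.compile(
    r'^(?P<first>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def log_format_for(cache_enabled: bool) -> str:
    """Return the CustomLog format a site should use for its cache setting."""
    return FORMAT_WITH_CACHE if cache_enabled else FORMAT_NO_CACHE


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields; None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def client_ip(entry: Dict[str, str], local_addrs: Set[str]) -> Optional[str]:
    """Return the client IP for a parsed entry.

    If the first field is one of the server's own addresses, the line was
    written with "%h" behind the performance cache and the client address
    was never logged, so None is returned rather than a misleading value.
    """
    first = entry["first"]
    return None if first in local_addrs else first


def audit(lines: List[str], local_addrs: Set[str]) -> Dict[str, int]:
    """Count lines with a usable client IP versus lines that lost it."""
    counts = {"with_client": 0, "lost_client": 0, "unparsed": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
        elif client_ip(entry, local_addrs) is None:
            counts["lost_client"] += 1
        else:
            counts["with_client"] += 1
    return counts


# Constructed: the addresses this server answers on (assumption for the example).
LOCAL_ADDRS = {"127.0.0.1", "192.168.1.10"}

# Constructed sample lines: the first was logged with the corrected format,
# the second with "%h" while the cache was enabled, the third is not a log line.
SAMPLE_LOG = [
    '10.0.1.25 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '127.0.0.1 - - [10/Oct/2003:13:55:37 -0700] "GET /images/logo.gif HTTP/1.1" 200 1024',
    'not an access log line',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, LOCAL_ADDRS))
```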
About the New Web Service Access Log Format

In Mac OS X Server version 10.3, the web performance cache does not prevent the IP address of a remote client from being recorded in the access log. The web performance cache process now adds an HTTP header named "PC-Remote-Addr", containing the client's IP address, before passing a request to the Apache web server.

When the performance cache is disabled, the standard log format string in the CustomLog directive of the httpd.conf file is the same as in previous versions:
%h %l %u %t "%r" %>s %b

When the performance cache is enabled (the default), the "%h" element extracts the IP address of the local computer. To extract the IP address of the remote client instead, the log format string must be changed as follows:
%{PC-Remote-Addr}i %l %u %t "%r" %>s %b

When you use Server Admin to enable and disable the web performance cache for each site (virtual host), the CustomLog directive in each site's httpd.conf file is adjusted automatically so that the access logs always contain the correct remote client address.

Setting Up Directory Listings for a Web Site

When users specify the URL of a directory, you can display either a default web page (such as index.html) or a listing of the directory's contents. To set up directory listings, you must enable indexing for the web site.
Note: folder content listings are displayed only if the default documents cannot be found.

To enable indexing for a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Options pane, select Folder Listing.
5 Click Save.
The web service restarts.

Creating Indexes for Content Searching on a Web Site

Mac OS X Server version 10.3 continues to support the Apache module mod_sherlock_apple, which lets web browsers search for content on your web site. As in previous versions of the server, you must generate an index before content can be searched.

In earlier versions of the server, content indexes had to be created in Sherlock. You can now create them with the Finder. Select the folder containing the files to index, then choose File > Get Info. Click Content Index, then click Index Now. You can remove an index by clicking the Delete Index button in the Info window.

In addition, new constraints restrict the creation of index files. To create an index, you must own the folder and own all the files to be indexed in that folder. In the case of the contents of the /Library/WebServer/Documents folder, the folder and all the files in it are owned by root. Even though the folder and files are writable by members of the admin group, you must be logged in as root to create a content index.

Creating an index remotely or on a headless server is done with a command-line tool named indexfolder. See the man pages for more information on using this tool. The behavior of the indexfolder tool depends on the login window. If no one is logged in at the login window, the tool must be run as root. If an administrator is logged in, the tool must be run as that administrator.
Otherwise the tool fails and prints the following warning messages:
kCGErrorIllegalArgument : initCGDisplayState: cannot map display interlocks.
kCGErrorIllegalArgument : CGSNewConnection cannot get connection port.

Whether content indexing is done through the Finder or the indexfolder tool, a folder named ".FBCIndex" is created in the folder being indexed or in one of its parent folders.

Connecting to Your Web Site

Once your web site is set up, it is a good idea to view it in a web browser to check that everything appears as expected.

To make sure a web site is working properly:
1 Open a web browser and type the web address of your server. You can use either the server's IP address or its domain name.
2 Type the port number if you are not using the default port.
3 If you have restricted access to particular users, type a valid user name and password.

Enabling WebDAV on Web Sites

WebDAV (Web-based Distributed Authoring and Versioning) lets you make changes to web sites while they are running. If you enable WebDAV, you must also assign access privileges to the sites and web folders.

To enable WebDAV for a site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Options pane, select WebDAV and click Save.
5 Click Realms. Double-click a realm to edit it, or click the Add button to create a realm. The realm is the part of the web site that the user can access.
6 Type the name that is displayed when users log in. The default realm name is "sans_titre".
7 If you want to enable Digest authentication for the realm, choose Digest from the Authorization pop-up menu. Basic authorization is enabled by default.
8 Type the path to the location in the web site to which you want to restrict access, then click OK. You can also click the Browse button to locate the folder to use. If you are administering a remote server, file service must be running on the remote server for the Browse button to work.
9 Click Save.
The web service restarts.
Note: if you have disabled the WebDAV module in the Modules pane of Server Admin, you must re-enable it for the WebDAV option to take effect for a site. This is true even if the WebDAV option is selected in the site's Options pane. See "Apache Modules" on page 69 for more information about enabling modules.

Setting Access for Sites Using WebDAV

You can create realms to secure web sites. Realms are locations within a site that users can view or modify when WebDAV is enabled. When you define a realm, you can assign users browse and author privileges for it.

To add users and groups to a realm:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Realms pane, select the realm you want to edit. If no realm name is listed, create one using the instructions in "Enabling WebDAV on Web Sites" on page 34.
5 To set access for all users, do one of the following:
• If you want all users to be able to browse or author content, select Can Browse or Can Author for Everyone. When you select privileges for Everyone, the following options are available:
Browse lets all users with access to this realm see it. You can add users and groups to the Users or Groups list so that they can author as well.
Browse and Author lets all users with access to this realm see it and make changes to it.
• If you want to allow access to specific users only (not all users), do not select Can Browse or Can Author for Everyone.
6 To specify access for individual users and groups, click Users & Groups to open a drawer listing users and groups.
7 Click Users or Groups in the drawer's button bar to display the list you want.
8 Drag user names to the Users field or group names to the Groups field.
Note: you can also use the Add (+) button to open a sheet in which you type a user or group name and select the access options.
9 Select Can Browse and Can Author for each user and group you want.
10 Click Save.
The web service restarts.
Use the Realms pane to remove a user or group by selecting its name and clicking the Delete (–) button.
Permissions for Web Content Files and Folders and WebDAV

Mac OS X Server imposes the following constraints on web content files and folders (located by default in /Library/WebServer/Documents):
• For security reasons, web content files and folders must not be writable by everyone.
• By default, web content files and folders are owned by the root user and the admin group, so they can be modified by any administrator, but not by the "www" user or group.
• To allow the use of WebDAV, web content files must be readable and writable by the "www" user or group, and folders must be readable, writable and executable by the "www" user or group.
• If you need to modify web content files and folders while logged in as an administrator, they must be modifiable by the administrator.

If you want to use WebDAV, you must enable it in Server Admin and manually change the ownership of the web content files or folders to the "www" user and group. If you use WebDAV and want to make changes to web content files or folders while logged in as an administrator, you must change the permissions on the web content files and folders to "admin", make your changes, then set the permissions back to "www".

To add sites to your web server when using WebDAV:
1 Change the group permissions of the folder containing your web sites to admin (the default location of the folder is /Library/Webserver/Documents).
2 Add the new folder to the site.
3 Set the group permissions of the folder containing your web sites back to "www".

Enabling Built-in WebDAV Digest Authentication

You can enable Digest authentication for WebDAV realms in the Realms pane of Server Admin. For details, see "Setting Access for Sites Using WebDAV" on page 35.

Conflict Between WebDAV and the Web Performance Cache

If you enable both WebDAV and the web performance cache on one or more virtual hosts (sites), WebDAV clients may run into problems when they try to upload several files in the Finder; the upload may even fail. To avoid this problem, disable the web performance cache for virtual hosts that have WebDAV enabled. See "Improving Performance of Static Web Sites (Performance Cache)" on page 30 for more information about the performance cache.

Enabling a CGI (Common Gateway Interface) Script

CGI (Common Gateway Interface) scripts (or programs) exchange information between your web site and the applications that provide various services for the site.
• If a CGI script is to be used by only one site, install it in that site's Documents folder. The CGI script's name must end with the ".cgi" extension.
• If a CGI script is to be used by all sites on the server, install it in the /Library/WebServer/CGI-Executables folder. In that case, clients must include /cgi-bin/ in the site's URL. For example, http://www.exemple.com/cgi-bin/test-cgi.
• Check that the access privileges on the CGI file allow it to be executed by the "www" user. Because the CGI file is generally not owned by the web server, the file can be executed by anyone.
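Added example, not code from the Apple guide: a permission audit that applies the constraints above to a content tree, flagging entries that are writable by everyone, files and folders that the "www" user cannot read, write or search for WebDAV, and .cgi files that "www" cannot execute. The tree is constructed in a temporary directory, and the uid and gid of "www" are parameters rather than a lookup, so the example runs without a real server.

```python
"""Audit a web content folder against the WebDAV and CGI permission rules.

Added example, not code from the Apple guide. Constraints checked:
  - nothing under the content folder may be writable by everyone;
  - for WebDAV, "www" must be able to read and write files and to read,
    write and search folders;
  - a .cgi file must be executable by "www".
The sample tree is constructed in a temporary directory, and the uid/gid
of "www" are passed in as parameters rather than looked up.
"""
import os
import stat
import tempfile
from typing import List

READ, WRITE, EXEC = 4, 2, 1


def allowed(st: os.stat_result, uid: int, gid: int, perm: int) -> bool:
    """POSIX class check: owner bits if uid matches, else group, else other."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & perm)


def audit_web_tree(root: str, www_uid: int, www_gid: int,
                   webdav: bool = True) -> List[str]:
    """Return one finding per violated constraint, as 'relative/path: problem'."""
    findings: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Inspect the directory itself ("" below), then each file it contains.
        for name in [""] + sorted(filenames):
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are audited where they live
            rel = os.path.relpath(path, root)
            is_dir = stat.S_ISDIR(st.st_mode)
            if st.st_mode & stat.S_IWOTH:
                findings.append(f"{rel}: writable by everyone")
            if webdav:
                needed = [(READ, "read"), (WRITE, "write")]
                if is_dir:
                    needed.append((EXEC, "search"))
                for perm, label in needed:
                    if not allowed(st, www_uid, www_gid, perm):
                        findings.append(f"{rel}: www cannot {label}")
            if name.endswith(".cgi") and not allowed(st, www_uid, www_gid, EXEC):
                findings.append(f"{rel}: www cannot execute CGI")
    return findings


def build_sample_tree() -> str:
    """Constructed content folder: one correct file and two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="webcontent-")
    os.chmod(root, 0o775)

    def put(relpath: str, mode: int) -> None:
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), mode=0o775, exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)

    put("index.html", 0o664)        # rw for owner and group: fine
    put("upload.html", 0o666)       # writable by everyone: violation
    put("cgi-bin/test.cgi", 0o664)  # not executable: CGI violation
    os.chmod(os.path.join(root, "cgi-bin"), 0o775)
    return root


def audit_sample(as_www: bool = True) -> List[str]:
    """Build the sample tree and audit it, treating the current user as "www"
    (as_www=True) or as an unrelated account (as_www=False)."""
    root = build_sample_tree()
    if as_www:
        return audit_web_tree(root, os.getuid(), os.getgid())
    return audit_web_tree(root, 2**16 + 123, 2**16 + 456)  # ids nobody has here


if __name__ == "__main__":
    for line in audit_sample(as_www=True):
        print(line)
```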
To enable a CGI script for a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Options pane, select CGI Execution.
5 Click Save.
The web service restarts.

Enabling SSI (Server Side Includes)

Enabling SSI (Server Side Includes) lets a piece of HTML code or other information be shared by different web pages on your site. SSI can also work like CGI and run commands or scripts on the server.
Note: enabling SSI requires editing UNIX configuration files with the Terminal application. To enable SSI, you must be comfortable typing UNIX commands and using a UNIX text editor.

To enable SSI:
1 In the Terminal application, use the sudo command with a text editor to make the change as the superuser (root).
2 Add the following line to each virtual host for which you want to enable SSI:
Options Includes
Each site is in a separate file in the /etc/httpd/sites/ directory. To enable SSI for all virtual hosts, add the line outside any "virtual host" block.
3 In Server Admin for the server you want, click Settings in the button bar.
4 In the Sites pane, double-click one of the virtual host sites.
5 In the General pane, add index.shtml to the set of default index files for that site. Repeat this step for each virtual host site that uses SSI. See "Setting the Default Page for a Web Site" on page 29 for more information.
By default, the /etc/httpd/httpd.conf file managed by Server Admin contains the following two lines:
AddHandler server-parsed shtml
AddType text/html shtml
You can add MIME types in Server Admin from the MIME Types pane. The changes take effect when you restart the web service.

Viewing Web Site Settings

You can use the Sites pane in Server Admin to view the list of your web sites. The Sites pane shows:
• Whether a site is enabled
• The site's DNS name and IP address
• The port in use for the site
Double-click in the Sites pane to open the site details window, where you can view or change the site's settings.

Setting Server Responses to MIME Types and Content Handlers

MIME (Multipurpose Internet Mail Extension) is an Internet standard for specifying the software needed when a web browser requests a file with particular characteristics. Content handlers are similar and also use extensions to determine how a file is handled. A file extension describes the type of data in the file. Each extension, together with its associated response, is called a MIME mapping or a content handler mapping. For more information, see "About MIME (Multipurpose Internet Mail Extension)" on page 12.

To set the server response for a MIME type or content handler:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the MIME Types or Content Handlers pane, click the Add button, or select the item to change in the list and click the Edit button.
4 If necessary, type a name for a new MIME type or content handler, then type the file extension associated with this mapping in the Suffixes field. If you use the cgi extension, make sure you have enabled CGI execution for the web site.
5 Click Save.
The web service restarts.

Enabling SSL

To enable SSL (Secure Sockets Layer) protection for a web site, you must obtain the appropriate certificates. For details, see "SSL (Secure Sockets Layer)" on page 51. Once you have a certificate, you can set up SSL for a site.

To set up SSL for a web site:
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site in the list.
4 In the Security pane, select Enable SSL (Secure Sockets Layer).
5 Type a password in the Pass Phrase field.
6 Type the location of the SSL log file in the SSL Log File field. You can also click the Browse button to locate the folder to use. If you are administering a remote server, file service must be running on the remote server for the Browse button to work.
7 Type the location of each certificate file in the appropriate field (if necessary), or use the Browse button to select the location.
8 Click the Edit button for the Certificate File, Key File and CA File fields, then paste the contents of the appropriate certificate or key into the corresponding text field. Click OK each time you paste text.
9 Click Save.
10 Click Stop Service, wait a moment, then click Start Service.

Setting Up the SSL Log for a Web Site

If you use SSL (Secure Sockets Layer) on your web server, you can set up a file to log SSL transactions and errors.

To set up an SSL log:
1 In Server Admin, click Web for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site to edit.
4 In the Security pane, make sure the Enable SSL (Secure Sockets Layer) box is selected, then type the path to the folder where you want to keep the SSL log in the SSL Log File field. You can also use the Browse button to go to the folder.
5 Click Save.
The web service restarts.

Enabling PHP

PHP (PHP: Hypertext Preprocessor) is a scripting language embedded in HTML code, used to create dynamic web pages. PHP provides functions similar to those of CGI scripts, but handles a wide variety of database formats and can communicate across networks over many protocols. The PHP libraries are included in Mac OS X Server but are disabled by default. For more information about PHP, see "Installing and Viewing Web Modules" on page 69.

To enable PHP:
1 In Server Admin, click Web for the server you want.
2 Click Settings in the button bar.
3 In the Modules pane, scroll to php4_module in the list of modules, then click Enabled for the module, if necessary.
4 Click Save.
The Web service restarts.

User content on Web sites
The Mac OS X client has a Personal Web Sharing feature that lets a user place content in the Sites folder of his or her home directory to make it visible on the Web. Mac OS X Server offers far more extensive Web service features, including a form of personal Web sharing, but there are important differences between the Mac OS X client and Mac OS X Server.

Web service configuration
By default, on Mac OS X Server:
• The Web service ignores the files in the /etc/httpd/users/ folder.
• Workgroup Manager makes no changes to the Web service configuration.
• Folder listing is not enabled for users.
All folder listings produced by the Web service use the Apache FancyIndexing directive, which makes folder listings easier to read. In Server Admin, the Sites/Options pane of each site has a checkbox named Folder Listing. This setting enables folder listings for a specific virtual host by adding the "+Indexes" flag to the Apache Options directive for that virtual host. If folder listings are not explicitly enabled for each site (virtual host), file indexes are not displayed.
Site-specific settings do not apply outside the site; consequently, site settings do not apply to users' home directories. For users to have folder indexing in their home directories, you must add the appropriate directives to the Apache configuration files.
For a specific user, add the following directives inside the block in the httpd.conf file:
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all

Default content
The default content of the user's Sites folder is an index.html file with a few images. Note that this index.html file contains text describing the Personal Web Sharing feature of the Mac OS X client. The user should replace this index.html file with one suited to the content of his or her Sites folder.

Accessing Web content
Once the home directory has been created, the content of the Sites folder in the user's home directory is visible whenever the Web service is running. If your server is named exemple.com and the user's short name is "refuser", the content of the Sites folder is accessible at the URL http://exemple.com/~refuser. If the user has several short names, each of them can also be used after the tilde to reach the same content.
If the user has placed a content file named foo.html in the Sites folder, that file should be available at http://exemple.com/~refuser/foo.html. If the user has placed several content files in the Sites folder and cannot edit the index.html file to include links to them, the user can take advantage of the automatic folder indexing feature described earlier. If the "Enable folder listings" setting is on, an index list of file names is visible to browsers at the URL http://exemple.com/~refuser. The indexing settings also apply to subfolders of the user's Sites folder.
If the user adds a content subfolder named Exemple to the Sites folder, and either a file named index.html is present in the Exemple folder or folder indexing is enabled for that user's site, the folder is available to browsers at http://exemple.com/~refuser/Exemple.

The mod_hfs_apple module protects Web content against case insensitivity in the HFS file system
Mac OS X Server 10.3 introduces a new option that makes HFS file names case sensitive. With that option in use, the additional protection offered by mod_hfs_apple (discussed below) is not needed.
The HFS Extended volume format commonly used with Mac OS X Server preserves the case of file names but does not distinguish a file or folder named "Exemple" from one named "eXeMpLe". Without mod_hfs_apple, this can be a problem when Web content resides on such a volume and you try to restrict access to all or part of it with security realms. If you set up a security realm that requires browsers to supply a name and password for read-only access to the content of a folder named "Protege", browsers must authenticate to reach the following URLs:
http://exemple.com/Protege
http://exemple.com/Protege/secret
http://exemple.com/Protege/secret
By contrast, authentication would not be required for differently cased variants of those same URLs:
http://exemple.com/Protege
http://exemple.com/Protege/secret
http://exemple.com/Protege/secret
Fortunately, mod_hfs_apple blocks these attempts to bypass the security realm, and the module is enabled by default.
Note: mod_hfs_apple operates on folders; it is NOT intended to prevent access to individual files.
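The directory-case check described above, modelled in Python as an added example that is not Apple's module code. Assumptions: an in-memory tree stands in for a case-preserving but case-insensitive HFS+ volume under DOCROOT, REALMS mimics a security realm that Apache matches case-sensitively against DocumentRoot plus the requested URI, and the folder and file names are constructed (chosen to match the error-log line shown further down). It also shows the behaviour the note above describes: folder components are checked, the final file name is not.

```python
"""Model of the folder-case check mod_hfs_apple performs (added example)."""
from __future__ import annotations

DOCROOT = "/Library/WebServer/Documents"

# Constructed document tree: dict = folder, None = file.
TREE = {
    "Protected": {"secret": None, "Reports": {"q1.html": None}},
    "index.html": None,
}

# Security realm as Apache knows it: an exact, case-sensitive directory path.
REALMS = [DOCROOT + "/Protected"]


def _parts(uri: str) -> list[str]:
    return [c for c in uri.split("/") if c]


def realm_requires_auth(filename: str) -> bool:
    """Apache applies the realm only if the translated filename matches exactly."""
    return any(filename == r or filename.startswith(r + "/") for r in REALMS)


def resolve(uri: str) -> str | None:
    """Path HFS+ would actually open for URI (case-insensitive lookup), or None."""
    node, found = TREE, []
    for comp in _parts(uri):
        if not isinstance(node, dict):
            return None
        match = next((k for k in node if k.lower() == comp.lower()), None)
        if match is None:
            return None
        found.append(match)
        node = node[match]
    return DOCROOT + "/" + "/".join(found)


def hfs_apple_check(uri: str) -> tuple[bool, str | None]:
    """mod_hfs_apple rule: every *folder* component of the URI must match the
    case stored on disk; the final file name is not checked. Returns
    (allowed, error-log text in the module's "Mis-cased URI" form)."""
    comps = _parts(uri)
    node, canonical = TREE, []
    for comp in comps:
        match = next((k for k in node if k.lower() == comp.lower()), None)
        if match is None:
            return True, None            # nothing on disk: Apache answers 404 itself
        is_dir = isinstance(node[match], dict)
        if is_dir and match != comp:
            wants = DOCROOT + "/" + "/".join(canonical + [match]) + "/"
            return False, f"Mis-cased URI: {DOCROOT}/{'/'.join(comps)}, wants: {wants}"
        canonical.append(match)
        node = node[match]
        if not is_dir:
            break                        # a file was reached; nothing more to compare
    return True, None


def serve(uri: str, hfs_module_enabled: bool = True) -> str:
    """Outcome of a request: '403', '404', 'auth-required' or 'served-without-auth'."""
    if hfs_module_enabled:
        allowed, _log = hfs_apple_check(uri)
        if not allowed:
            return "403"
    if resolve(uri) is None:
        return "404"
    # Apache matches realms against DocumentRoot + URI in the *requested* case,
    # while HFS+ opens the file regardless of case: that gap is what the module closes.
    filename = DOCROOT + "/" + "/".join(_parts(uri))
    return "auth-required" if realm_requires_auth(filename) else "served-without-auth"
```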
A file named "secret" is accessible via the name "seCREt". This is correct behavior and does not allow security realms to be bypassed.
Because of the warning message that appears in the Web service error log for the mod_hfs_apple module, questions have been raised about what this module does. The warning messages do not indicate a problem with the operation of mod_hfs_apple. You can verify that mod_hfs_apple is working correctly by creating a security realm and attempting to bypass it with a variant of the real URL. Access is denied and the attempt is recorded in the Web service error log. Messages like the following may appear:
[Wed Jul 31 10:29:16 2002] [error] [client 17.221.41.31] Mis-cased URI: /Library/WebServer/Documents/PrOTecTED/secret, wants: /Library/WebServer/Documents/Protected/.

4 WebMail
Enable WebMail for your server's Web sites to give access to basic mail operations through a Web connection.
WebMail adds basic mail functions to your Web site. If your Web service hosts several Web sites, WebMail can provide access to the mail service on one of those sites or on all of them. The mail service is the same on all sites.

WebMail basics
The WebMail software is included in Mac OS X Server but is disabled by default. WebMail is based on SquirrelMail (version 1.4.1), a set of open-source scripts run by the Apache server. For more information about SquirrelMail, see the Web site www.squirrelmail.org.
WebMail users
If you enable WebMail, a Web browser user can:
• Compose and send messages
• Receive messages
• Reply to or forward received messages
• Maintain a signature that is automatically added to the end of each message sent
• Create, delete and rename folders, and move messages between folders
• Attach files to outgoing messages
• Retrieve files attached to incoming messages
• Maintain a private address book
• Set WebMail preferences, including the colors used in the Web browser
To use your WebMail service, a user must have an account on your mail server. To offer WebMail on your Web sites, you must have set up a mail server.
Users reach the WebMail page of your Web site by adding /WebMail to your site's URL, for example http://monsite.exemple.com/WebMail/. Users log in to WebMail with the name and password they use to connect to the regular mail service. WebMail has no authentication system of its own. For more information about mail service users, see the mail service administration guide.
When users log in to WebMail, their password is sent in the clear (unencrypted) over the Internet unless the Web site has been set up to use SSL. For instructions on setting up SSL, see "Enabling SSL" on page 40.
WebMail users can consult the SquirrelMail user manual at www.squirrelmail.org/wiki/UserManual.

WebMail and your mail server
WebMail's mail service is actually provided by your mail server. WebMail only provides access to the mail service through a Web browser.
It cannot provide mail service without a mail server. WebMail uses the Mac OS X Server mail service by default. If you are familiar with the Terminal application and UNIX command-line tools, you can designate another mail server. For instructions, see "Configuring WebMail" on page 47.

WebMail protocols
WebMail uses the standard mail protocols and requires that your mail server support them. These protocols are:
• IMAP (Internet Message Access Protocol) for retrieving incoming mail
• SMTP (Simple Mail Transfer Protocol) for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)
WebMail does not support retrieving incoming mail via POP (Post Office Protocol), even if your mail server supports that protocol.

Enabling WebMail
You can enable WebMail for the Web site(s) hosted by your Web server. Changes take effect when the Web service restarts.
To enable WebMail for a site:
1 Make sure your mail service is enabled and configured to provide IMAP and SMTP service.
2 Make sure IMAP mail service is enabled in the accounts of the users you want to give WebMail access to. For more information about mail settings in user accounts, see the user management guide.
3 In Server Admin, click Web in the list for the server you want.
4 Click Settings in the button bar.
5 In the Sites pane, double-click the site in the list.
6 In the Options pane, select WebMail.
7 Click Save. The Web service restarts.
Configuring WebMail
After enabling WebMail to provide basic mail functions on your Web site, you can change some settings to integrate WebMail with your site. To do so, edit the configuration file /etc/squirrelmail/config/config.php, or use the Terminal application to run an interactive configuration script with root permissions. In both cases you are actually changing the settings of SquirrelMail, the open-source software that provides the WebMail service to the Apache Web server of Mac OS X Server.
SquirrelMail, and therefore WebMail, has several options you can configure to integrate WebMail with your site. These options and their default settings are:
• Organization Name is displayed on the main WebMail page when a user logs in. The default name is "Mac OS X Server WebMail".
• Organization Logo specifies the relative or absolute path of an image file.
• Organization Title is displayed as the Web browser window title while a WebMail page is shown. The default name is "Mac OS X Server WebMail".
• Trash Folder is the name of the IMAP folder in which the mail service places messages the user deletes. The default name is "Deleted Messages".
• Sent Folder is the name of the IMAP folder in which the mail service places messages after sending them. The default name is "Sent Messages".
• Draft Folder is the name of the IMAP folder in which the mail service places the user's draft messages. The default name is "Drafts".
You can configure these and many other settings, such as the mail server designated to provide mail service to WebMail, by running an interactive Perl script in Terminal with "root" permissions. The script reads the original values from the config.php file, then writes the new values back to it.
Important: if you use the interactive configuration script to change SquirrelMail settings, you must also use the script to enter your server's domain name. Otherwise WebMail cannot send messages.
WebMail configuration settings apply to all Web sites hosted by your Web service.
To configure basic WebMail options:
1 In the Terminal application, type the following command and press Return:
sudo /etc/squirrelmail/config/conf.pl
2 Follow the instructions displayed in the Terminal window to change the SquirrelMail settings as needed.
3 Change the domain name to that of your server, such as exemple.com. The domain name is the first item in the Server Settings menu of the SquirrelMail script. This script reads the original values from the config.php file, then writes the new values back to it. If you do not enter the server's real domain name correctly, the interactive script replaces the original value, getenv(SERVER_NAME), with the same text enclosed in single quotes. The resulting value no longer works as a function call that retrieves the domain name, so WebMail cannot send messages.
WebMail configuration changes do not require restarting the Web service, unless users are logged in to WebMail.
For further customization of the appearance (for example, to give each of your Web sites its own look), you must know how to write PHP scripts.
You must also be familiar with the SquirrelMail plug-in architecture and be able to write your own SquirrelMail plug-ins.

5 SSL (Secure Sockets Layer)
Use SSL (Secure Sockets Layer) to secure transactions and encrypt communications for users of your server's Web sites.
To guarantee secure transactions on your server, for example to let users buy items on a Web site, set up SSL (Secure Sockets Layer) protection. SSL lets you send encrypted, authenticated information over the Internet. So if you want to allow credit card use through a Web site, use SSL to protect the information passing through that site.

Configuring SSL
When you generate a certificate signing request (CSR), the certificate vendor sends you a certificate to install on your server. It may also send you a CA certificate (ca.crt). Installing this file is optional. CA certificates are normally built into client applications such as Internet Explorer and let those applications verify that the server certificate was issued by the authorized vendor. However, CA certificates can change or expire, so some client applications may not be up to date.

Generating a CSR (Certificate Signing Request) for your server
The CSR is a file containing the information needed to set up your server's certificate.
To generate a CSR for your server:
1 Log in to your server using the root password and open the Terminal application.
2 At the prompt, type the commands below and press Return at the end of each one:
cd
dd if=/dev/random of=rand.dat bs=1m count=1
openssl genrsa -rand rand.dat -des 1024 > key.pem
3 At the next prompt, type a pass phrase, then press Return. The pass phrase you create unlocks the server's certificate key. Use this pass phrase to enable SSL on your Web server.
4 If it does not already exist on your server, create a directory at /etc/httpd/ssl.key. Make a copy of the key.pem file (created in step 2) and rename it server.key. Then copy server.key to the ssl.key directory.
5 At the prompt, type the command below and press Return:
openssl req -new -key key.pem -out csr.pem
A file named csr.pem is generated in your home directory.
6 At the prompt, type the following information:
• Country: the country in which your organization is located.
• State or Province: the full name of your state or province.
• Locality: the city in which your organization is located.
• Organization Name: the organization for which your domain name is registered.
• Organizational Unit: usually a department name or similar unit.
• Common Name of your Web server: the DNS name, such as serveur.apple.com.
• Email address: the address at which you want to receive the certificate.
The csr.pem file is generated from the information you entered.
7 At the prompt, type the following, then press Return:
cat csr.pem
The cat command displays the contents of the file created in step 5 (csr.pem). You should see the phrase "Begin Certificate Request", followed by a block of encoded text. The block ends with the phrase "End Certificate Request".
This is your certificate signing request (CSR).

Acquiring a Web site certificate
You must acquire a certificate for each Web site from a certificate authority. When acquiring your certificate, keep the following in mind:
• You must provide an InterNIC domain name registered to your company.
• If you are asked to choose a software vendor, select Apache Freeware with SSLeay.
• Since you have already generated a CSR, open your CSR file (at the prompt) with a text editor. Then copy and paste the contents of the CSR file into the appropriate field on the certificate vendor's Web site.
• You have one SSL certificate per IP address on your server. Because certificates are expensive and must be renewed every year, you can buy a certificate for a single host name and use the URL with that host name followed by the domain name, to avoid buying several certificates. For example, if your domain name is mywidgets.com, you can buy a certificate for the host name "buy" and customers will connect via the URL https://buy.mywidgets.com.
• The default certificate format for SSLeay/OpenSSL is PEM, which is really the DER format (Base64) with a header line and a footer line. For more information on certificate formats, see www.modssl.org.
At the end of the process, you receive an email message containing a "Secure Server ID". This is your server certificate. After receiving the certificate, save it on your Web server's hard disk as a file named server.crt.
Important: be sure to back up a copy of the certificate message or file.
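A check for what step 7 above shows and what the PEM bullet above describes: that the csr.pem you are about to paste into the vendor's form is one intact BEGIN/END block whose Base64 body decodes to a DER SEQUENCE of the declared length. This is an added example, not Apple's or OpenSSL's code; the request body it embeds is a constructed, tiny DER value standing in for a real CSR, and the same function handles a received server.crt by passing expected_label="CERTIFICATE".

```python
"""PEM armor and DER framing check for csr.pem / server.crt (added example)."""
from __future__ import annotations

import base64
import binascii
import re

_HEAD = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
_FOOT = re.compile(r"^-----END ([A-Z ]+)-----$")


def der_length(buf: bytes) -> tuple[int, int]:
    """Parse the length that follows the DER tag byte; return (length, header_size)."""
    if len(buf) < 2 or buf[0] != 0x30:      # 0x30 = SEQUENCE; CSRs and certificates start here
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                        # short form: one byte holds the length
        return first, 2
    n = first & 0x7F                        # long form: n further bytes hold the length
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return int.from_bytes(buf[2:2 + n], "big"), 2 + n


def pem_to_der(text: str, expected_label: str = "CERTIFICATE REQUEST") -> bytes:
    """Strip the PEM armor and return the DER bytes, or raise ValueError saying
    what is wrong (truncated paste, wrong block type, corrupted Base64, ...)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty file")
    head, foot = _HEAD.match(lines[0]), _FOOT.match(lines[-1])
    if not head:
        raise ValueError("missing BEGIN line")
    if not foot:
        raise ValueError("missing END line (truncated paste?)")
    if head.group(1) != foot.group(1):
        raise ValueError("BEGIN/END labels differ")
    if head.group(1) != expected_label:
        raise ValueError(f"wrong block type {head.group(1)!r}")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid Base64: {exc}") from None
    length, header = der_length(der)
    if header + length != len(der):
        raise ValueError("DER length does not match body (truncated or padded)")
    return der


# Constructed stand-in for csr.pem: a minimal DER SEQUENCE wrapped in CSR armor
# (a real request body runs to several hundred Base64 characters).
SAMPLE_DER = b"\x30\x06\x02\x01\x05\x02\x01\x07"   # SEQUENCE { INTEGER 5, INTEGER 7 }
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE REQUEST-----\n"
)


def check_pem(text: str, expected_label: str = "CERTIFICATE REQUEST") -> str:
    """'ok' when armor and DER framing are consistent, otherwise the reason."""
    try:
        pem_to_der(text, expected_label)
        return "ok"
    except ValueError as exc:
        return str(exc)
```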
Installing the certificate on your server
You can use Server Admin or the command-line tool to assign certificates to a site. To learn how to do this with Server Admin, see "Enabling SSL" on page 40.
To install an SSL certificate using the command-line tool in the Terminal application:
1 Log in to your server as administrator or superuser (also called "root").
2 If it does not exist on your server, create a directory with this name: /etc/httpd/ssl.crt
3 Copy server.crt (the file containing your Secure Server ID) to the ssl.crt directory.

Enabling SSL for the site
1 In Server Admin, click Web in the list for the server you want.
2 Click Settings in the button bar.
3 In the Sites pane, double-click the site on which you plan to use the certificate.
4 In the Security pane, select Enable SSL.
5 Type your CSR password in the Pass Phrase field.
6 Set the location of the log file in which SSL transactions will be recorded.
7 Click the Edit button and paste the text of your certificate file (the one you obtained from the certificate authority) into the Certificate File field.
8 Click the Edit button and paste the text of your key file (the key.pem file you set up earlier) into the Key File field.
9 Click the Edit button and paste the text of the ca.crt file into the CA File field. This is an optional file that you may have received from the certificate vendor.
10 Click Save.
11 Stop, then restart the Web service.
The Web server's SSL password is not accepted when entered manually
Server Admin lets you enable SSL with or without saving the SSL password. If you did not save the pass phrase with the SSL certificate data, the server prompts you for the pass phrase on restart, but it does not accept pass phrases entered manually. Use the site's Security pane in Server Admin to save the pass phrase with the SSL certificate data.

6 Using open-source applications
Familiarize yourself with the open-source applications Mac OS X Server uses to administer and provide Web services.
Several open-source applications provide essential Web service features. These applications are:
• Apache Web server
• JBoss application server
• Tomcat servlet container
• MySQL database

Apache
Apache is the HTTP Web server included with Mac OS X Server. You can use the Server Admin application to manage most server operations, but in some cases you may need to add or modify elements of the open-source Apache server. In that case, you must edit the Apache configuration files and modify or add modules.

Location of the main Apache files
The Apache configuration files and their locations have been simplified in Mac OS X Server 10.3. The locations of the main files are:
• The Web service's Apache configuration file is in the /etc/httpd/ directory.
• The site configuration files are in the /etc/httpd/sites directory.
• The Apache error log, very useful for diagnosing configuration file problems, is in the /var/log/httpd/ directory (with a symbolic link that presents the directory as /Library/Logs/WebServer/).
• Temporarily disabled virtual hosts are in the /etc/httpd/sites_disabled/ directory.
Note: all files in the /etc/httpd/sites/ directory are read and processed by Apache on a hard or soft restart. Every time you save changes, the server performs a soft restart. If you edit a file with a text editor that creates a temporary or backup copy, the server restart may fail because two files with nearly identical names are present. To avoid this problem, delete the temporary or backup files created by editing files in this folder.

Editing the Apache configuration files
You can edit the Apache configuration files if you need to work with Apache Web server features that are not integrated into Server Admin. To edit the configuration files, you must be an experienced Apache administrator and be familiar with text editing tools. Be sure to make a copy of the original configuration file before editing it.
The httpd.conf configuration file manages all the directives controlled by the Server Admin application. You can edit this file as long as you follow the conventions in place (as well as the comments in the file). It also contains a directive that includes the sites/ directory. That directory holds all the virtual hosts of this server. The files are named with the virtual host's unique identifier (for example, 10.201.42.7410_80_17.221.43.127_www.exemple.com.conf).
You can disable specific sites by moving them to the sites_disabled directory, then restarting the Web service. You can also edit the site files as long as you follow the conventions in the file.
A hidden file in the sites_disabled folder is named "default_default.conf". This file is used as a template for all new virtual hosts created in Server Admin. An administrator can edit the template file to customize it, taking care to follow the conventions established in the file.
For more information about Apache and its modules, see "Apache Modules" on page 69.

Starting and stopping the Web service with the apachectl script
The default way to start and stop Apache on Mac OS X Server is to use the Web module of Server Admin. If you want to use the apachectl script to start and stop the Web service instead of Server Admin, keep the following in mind:
• The Web performance cache is enabled by default. When the Web service starts, the main Web service process (httpd) and a webperfcache process start. The latter serves static content from a cache and passes requests on to httpd when necessary. The apachectl script included with Mac OS X Server is not aware of webperfcache. Consequently, if you have not disabled the performance cache, you must also use the webperfcachectl script to start and stop webperfcache.
• The apachectl script does not raise the soft process limit beyond the default value of 100. Server Admin raises this limit when it starts Apache. If your Web server receives a lot of traffic and relies on CGI scripts, the Web service may fail once the soft process limit is reached.
• The apachectl script does not start Apache automatically when the server restarts.

About the apachectl script and the soft process limit for the Web service
When Apache is started with the apachectl script, the soft process limit is 100, the default. When you use CGI scripts, this limit may not be sufficient. In that case, you can start the Web service through Server Admin, which sets the soft process limit to 2048. You can also type "ulimit -u 2048" before using apachectl.

Enabling Apache registration via Rendezvous
Since version 10.2.4 of Mac OS X and Mac OS X Server, the preinstalled Apache 1.3 Web service can register sites via Rendezvous. This feature, which lets Rendezvous-aware browsers (such as Safari) find sites by name, is implemented with a new Apache module, mod_rendezvous_apple. This module is different from the third-party mod_rendezvous module. Apache Rendezvous is not supported on the preinstalled Apache 2 Web service.
The mod_rendezvous_apple module lets administrators control how Web sites are registered with Rendezvous. The mod_rendezvous_apple module is disabled by default on Mac OS X Server.
To enable mod_rendezvous_apple on Mac OS X Server:
• To enable the module, use the Modules pane in Server Admin.
To configure mod_rendezvous_apple on Mac OS X Server:
• For additional logging, which can be useful when troubleshooting, find the LogLevel directive in the httpd.conf file and change it to a more verbose setting, such as "info".
Note: whenever users are added, restart the Web service so that their sites are registered.
As always, follow the rules Apple has added as comments in the configuration files. These rules explain how to edit the files safely.
Note that a user's home directory, which includes a Sites folder, may be missing if the administrator added the user without creating a home directory for that user. There are several ways to create a home directory, for example by adding the home directory in the Workgroup Manager application or by using the createhomedir command-line tool to create it.
Here is a complete description of the Apache configuration directives supported by the mod_rendezvous_apple module.

RegisterDefaultSite directive
• Syntax: RegisterMachine [port | main]
• Default: no registration if the directive is absent. The port defaults to 80.
• Context: server config
• Compatibility: Apache 1.3.x; Mac OS X and Mac OS X Server only
• Module: mod_rendezvous_apple
This directive controls how the computer name is registered for the default site with Rendezvous.
The RegisterDefaultSite directive causes the default Web site to be registered under the computer name, as shown in the Sharing pane of System Preferences. A port number can be specified, or the keyword "main"; in the latter case, the port number of the "main server" is used (outside any virtual host). On Mac OS X Server, do not specify "main", because all externally visible sites are virtual hosts and the main server is used exclusively for status. If the argument is omitted, port 80 is used. If the directive is absent, the computer name is not registered.
Rendezvous details: this directive causes the registration function to be called with an empty string as the name (so Rendezvous uses the computer name), “_http._tcp” as the service type (indicating a Web server), and an empty string as the TXT parameter (indicating the default Web site).

RegisterUserSite directive
• Syntax: RegisterUserSite username | all-users | customized-users [registrationNameFormat [port | main]]
• Default: no registration if the directive is absent; the registration name defaults to the long name. The port defaults to 80 and the host to “local”
• Context: server config
• Compatibility: Apache 1.3.x; Mac OS X and Mac OS X Server only
• Module: mod_rendezvous_apple
The RegisterUserSite directive causes the default Web site of the specified users to be registered. The first, mandatory argument is either a user name or the keyword “all-users” or “customized-users”. The “all-users” keyword causes all users in the hosts directory to be considered for registration. Registration takes place if the user is not a system user (user ID > 100), has an enabled Web site directory as specified by the UserDir directive, and only if that directory is accessible from the local host. A mount may be required if the user’s home directory is remote; if the home directory is not available, the user site is not registered. The “customized-users” keyword restricts registration to users whose index.html file in their Web site directory differs from the one in the standard user template.
In other words, it tries, as far as possible, to restrict registration to users who have customized their Web sites.
The second, optional argument determines the form of the name under which the user site is registered. It can be a format string, similar to the LogFormat directive. Certain directives in the format string are replaced by values:
%l - the user’s long name, such as Joe User
%n - the user’s short name, such as juser
%u - the user ID, such as 1234
%t - the HTML title of the user’s index file (determined by the DirectoryIndex directive; index.html by default) in the user’s default site folder (determined by the UserDir directive; Sites by default). For Mac OS X Personal Web Sharing, the default title of an uncustomized Web page is “Mac OS X Personal Web Sharing”.
%c - the computer name, as defined in the Sharing preference pane
The default is %l, that is, the long name. The second argument must be given if the third, optional argument is wanted. The third, optional argument can be used to specify a port number under which the HTTP service is to be registered, or the keyword “main”; in the latter case the port number of the “main server” is used (outside any virtual host). On Mac OS X Server, do not specify “main” for the port, because all externally visible sites are virtual hosts and the main server is used exclusively for status. If the port argument is omitted, port 80 is used. If the directive is absent, no user site registration is performed. This directive is not processed if the mod_userdir module is not loaded.
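The three rules the guide attaches to RegisterUserSite (mod_userdir must be loaded, UserDir and DirectoryIndex must come first, and “main” is not a port to use on Mac OS X Server) are easy to get wrong when editing httpd.conf by hand. The script below is an added example, not Apple’s code: it writes a constructed sample configuration and checks a file against those rules; the module identifiers in the LoadModule lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Apple guide): static sanity check of an httpd.conf that
# registers sites with mod_rendezvous_apple. Rules checked, as stated in the guide:
#   1. RegisterUserSite is ignored unless mod_userdir is loaded;
#   2. UserDir and DirectoryIndex must precede RegisterUserSite;
#   3. on Mac OS X Server the "main" port keyword should not be used, because every
#      externally visible site is a virtual host and the main server only serves status.
# Findings go to stderr; the number of findings goes to stdout.

# Write a constructed sample configuration to $1. The module identifiers in the
# LoadModule lines are assumptions for illustration, not copied from Apple's file.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule userdir_module libexec/httpd/mod_userdir.so
LoadModule rendezvous_apple_module libexec/httpd/mod_rendezvous_apple.so
UserDir Sites
DirectoryIndex index.html
# Default site under the computer name, on port 80
RegisterDefaultSite 80
# Only users who edited their index.html, registered as "<page title> (<short name>)"
RegisterUserSite customized-users "%t (%n)" 80
# A shared resource path (argument form follows the guide's syntax line)
RegisterResource /intranet 80
EOF
}

# Line number of the first occurrence of directive $1 in file $2, or 0 if absent.
# awk splits on whitespace, so a commented-out "#UserDir" line does not count.
first_line_of() {
    n=$(awk -v d="$1" '$1 == d { print NR; exit }' "$2")
    echo "${n:-0}"
}

check_rendezvous_conf() {
    conf=$1
    problems=0
    rus=$(first_line_of RegisterUserSite "$conf")
    if [ "$rus" -ne 0 ]; then
        # Rule 1: Apache 1.3 loads modules with LoadModule and/or AddModule lines
        if ! grep -Eq '^[[:space:]]*(LoadModule|AddModule)[[:space:]].*mod_userdir' "$conf"; then
            echo "$conf: RegisterUserSite present but mod_userdir is not loaded; the directive is ignored" >&2
            problems=$((problems + 1))
        fi
        # Rule 2: both directives must appear before RegisterUserSite
        for d in UserDir DirectoryIndex; do
            ln=$(first_line_of "$d" "$conf")
            if [ "$ln" -eq 0 ] || [ "$ln" -gt "$rus" ]; then
                echo "$conf: $d must appear before RegisterUserSite (line $rus)" >&2
                problems=$((problems + 1))
            fi
        done
    fi
    # Rule 3: "main" given as the port argument of any Register* directive.
    # grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
    mains=$(grep -Ec '^[[:space:]]*Register(DefaultSite|UserSite|Resource)[[:space:]].*[[:space:]]main[[:space:]]*$' "$conf" || true)
    if [ "$mains" -gt 0 ]; then
        echo "$conf: $mains Register* directive(s) use the 'main' port; give an explicit port on Mac OS X Server" >&2
        problems=$((problems + mains))
    fi
    echo "$problems"
}
```

Run `check_rendezvous_conf /etc/httpd/httpd.conf` after editing and before restarting Web service; a non-zero count means at least one registration will silently not happen.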
The UserDir and DirectoryIndex directives must precede the RegisterUserSite directive in the Apache configuration file.
Rendezvous details: this directive causes the registration function to be called with a string such as “Joe User” as the name, “_http._tcp” as the service type (indicating a Web server), a value such as “path=/~juser/” as the TXT parameter (which, after expansion by mod_userdir, indicates the user’s default Web site), and the appropriate port.

RegisterResource directive
• Syntax: RegisterResource path [port | main]
• Default: no registration if the directive is absent. The port defaults to 80
• Context: server config
• Compatibility: Apache 1.3.x; Mac OS X and Mac OS X Server only
• Module: mod_rendezvous_apple
The RegisterResource directive causes the specified resource path to be registered under the given name. The third, optional argument can be used to specify a port number, or the keyword “main”; in the latter case the port number of the “main server” is used (outside any virtual host). On Mac OS X Server, do not specify “main”, because all externally visible sites are virtual hosts and the main server is used exclusively for status. If the third argument is omitted, port 80 is used.
Rendezvous details: this directive causes the registration function to be called with the specified name, “_http._tcp” as the service type (indicating a Web server), “path=/specifiedpath” as the TXT parameter, and the appropriate port.

Using Apache Axis
You can use Apache Axis by writing Web applications that use the Axis libraries, then deploying the applications in Tomcat or JBoss. Unlike JBoss and Tomcat, Axis is not generally used as an application server.
Mac OS X Server version 10.3 includes a preinstalled version of Apache Axis (1.1), which works with the preinstalled Tomcat 4.1.24-LE. Apache Axis is an implementation of SOAP (Simple Object Access Protocol). You can learn more about SOAP at http://www.w3.org/TR/SOAP/. You can find more information about Axis at http://ws.apache.org/axis/. The Axis libraries are in the /System/Library/Axis directory. By default, Apple installs a sample Axis Web application in Tomcat. The Web application, known as axis, is in the /Library/Tomcat/webapps/axis directory. Once you have enabled Tomcat through the Application Server section of Server Admin, you can validate the preinstalled version of Apache Axis by browsing the URL:
http://example.com:9006/axis/
Replace “example.com” in the URL above with your host name. Note the non-standard Tomcat port. The first time you try the preinstalled version of Axis by browsing http://example.com:9006/axis/ and selecting the “Validate the local installation’s configuration” link, you should expect to see the following error messages:
• Warning: could not find class javax.mail.internet.MimeMessage from file mail.jar Attachments will not work See http://java.sun.com/products/javamail/
• Warning: could not find class org.apache.xml.security.Init from file xmlsec.jar XML Security is not supported See http://xml.apache.org/security/
Follow the instructions in the error messages if you need these optional components. See the Axis user guide on the Apache Axis Web site for more about using Axis in your Web applications.

Experimenting with Apache 2
Mac OS X Server version 10.3 includes Apache 2 for evaluation, in addition to the production version, Apache 1.3.
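The main caveat in this section is that Apache 1.3 and the evaluation Apache 2 are both configured to listen on port 80, so they cannot run side by side until one of them is moved. The script below is an added example, not Apple’s code: it collects the ports each configuration would bind (from Listen, Port and <VirtualHost ...:port> lines) and prints the overlap. The sample configuration files are constructed; the /etc/httpd paths for Apache 1.3 are assumptions, while /opt/apache2/conf/httpd.conf is the path the guide gives.

```shell
#!/bin/sh
# Added example (not from the Apple guide): find TCP ports that the production Apache 1.3
# and the evaluation Apache 2 under /opt/apache2 would both try to bind.
# A bind conflict here is only half the story: the guide notes that the Web performance
# cache, when enabled, may itself be the process on port 80, so confirm with
# "netstat -an | grep LISTEN" on the running server as well.

# Print the distinct ports named in the given configuration file(s), one per line.
# Handles "Listen 80", "Listen 10.0.0.1:80", "Port 80" and "<VirtualHost 10.0.0.1:80 *:8080>".
# Comments are stripped first; a <VirtualHost *> with no port is ignored (it inherits Port).
config_ports() {
    sed -e 's/#.*$//' "$@" | awk '
        tolower($1) == "listen" || tolower($1) == "port" {
            p = $2; sub(/^.*:/, "", p); if (p ~ /^[0-9]+$/) print p
        }
        tolower($1) ~ /^<virtualhost/ {
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/>$/, "", v)
                if (v ~ /:[0-9]+$/) { sub(/^.*:/, "", v); print v }
            }
        }' | sort -u
}

# $1 = Apache 2 httpd.conf; remaining arguments = Apache 1.3 configuration file(s).
# Prints the ports present in both sets (nothing when there is no conflict).
port_conflicts() {
    a2=$1; shift
    a=$(mktemp); b=$(mktemp)
    config_ports "$a2" > "$a"
    config_ports "$@" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Write constructed sample files into directory $1. On a real server you would pass
# /opt/apache2/conf/httpd.conf plus /etc/httpd/httpd.conf and the per-site files that
# Server Admin keeps under /etc/httpd/sites (paths for Apache 1.3 are assumptions).
write_sample_configs() {
    cat > "$1/httpd13.conf" <<'EOF'
# Constructed stand-in for the Apache 1.3 httpd.conf
Port 80
Listen 80
Listen 443
EOF
    cat > "$1/site.conf" <<'EOF'
# Constructed stand-in for a Server Admin site file
<VirtualHost 10.0.0.1:80>
    ServerName www.example.com
</VirtualHost>
EOF
    cat > "$1/apache2.conf" <<'EOF'
# Constructed stand-in for /opt/apache2/conf/httpd.conf
User www
Group www
Listen 80
<VirtualHost *:8080>
    ServerName dev.example.com
</VirtualHost>
EOF
}
```

With the samples, `port_conflicts apache2.conf httpd13.conf site.conf` prints 80; after changing the Apache 2 Listen directive (or moving all Apache 1.3 virtual hosts off port 80 in Server Admin) it prints nothing.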
By default, Apache 2 is disabled, and all Server Admin operations work correctly with Apache 1. If you want to experiment with Apache 2, note the following:
• It is installed in a separate location in the file system: /opt/apache2.
• It is not connected to Server Admin.
• It serves Web pages from /opt/apache2/htdocs.
• Its configuration is in the file /opt/apache2/conf/httpd.conf. Apple has modified this file so that the httpd processes run as user and group “www”. If you enable WebDAV with Apache 2, WebDAV clients running Mac OS X or Mac OS X Server version 10.1 can mount Apache 2 WebDAV volumes but cannot write to them, only read. WebDAV clients running version 10.2 do not have this problem.
• It is controlled by its own version of the apachectl script; to start it, type “sudo /opt/apache2/bin/apachectl start”.
• Although it is possible to run both versions of Apache, you must be careful. Make sure the two versions do not try to listen on the same port. Both are configured to listen on port 80, so you can either edit /opt/apache2/conf/httpd.conf to change the Listen directive, or use the Web section of Server Admin to set the port of all your virtual hosts to a value other than 80. Note also that if the Web performance cache is enabled, it may be the process listening on port 80.

JBoss
JBoss is an open-source application server designed for J2EE applications; it runs on Java 1.4.1. JBoss is a complete and widely used Java application server.
It provides a complete J2EE (Java 2 Platform, Enterprise Edition) technology stack, with features such as:
• An EJB (Enterprise JavaBean) container
• JMX (Java Management Extensions)
• JCA (Java Connector Architecture)
By default, JBoss uses Tomcat as its Web container, but you can use other Web containers if you wish, such as Jetty. You can use the Application Server section of Server Admin and the command-line tools in the Terminal application to administer JBoss. Server Admin integrates with the Watchdog process to make sure JBoss stays available once it has been started. You can use Server Admin to start one of the available JBoss configurations, stop JBoss, and view the log files. Two Web tools for use with JBoss are also included with Mac OS X Server, one for managing and configuring the JBoss server, the other for deploying existing applications. Both tools are in the /Library/JBoss/Application directory. For more information about JBoss, J2EE, and the tools, see the following guides:
• The Java Application Server Administration guide, which explains how to deploy and manage J2EE applications using JBoss on Mac OS X Server.
• The Java Enterprise Applications guide, which explains how to develop J2EE applications.
Both guides are available from Apple developer publications. Additional information about these Java technologies is available online.
• For JBoss, see www.jboss.org/.
• For J2EE, see java.sun.com/j2ee/.

To open the JBoss management tool:
• In Server Admin, click Application Server in the list for the server you want.
To start or stop JBoss:
1 In Server Admin, click Application Server in the list for the server you want.
2 Click Settings in the button bar.
3 Select one of the JBoss options. Do not select Tomcat Only.
4 Click Start Service or Stop Service.
JBoss is preconfigured to use a local configuration. With JBoss enabled, you can use the management tool to configure your server. For more information about configuring JBoss and using its command-line tools, see the Java Application Server Administration guide, which explains how to deploy and manage J2EE applications using JBoss on Mac OS X Server. This guide is available from Apple developer publications.

To change the JBoss configuration in use:
1 In Server Admin, click Application Server in the list for the server you want.
2 Click Settings in the button bar.
3 Do one of the following:
• Click Load Remote Configuration and type the location of a JBoss NetBoot server.
• Click Use Local Configuration and choose a configuration from the pop-up menu.

To administer JBoss:
1 In Server Admin, click Application Server.
2 Click Settings in the button bar.
3 Click Manage JBoss.
Note: the JBoss management tool must be running. You can use the Terminal application to set it as a startup item.
4 Make the changes you want in the management console.

Backing up and restoring JBoss configurations
You can use the Application Server section of Server Admin to back up and restore JBoss configurations.
To back up or restore a JBoss configuration:
1 In Server Admin, click Application Server in the list for the server you want.
2 Click Settings in the button bar at the bottom of the window.
3 Click Backup at the top of the window.
4 Click Back Up or Restore and go to the location where you want to store (or have stored) the configurations. The current configuration is backed up.

Tomcat
Tomcat is the open-source servlet container used as the official reference implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun through the Java Community Process. The current production version is Tomcat 4.1.x, which implements the Java Servlet 2.3 and JavaServer Pages 1.2 specifications. You can find more information from the following sources:
• For the Java Servlet specifications, see java.sun.com/products/servlets
• For the JavaServer Pages specifications, see java.sun.com/products/jsp
In Mac OS X Server 10.3, you can administer Tomcat through the Application Server section of Server Admin. Once Tomcat is started, its life cycle is managed by Server Admin, which guarantees that Tomcat restarts automatically after a power failure or after the server shuts down for any reason. For more information about Tomcat and its documentation, see http://jakarta.apache.org/tomcat/. For more information about the Java servlets you can use on your server, see the following sites:
• http://java.sun.com/products/servlet/
• http://java.sun.com/products/jsp/
To use Tomcat, you must first enable it. You can use Server Admin or the command-line tool to start Tomcat.
To start Tomcat using Server Admin:
1 In Server Admin, click Application Server in the list for the server you want.
2 Click Settings in the button bar.
3 Click Tomcat Only.
4 Click Start Service.

To start Tomcat in the Terminal:
1 Open the Terminal application.
2 Type the following commands:
cd /Library/Tomcat/bin
./catalina.sh start
To verify that Tomcat is running, use a browser to access port 9006 of your Web site by typing your site’s URL followed by :9006. If Tomcat is running, this URL displays the Tomcat home page.

MySQL
MySQL provides a relational database management solution for your Web server. With this open-source software, you can link data from different databases or tables and serve the information on your Web site. The MySQL Manager application simplifies setting up the MySQL database on Mac OS X Server. You can use MySQL Manager to initialize the MySQL database and to start and stop the MySQL service. MySQL is preinstalled on Mac OS X Server, with its various files in the appropriate locations. It is recommended that you upgrade MySQL when the time comes. You can install the new version in /usr/local/mysql, but MySQL Manager will not know about the new version of MySQL and will continue to control the preinstalled version. If you install a newer version of MySQL, use MySQL Manager to stop the preinstalled version, then start the new version through its configuration file.

Installing MySQL
Mac OS X Server version 10.3 includes the most recent version of MySQL, version 4.0.14.
Because it is preinstalled, you will not find it in the /usr/local/mysql directory. Instead, its components are distributed across the file system following standard UNIX conventions, with the executables in /usr/sbin and /usr/bin, the “man” pages in /usr/share/man, and the other items in /usr/share/mysql. When it is installed, the MySQL database is in the /var/mysql directory. A new version of MySQL will be published later at http://www.mysql.com. You will then be able to download the source and build it yourself (if the developer packages are installed), or download the appropriate binary distribution and install it yourself, following the instructions on that Web site. By default, these installations reside in the /usr/local/mysql/ directory. Consequently, if you install your own version of MySQL, you will have two versions of MySQL on your system. This is not a problem as long as you do not try to run both versions. Just take care to prefix commands intended for the new version with the full path (starting with /usr/local/mysql), or make sure your shell’s path variable is set to search your local directory first. The MySQL Manager application works only with the preinstalled version of MySQL; it does not work if MySQL is installed elsewhere. The paths of the various preinstalled MySQL components are stored in the following plist file: /Applications/Server/MySQL Manager.app/Contents/Resources/tool_strings.

If you are upgrading from Mac OS X Server 10.x and use MySQL
Mac OS X Server version 10.3 contains a new version of MySQL.
Earlier versions of the server contain MySQL 3.23.x; the version installed now is 4.0.14, the most recent production version. This is the version recommended by mysql.com. Your MySQL 3.23.x databases should work correctly with the new version of MySQL, but it is wise to back them up before upgrading. With MySQL 4.0.14, you can use several commands on your old databases to remove the dependency on the ISAM table format, which is now obsolete.
• Use mysql_fix_privilege_tables to enable the new security authorization features.
• Use mysql_convert_table_format (if all existing tables are in ISAM or MyISAM format), or use ALTER TABLE table_name TYPE=MyISAM on every ISAM table, to stop using the obsolete ISAM table format.
Read the instructions on the MySQL Web site at www.mysql.com/doc/en/Upgrading-from-3.23.html before using these commands. For more information about MySQL, see www.mysql.com.

7 Installing and Viewing Web Modules
Become familiar with the modules that provide the essential features and controls of Web service. The Apache Web server includes a series of modules that control how the server works. In addition, Mac OS X Server provides some modules with Macintosh-specific functions.

Apache modules
Modules plug into the Apache Web server software and add features to your Web site. Apache comes with some standard modules. You can also buy modules from software vendors or download them from the Internet. You can find information about the available Apache modules at www.apache.org/docs/mod.
To use Apache modules:
• To view the list of Web modules installed on your server, in Server Admin, click Web in the list for the server you want, click Settings in the button bar, then click Modules.
• To enable a module, select the Enabled checkbox next to its name, then click Save. Web service restarts automatically.
• To install a module, follow the instructions that come with it. The Web server loads modules from the /usr/libexec/httpd/ directory.

Macintosh-specific modules
Web service in Mac OS X Server installs some Macintosh-specific modules. These modules are described in this chapter.

mod_macbinary_apple
This module packages files in MacBinary format, which lets Macintosh files be downloaded directly from your Web site. A user can download a MacBinary file with a standard Web browser by adding “.bin” to the URL used to access the file.

mod_sherlock_apple
This module lets Apache perform relevance-ranked searches of the Web site using Sherlock. Once you have indexed your site with the Finder, you can provide a search field that lets users search your Web site.
• To index the contents of a folder, choose Get Info from the File menu.
Note: you must be logged in as the “root” user for the index to be copied into the Web directory so that a browser can use it.
Clients must add “.sherlock” to the URL of your Web site to reach a page that lets them search your site. For example, http://www.example.com/.sherlock.
mod_auth_apple
This module lets a Web site authenticate users by looking them up in the directory service domains that are part of the server’s search policy. When authentication is enabled, visitors to a Web site are prompted for a user name and password before they can access the information on that site.

mod_hfs_apple
This module requires users to type URLs for HFS volumes with the correct case (lowercase or uppercase). This module adds security for case-insensitive volumes. If a restriction exists for a volume, users receive a message telling them the URL was not found.

mod_digest_apple
The new mod_digest_apple module enables Digest authentication for a WebDAV realm.

mod_rendezvous_apple
The new mod_rendezvous_apple module lets administrators control how Web sites are registered through Rendezvous. For more information, see “Enabling Apache registration through Rendezvous” on page 58.

Open-source modules
Mac OS X Server includes the following open-source modules: Tomcat, PHP: Hypertext Preprocessor, and mod_perl.

Tomcat
The Tomcat module, which uses Java-like scripting, is the official reference implementation of two complementary technologies developed under the Java Community Process. For more information about Tomcat, see “Tomcat” on page 65. To use Tomcat, you must first enable it. To start Tomcat, use the Application Server section of Server Admin. For instructions, see “Tomcat” on page 65.

PHP: Hypertext Preprocessor
PHP lets you manage dynamic Web content with a server-side, HTML-embedded scripting language similar to C.
Web developers embed PHP code in HTML, which lets programmers put dynamic logic directly into an HTML script rather than writing a program that generates HTML. PHP provides CGI capability and supports a large number of databases. Unlike client-side JavaScript, PHP code runs on the server. PHP is also used to implement WebMail on Mac OS X Server. For more information about this module, see www.php.net.

mod_perl
This module integrates the complete Perl interpreter into the Web server, which lets Perl CGI scripts run without modification. Thanks to this integration, the code runs faster and uses fewer system resources. For more information about this module, see perl.apache.org.

8 Troubleshooting
If you have a problem with Web service or one of its components, see the tips and strategies in this chapter. From time to time you may run into a problem while setting up or managing Web services. This chapter describes some situations that can cause problems for Web service administration or for client connections.

Users cannot connect to a Web site on your server
Try the following strategies to find the problem:
• Make sure Web service is enabled and the site is online.
• Look at the Web service Overview window to verify that the server is running.
• Check the Apache access and error logs. If you are not sure what the messages mean, you can find explanations on the Web site at www.apache.org.
• Make sure users are entering the correct URL to connect to the Web server.
• Make sure the correct folder is selected as the default Web folder.
• Make sure the correct HTML file is selected as the default page.
• If your Web site is restricted to specific users, make sure those users have access permissions for your Web site.
• Make sure users’ computers are correctly configured for TCP/IP. If the TCP/IP settings are correct, use a “ping” test utility to check your network connections.
• Check whether it is a DNS problem. Try connecting with the server’s IP address instead of its DNS name.
• Make sure your DNS server’s entry for the Web site has the correct IP address and domain name.

A Web module is not working as expected
• Look at the error log in Server Admin to find out why the module is not working correctly.
• If the module came with the Web server, consult the Apache documentation for that module and make sure it behaves the way you expect.
• If you installed the module, consult the documentation that came with it to make sure it is correctly installed and compatible with your server software. For more information about the Apache modules supported for Mac OS X Server, see Chapter 7, “Installing and Viewing Web Modules,” on page 69 and the Apache Web site at www.apache.org/docs/mod/.

A CGI script is not working
• Check the permissions of the CGI file to make sure it is a CGI script executable by www.
If it is not, the CGI script cannot run on your server, even if you have enabled CGI execution in Server Admin.

9 Where to Find More Information
For information about configuration files and other aspects of the Apache Web service, see the following books:
• Apache: The Definitive Guide, 3rd edition, by Ben Laurie and Peter Laurie (O’Reilly & Associates, 2002)
• CGI Programming with Perl, 2nd edition, by Scott Guelich, Shishir Gundavaram, and Gunther Birznieks (O’Reilly & Associates, 2000)
• Java Enterprise in a Nutshell, 2nd edition, by William Crawford, Jim Farley, and David Flanagan (O’Reilly & Associates, 2002)
• Managing and Using MySQL, 2nd edition, by George Reese, Randy Jay Yarger, Tim King, and Hugh E. Williams (O’Reilly & Associates, 2002)
• Web Performance Tuning, 2nd edition, by Patrick Killelea (O’Reilly & Associates, 2002)
• Web Security, Privacy & Commerce, 2nd edition, by Simson Garfinkel and Gene Spafford (O’Reilly & Associates, 2001)
• Writing Apache Modules with Perl and C, by Lincoln Stein and Doug MacEachern (O’Reilly & Associates, 1999)
• For more information about Apache, see the Apache Web site: www.apache.org
• For a complete list of the methods used by WebDAV clients, see RFC 2518. RFC documents give an overview of a protocol or service that can be useful for beginning administrators, as well as more detailed technical information for experts. You can look up RFC documents by number on the Web site: http://www.faqs.org/rfcs/ (in English)

Glossary
IP address: A unique numeric address that identifies a computer on the Internet.
Apache: The open-source HTTP server built into Mac OS X Server. You can find detailed information about Apache at www.apache.org.
CGI (Common Gateway Interface): A script or program that adds dynamic functions to a Web site. A CGI script passes information between a Web site and an application that provides a service to the site. For example, if a user fills in a form on the site, a CGI script can send the message to an application that processes the data and returns a response to the user.
HTML (Hypertext Markup Language): A set of symbols or codes inserted in a file to be displayed by a Web browser. The markup tells the Web browser how to display the words and images of a Web page for the user.
HTTP (Hypertext Transfer Protocol): The client/server protocol for the Web. HTTP gives a Web browser a way to access a Web server and request hypermedia documents created in HTML.
IP (Internet Protocol): Also called IPv4. A method used together with TCP (Transmission Control Protocol) to send data from one computer to another over a local network or the Internet. IP sends the data packets, while TCP keeps track of them.
JavaScript: A scripting language used to add some interactivity to Web pages.