Advanced User Configuration

The Workgroup Manager tool affords a variety of advanced user configuration options that you may find useful. For example, you may not want a user to be able to log in remotely via the command line. Or, if they do have remote terminal access, you can dictate what type of shell they use.

This discussion assumes you've already created additional user accounts on your server. If you haven't, refer to the instructions for creating a basic user account in Chapter 2, "Server Tools."

To configure the shell type:

1.	Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 4.21). Figure 4.21. Open Workgroup Manager, and authenticate as an administrator.
2.	Click the Accounts icon in the Toolbar and the User icon in the account types tab. User information is displayed (Figure 4.22). Figure 4.22. Click the Accounts button and the User tab in Workgroup Manager.
3.	Click the directory authentication icon , and select the appropriate directory database from the pop-up menu (Figure 4.23). Figure 4.23. Select the appropriate directory database from the selection pop-up menu.
4.	Select the user or users you wish to configure from the user list (Figure 4.24). Figure 4.24. Choose a user from the selected database.
5.	In the user settings frame, click the Advanced tab .
6.	Click the Login Shell pop-up menu, and then choose a default shell (Figure 4.25). Figure 4.25. Choose an option from the Login Shell pop-up menu. The login shell permits users to use the Terminal to access the server remotely via the command line.
7.	When you've finished making changes, click the Save button . Now, any time this user attempts to launch a command-line interface (generally, using the Terminal application), they will be presented with the shell type defined by this setting.

Tip

You can define a custom shell type or script file by selecting Custom from the Login Shell pop-up menu.

Does Susan Need to See a Shell?

A shell is Unix geek speak for a specific type of command-line environment. Believe it or not, there is more than one way to input cryptic strings of characters into the command line. Basically, the reason for all these different shell types boils down to user preference. For instance, the default shell for Mac OS X 10.3 is the bash shell, which is common among Linux systems. Prior to Mac OS X 10.3, the default shell was tsch, which is common among BSD Unix systems.

You can't really see a shell; you just know that when you type in commands, they belong to a particular shell type. Most users will be content with the bash shell, which is the default shell when you're creating users.

Configuring password types

Mac OS X Server 10.3 provides a variety of different password types for different services. The default password type for most users is Open Directory, because it provides the greatest security. (See Chapter 3, "Open Directory," for more information.) Occasionally, though, you may wish to change a user's password from one type to another. The most common reason for doing so is backward compatibility when you have older Mac OS clients (such as System 8.1) that need to connect to your Mac OS X Server.

The password types are as follows:

Open Directory passwords are the default type for Mac OS X Server 10.3. Open Directory provides single sign-on using Kerberos authentication. This service also provides authentication through a wide variety of other protocols including APOP, SMB-NT, DHX, CRAM-MD5, SMB-LAN Manager, and Web-DAV.

Shadow passwords are the default type for Mac OS X Client. If you as an administrator wish to use shadow passwords and not take advantage of the Open Directory password structure, you can do so.

Crypt passwords are the default type for Mac OS X version 10.1 and earlier. This type of password should only be used for backward compatibility.

To configure the password type:

1.	In Workgroup Manager, navigate to configure the user's Advanced account attributes (Figure 4.26). Figure 4.26. Navigate to the Advanced tab in Workgroup Manager.
2.	Depending on whether the user account is in a local or a shared directory, select one of the following options from the User Password Type pop-up menu: If the user account is in a local directory, your choices include Open Directory and Shadow Password (Figure 4.27). Figure 4.27. The User Password Type pop-up menu includes these options for a local user account... If the user account is in a shared directory, your choices include Open Directory and "Crypt password" (Figure 4.28). Figure 4.28. ...and these options for a network user account.
3.	Enter and verify a password, and click OK (Figure 4.29). Figure 4.29. Enter a new password.
4.	When you've finished making changes, click the Save button . Remember to test authentication from a client computer to verify the new password.

Tip

When you're changing the password type, you'll be prompted to enter a new user password. However, it can be the same as the old password.

Adding comments to a user account

As an organizational aide, Mac OS X Server lets you add a comment to any user account. This comment is primarily used for administrators to add notes or information about a particular user. However, you can also use comments as part of your search criteria to find a specific account among a large list of users. (User searches are covered in the task "To search user accounts.")

To add a comment to a user account:

In Workgroup Manager, navigate to configure the user's Advanced account attributes (Figure 4.30).

Figure 4.30. Navigate to the Advanced tab in Workgroup Manager.

Double-click in the Comment field, and enter your comment (Figure 4.31).

Figure 4.31. Double-click in the Comment field, and enter your comment.

When you've finished making changes, click the Save button .

Tip

You can change a comment at any point by entering new text.

Adding keywords to a user account

As yet another organizational aide, Mac OS X Server lets you add keywords to any user account. A keyword provides an additional bit of information to quickly find specific accounts among a large list of users. Keywords help further define users through categories you create, such as Temporary worker, or your personal rating system for each user's computer experience and knowledge.

Say, for example, that you had 50 users. You could rate them with the following keywords: Novice, Intermediate, Expert, Certified, Mac OS X, Mac OS 9, Windows, and/or Unix. You could take that even further by entering application(s) they know well. You could also enter certifications they've received, such as Apple's ACHDS and ACTC. These keywords could be combined to allow you to search accounts for users who were trained or knowledgeable in a specific field. (User searches are covered in the task "To search user accounts.") Initially, no keywords are configured.

To add a keyword to a user account:

1.	In Workgroup Manager, navigate to configure the user's Advanced account attributes (Figure 4.32). Figure 4.32. Navigate to the Advanced tab in Workgroup Manager.
2.	Click the Edit button . The "Manage available keywords" dialog drops down (Figure 4.33). Figure 4.33. The "Manage available keywords" dialog drops down.
3.	Enter your keyword in the lower field, and click the Add button to add that keyword to the list. To delete a keyword, select the word and then click the Delete button .
4.	When you've finished managing the keyword list, click the OK button .
5.	Click the Add button next to the Keywords field. The Select dialog drops down (Figure 4.34). Figure 4.34. The Select dialog appears.
6.	Select the keywords you want to add to the user account, and then click the OK button .
7.	When you've finished making changes, click the Save button .

Tips

You can always add more keywords at any time, or delete them by clicking the Delete button .
Keywords are case sensitive. In other words, the keyword Temporary is different than the keyword temporary.
You can select multiple items in the Select dialog by holding down the Command or Shift key on your keyboard while you make your selections.

Searching user accounts

Because Mac OS X Server has the potential to host thousands of user accounts, you may find it difficult to locate a specific account in the user list. Workgroup Manager lets you sort through the user list using a variety of search criteria, including Name, User ID, Comments, and Keywords. (For more about adding comments and keywords, see the previous tasks.)

To search user accounts:

1.	Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 4.35). Figure 4.35. Open the Workgroup Manager tool, and authenticate as an administrator.
2.	Click the Accounts icon in the Toolbar and the User icon in the account types tab (Figure 4.36). Figure 4.36. Click the Accounts button and the User tab in Workgroup Manager.
3.	Click the directory authentication icon , and select the appropriate directory database from the pop-up menu (Figure 4.37). Figure 4.37. Select the appropriate directory database from the selection pop-up menu.
4.	Click the Spyglass icon above the user list, and select the search category you wish to use from the pop-up menu (Figure 4.38). Figure 4.38. Select the search category you wish to use from the pop-up menu.
5.	Enter your search criteria in the field above the user list. As you type, the list is automatically pared down to reveal the user accounts that fit your search criteria (Figure 4.39). Figure 4.39. Entering a keyword search filters the user list.
6.	To bring your list back to its full length, delete the search criteria.