  • OS X Server is still a piece of crap

    I've written about OS X Server in the past and somehow I keep getting roped into dealing with these machines. The concept of OS X Server is great; a small business server that anyone can set up. The implementation, however, is quite lacking. Apple took open source software, like Apache, BIND, Open Directory and Jabberd, and slapped a GUI on it for configuring. In doing so, they either glossed over or forgot to implement many of the settings available in these products. My latest run-ins with OS X Server have to do with Jabberd, Open Directory and Apache.

    Let's start with Apache. First off, I needed Server Side Includes to be turned on. I didn't see a switch to do this, so I hacked on the actual config files. Second, I had to allow .htaccess files to override some of the default settings. Some may see this as a security risk, but this server is dedicated to one task, so again I had to hack on the config files. If the GUI is touched, my changes go away.
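
    The two hand edits described above can be scoped more tightly than a blanket override. The following is an added example, not the configuration from this server: the document root is a placeholder, and the choice of `FileInfo` as the override class that `.htaccess` needs is an assumption.

    ```apache
    # Constructed example; /srv/example-site is a placeholder document root.

    # Broad form, shown commented out for comparison: .htaccess may override
    # every directive class, and SSI pages may run programs via <!--#exec -->.
    #<Directory "/srv/example-site">
    #    Options +Includes
    #    AllowOverride All
    #</Directory>

    # Narrower form: SSI without exec, and .htaccess limited to named classes.
    <Directory "/srv/example-site">
        # Parse server side includes, but refuse #exec cmd and #exec cgi
        Options +IncludesNOEXEC
        # .htaccess may use FileInfo directives (AddType, ErrorDocument, ...)
        # and, under Options, may only set IncludesNOEXEC
        # (FileInfo is an assumption about what this site needs)
        AllowOverride FileInfo Options=IncludesNOEXEC
    </Directory>

    # Run the SSI output filter only on .shtml files
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    ```

    Running `apachectl configtest` after a hand edit catches syntax errors before the server is restarted.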

    Next, Jabberd. The issue here seems to be that Jabberd is buggy and the version of Jabberd included with Leopard server isn't up-to-date. There is no easy way to replace it with a newer version short of waiting for Apple. If I wanted to install everything by hand, I would have used Linux in the first place and not OS X Server. Apple either needs to respond faster with updates or provide ways to more easily replace major components. In this case, an OS X Server consultant came to me with an issue where he was trying to use a wildcard certificate for the iChat server (Jabberd) and couldn't get it to work. Server Admin said everything was fine, but when I dove into the logs, I saw that there was an issue where Jabberd didn't like the chained SSL Certificate (which is pretty standard, in my opinion).

    Lastly, Open Directory. This one is actually a huge security issue. While setting up an iCal server, I needed to secure it before it went into production. I managed to use LDAP Browser/Editor to anonymously bind to the server despite checking all the boxes to prevent anonymous binding. After talking with a friend at Apple who got an answer from someone in the know, this is a known issue. If you secure Open Directory properly, it breaks other things. In my case, it doesn't matter because our use of Open Directory will be limited. So, I have to hack on Open Directory to change a string somewhere. Furthermore, the root password's SHA1 hash can be browsed by anyone! Why is this bad? Well, if you use a bad root password, someone doesn't have to keep running a script trying to get into your server (which you could block); a hacker just needs to copy the SHA1 hash and then run a tool that generates SHA1 hashes from common words and presto! (I found a few tools doing a quick search.) You might argue that this isn't bad because you could run an attack and try lots of passwords; however, smarter servers/firewalls will block users after a certain number of tries and then possibly increase the time allowed between tries, thereby making a brute-force attempt much more time consuming than doing it "offline".

    People could argue that the Open Directory issue is there for anyone using OpenLDAP (which Open Directory is), but Apple conceals so much from the user, that it is Apple's responsibility to secure these machines as a large majority of people using them don't have a clue about security. I work with one good IT person and he wasn't aware of the open services on his server; he just turned stuff on to get it to work. I had to help him lock everything down with the firewall.

    One thing I really like about OS X Server is that you can use SuperDuper! to back it up and restore it. Other than that, you should treat OS X Server like Linux and ignore the GUI admin tools.

  • Value of a lifetime warranty?

    Several months ago, a friend told me that a little-known fact is that most residential faucets come with a lifetime warranty (OK, maybe not little known, but until I started ReceiptWallet, I could never find manuals/warranties). I put in our kitchen faucet when we moved in about 4 years ago. I noticed that it was chipping and it annoyed me. So I took pictures (my friend said that Delta faucet would accept digital pictures instead of sending the whole thing back) and Delta sent me replacement parts. Yeah! I probably would have eventually bought a new faucet as I would have expected them to want it back, so I saved myself a bunch of money.

    While it was great that they sent me the parts (not a new faucet), taking apart the old faucet and putting in the new parts took me almost 2 hours and a lot of effort. I don't expect that most people would take advantage of the warranty for this reason alone. With a lifetime warranty, I'd expect the faucet's finish to last more than 4 years. I'm sure I'll be asking for more replacement parts in the future. Now that I know how to disassemble it, it shouldn't be all that difficult.

  • Hamstrung by lack of RAM

    Lately I've noticed that my machine is quite slow and appears to lock up for seconds at a time, causing me to pound the keyboard. It is a 2-year-old first generation MacBook Pro so that could explain a lot. However, I installed iStat Menus and turned on the CPU and memory items. It turns out that my processor isn't maxed out all that often (usually only during compiles). When memory usage tops 50%, things start to slow down. As long as I keep memory usage below this, I seem to be OK. This indicates to me that once the OS starts paging to disk, all hell breaks loose. Of course, this is obvious as hard drives are much slower than RAM, but I always like to have lots of stuff open and never paid much attention to RAM usage; with virtual memory, it is easy to lose sight of RAM.

    Is there anything I can do about this? Nope. My machine has 2 GB of RAM and that's all it can handle. Once Apple releases new MacBook Pros, I'll be ordering one immediately and loading it up with at least 4 GB of RAM (the new machines can handle 4 GB of RAM; hopefully newer ones can go higher). This also brings up something interesting; Apple's RAM prices are no longer completely outrageous. The current price for loading in 4 GB of RAM in a MacBook Pro is $200 whereas The Chip Merchant sells it for about $100. While it is double, it is significantly less than it was in the past.

  • Memory leaks, oh my!

    Even though I've been using Xcode for something like 5 years, I learn something new about it and its related tools all the time. This week I started playing with Instruments and the Leaks tool in particular. I was horrified at the number of memory leaks I found in ReceiptWallet. While they weren't large, I'm ashamed that I had any (there were maybe a dozen or so). It also showed me that some of the system libraries I'm using (in particular TWAIN and Image Capture) also seem to have memory leaks. I feel much better that I squashed the leaks. They probably won't affect users, but having memory leaks is just bad.