Tag Archives: macOS

Installing Homebrew on El Capitan when SSL won’t give you a handshake

This is a tech post for tech people who like to tech out their Macs using Homebrew.

(With apologies to those who have no clue what I’m talking about.)

If you’re trying to do a clean install of Homebrew using the instructions on http://brew.sh, you might get this error:

curl: (35) Server aborted the SSL handshake

Apparently something is currently broken about accessing GitHub-hosted raw content via https://raw.githubusercontent.com. It’s probably nothing to do with your curl version.

Here’s an alternate install command that worked for me:

/usr/bin/ruby -e "$(curl -fsSL https://github.com/Homebrew/install/raw/master/install)"

You’re welcome.

UPDATE: it’s possible I was experiencing this issue due to intermittent problems with Telstra’s network.

How to stop Photos.app opening whenever you connect a memory card

Yo Apple, Photos.app is really great and everything, but those of us who use third-party photo production software for ingestion and processing don’t want to see it EVERY TIME WE PLUG A MEMORY CARD INTO OUR MAC. (We don’t want to see it when we connect our iPhone, either. We only do that when Facebook Too Much Very Important Work has killed our phone battery.)

A user-friendly toggle to disable this for all devices would be super. Perhaps under System Preferences > CDs and DVDs?

Meanwhile, fellow photographers, here’s a terminal command that will safely disable the automatic opening of Photos.app when you least expect it. Copy and paste everything after the $ into Terminal.app and press Return:

$ defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES

Unlike some of the other workarounds on the Internet, this one works even when you regularly re-format your memory cards (as most of us do). And it doesn’t require you to delete Photos.app, which might potentially break something somehow. No reboot required, either.

Update (27-Nov-15): If, for some reason, you want to reverse this change and return to OS X’s default behaviour, here’s the command to run:

$ defaults -currentHost delete com.apple.ImageCapture disableHotPlug

Running SMART Notebook 11.4 on OS X Yosemite

Ironically, SMART is one of the dumbest, least likeable tech companies around, but unfortunately I’m responsible for quite a few of their interactive whiteboards.

So when they decided to force everyone to upgrade to their not-smart subscription-licensed “SMART Notebook 14” by leaving the previous version broken on OS X Yosemite, I was in a bit of a pickle.

Thankfully, a bit of determination (a.k.a. trawling through crash reports and Google results for “yosemite ruby 1.8 HALP PLZ”) was all it took to figure out that getting Notebook 11.4 working on Yosemite is as easy as copying Ruby 1.8 from a Mavericks machine over to Yosemite.

It’s in /System/Library/Frameworks/Ruby.framework/Versions/. I just tar’d the 1.8 folder up and copied it over.

You’re welcome.

PHP with FreeTDS on macOS Sierra

Need your macOS-hosted PHP code to talk to Microsoft SQL Server? Here’s the guide I couldn’t find when I needed it.

Or you could just download my macOS-ready mssql.so (compiled for PHP 5.6.30 on macOS Sierra 10.12.6) and skip to the end. (18 Aug 2017)

Previous versions are available below.

Prerequisites

Build and install autoconf

If you’re a Homebrew user, brew install autoconf is easier than the following.

$ tar zxf autoconf-latest.tar.gz 
$ cd autoconf-2.69
$ ./configure 
$ make
$ sudo make install

Build and install FreeTDS

FreeTDS is on Homebrew too: brew install freetds

Alternatively:

$ tar zxf freetds-patched.tar.gz
$ cd freetds-1.00.54
$ ./configure 
$ make
$ sudo make install

Build and install mssql.so

Don’t worry, unlike some of the Internets will tell you, there’s no need to rebuild PHP itself. Nor do you need to write an essay after ./configure.

Update (18 Aug 2017): phpize doesn’t seem to work out of the box anymore. If it can’t find the files it needs (you’ll see grep errors), try adding a symbolic link like this:

$ sudo ln -s /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk/usr/include/php/ /usr/include/php

System Integrity Protection will need to be disabled first.

Here goes:

$ tar zxf php-5.6.30.tar.gz
$ cd php-5.6.30/ext/mssql
$ phpize
$ ./configure --with-php-config=/usr/bin/php-config --with-mssql=/usr/local/
$ make
$ sudo cp modules/mssql.so /usr/lib/php/extensions/no-debug-non-zts-20131226/

If you have trouble with the final step, System Integrity Protection is probably enabled. Disable it temporarily, then re-enable it once the file is in place.

Finally, add this line to your php.ini (probably in /etc/php.ini):

extension=mssql.so

And restart Apache if necessary.

Done!

Previous versions

If you’re running an old version of macOS, you might find one of these binaries helpful:

  • mssql.so compiled for PHP 5.4.17 on OS X Mavericks 10.9 can be downloaded here. (17 Nov 2013)
  • mssql.so compiled for PHP 5.4.24 on OS X Mavericks 10.9.4 can be downloaded here. (6 Jul 2014)
  • mssql.so compiled for PHP 5.5.14 on OS X Yosemite 10.10.1 can be downloaded here. (22 Dec 2014)
  • mssql.so compiled for PHP 5.5.27 on OS X Yosemite 10.10.5 can be downloaded here. (16 Sep 2015)

Hacking Profile Manager on Mavericks

Dear Fellow OS X Server Geeks,

Just a heads up that I have updated my earlier posts about gaining access to Apple’s Profile Manager PostgreSQL database. The commands therein now work on Mavericks.

If you’ve upgraded from OS X Server 2.0 on Mountain Lion, you’ll have to open up remote access from scratch. Data is retained (flawlessly in my case), but the PostgreSQL instance has been moved and a new database (with a new name) created beside the old one.

Virtual hugs,

Me

Mail.app on Mavericks: now plays nice with Exchange

If you use Mail.app on OS X Mavericks, there’s a good chance you already know this, but if not: Apple have just updated it.

Much has been made of Gmail not working under Mail.app on Mavericks, but for those of us who use it with Exchange, it’s been a similar story (with less rage). I’m happy to report that the latency/timeout/crash problems I was experiencing with Mail.app and Exchange 2010 appear to be resolved with this update.

And there was much rejoicing!

Creating OS X Mavericks install media

It’s been a big morning for Apple punters: OS X Mavericks, new iPads, iOS 7.0.3 and a bunch of new apps.

The only downside (aside from the “later in November” ETA on the Retina iPad Mini) is the downloading involved. Mavericks is ~5.5GB, and with 4 machines to upgrade [just in my house – there are a bunch more at work], downloading through the App Store each time would be painful.

As usual, Apple haven’t made it TOO easy to download-once-install-many (you can’t just restore a DMG onto an install partition anymore), but at least there’s an install media console utility built into the Install OS X Mavericks app.

Here’s how you use it:

  1. Use the App Store to download Mavericks. It’s pretty hard to miss at the moment; go to the Updates tab if it’s not immediately obvious.
  2. After downloading, cancel the installation process that will automatically start. (I just used Cmd-Q to quit the installer, but I think there’s a proper Cancel button too.)
  3. Prepare your install media. I partitioned off 8GB on a USB hard drive. A USB stick might be your weapon of choice (8GB minimum, unless 6GB sticks exist). For the command below to work without alteration, you’ll need an empty Mac OS Extended (Journaled) partition called “Untitled”. Disk Utility makes light work of this.
  4. Open a terminal and run the command below. When it asks for a password, give your OS X user account password.
  5. Press and hold the Option key while rebooting. Select your new install media and proceed.

sudo /Applications/Install\ OS\ X\ Mavericks.app/Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ Mavericks.app --nointeraction

Squid authentication via OS X Profile Manager and Active Directory

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

My last post was about getting access to OS X Server’s Profile Manager database; this post is about doing something useful with it.

Hypothesis: given live access to data from Profile Manager and Active Directory, it should be easy to write a Squid external_acl_type helper that maps incoming IP addresses to usernames. An optional check for group membership? Trivial. Amirite?!

I was half-right. The lookups weren’t hard, but getting the helper to terminate when Squid wanted it to, and to NOT terminate prematurely, required a little trial-and-error. Turns out Squid keeps its helpers alive by sending them empty lines, so terminating on empty input isn’t such a good idea.

Anyway, here’s the code that has our iPad fleet “authenticating” with our Squid proxy server transparently. It’s been tested on Linux (Ubuntu 12.04 LTS) and OS X. Yes, Python would have been better than PHP, but I’m more fluent in PHP, and the PHP CLI interpreter is efficient enough for this purpose.

Update 23-Dec-2014: this script is now hosted on GitHub.

To use it in squid.conf (assuming you’ve pulled it down to /opt/git/extensions/squid/external_auth.php):

external_acl_type external_auth ttl=300 negative_ttl=5 children-startup=10 children-max=40 children-idle=10 ipv4 %SRC %MYPORT /opt/git/extensions/squid/external_auth.php

acl Apple_Devices external external_auth
acl Staff_Apple_Devices external external_auth staff
acl No_Filter_Devices external external_auth no_filter
acl No_Access_Devices external external_auth no_access

The “staff”, “no_filter” and “no_access” values map to $SQUID_LDAP_GROUP_DN in the configuration file – customise as needed (many groups may be defined).

Finally, use your new acls in some access rules, e.g.:

http_access allow localnet Staff_Only_Websites Staff_Apple_Devices
http_access deny localnet Staff_Only_Websites Apple_Devices
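
The helper loop described above, as an added Python sketch (not the author's PHP script): it answers `%SRC %MYPORT [group]` lines, skips blank lines without exiting, fails closed on anything unexpected, and stops only at end of input. The lookup tables are constructed stand-ins for the Profile Manager and Active Directory queries, and treating a blank line as needing no reply is an assumption.

```python
import ipaddress
import re
import sys

# Constructed stand-ins for the live lookups the post describes
# (Profile Manager: device IP -> user; Active Directory: user -> groups).
DEVICE_OWNER = {"192.168.10.21": "asmith", "192.168.10.22": "bjones"}
USER_GROUPS = {"asmith": {"staff"}, "bjones": {"no_filter"}}

SAFE_USER = re.compile(r"[A-Za-z0-9._-]+")


def answer(line):
    """Return 'OK user=...' or 'ERR' for one request line, or None for a blank line."""
    fields = line.split()
    if not fields:
        return None  # assumed keep-alive: no reply and, crucially, no exit
    if len(fields) < 2:
        return "ERR"  # fail closed on anything that is not "%SRC %MYPORT [group]"
    try:
        src = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    user = DEVICE_OWNER.get(src)
    if user is None or not SAFE_USER.fullmatch(user):
        return "ERR"  # unknown device, or a name that could corrupt the reply line
    group = fields[2] if len(fields) > 2 else None
    if group is not None and group not in USER_GROUPS.get(user, set()):
        return "ERR"
    return "OK user=" + user


def serve(requests, replies):
    """Answer requests until EOF; the input pipe closing is the only stop signal."""
    handled = 0
    for line in requests:  # iteration ends only at EOF, never on an empty line
        reply = answer(line)
        if reply is None:
            continue
        replies.write(reply + "\n")
        replies.flush()  # the caller waits on each answer, so never leave it buffered
        handled += 1
    return handled


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```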

Questions? Errata? Do comment.

Under the hood: OS X Server’s Profile Manager

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

Let’s say you’re running the MDM software Apple ship with OS X Server, Profile Manager. (You’ve chosen this because you don’t really need the fancy features of Casper and friends.)

Let’s say you’re also running other services that would benefit from live access to Profile Manager’s device metadata, e.g. a Squid proxy that implements MAC-based iOS authentication (because proper proxy authentication has been broken on iOS since forever). “An external_acl_type that could check enrolled device MAC addresses would be super-awesome!” you say to yourself.

Where to start?

Turns out, Profile Manager data lives in an embedded PostgreSQL database, and opening it up for remote access is relatively straightforward.

First, you’ll need to modify /Library/Server/ProfileManager/Config/PostgreSQL_config.plist (note: this path has changed in Server 3.0) to enable access over TCP/IP (by default, postgres only listens on a UNIX socket). Edit the existing listen_addresses= entry, and add the last two lines:

<string>-c</string>
<string>listen_addresses=OSX_SERVER_LAN_IP</string>
<string>-c</string>
<string>port=5432</string>

Note: Server 3.0 creates multiple instances of PostgreSQL, one for each service that depends on it, all on different UNIX sockets. Just in case another instance opens PostgreSQL for TCP connections on localhost, I recommend binding the Profile Manager instance to a LAN-facing IP. Alternatively, you could use a non-standard port.

Then tell postgres that any host on your network is allowed to connect with an encrypted password, by adding a line like this to /Library/Server/ProfileManager/Data/PostgreSQL/pg_hba.conf (note: changed in Server 3.0):

host all all 192.168.0.0/16 md5

Almost done! Now you just need to set up a postgres user to connect as. Start by opening a psql session:

sudo -u _devicemgr psql -h /Library/Server/ProfileManager/Config/var/PostgreSQL devicemgr_v2m0

(This entire command has changed in Server 3.0; note particularly the new database name.)

Then you’ll probably want to run a couple of commands like:

CREATE USER squid WITH PASSWORD 'XXXX';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO squid;

If you want to create a more privileged user:

CREATE USER dbadmin WITH PASSWORD 'XXXX';
GRANT ALL ON ALL TABLES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dbadmin;

Reboot the server and test with pgAdmin or some other PostgreSQL admin tool.

Oh, and don’t blame me if you break your Profile Manager, or Open Directory, or your entire OS X Server.
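
A quick way to see how wide the pg_hba.conf rule above is, as an added Python example (not part of the original post): it flags host rules that use `all` for the database or user, or that cover a network larger than a chosen size. The second sample rule, its 192.168.0.10 address and the 256-address threshold are assumptions for illustration; only CIDR-form addresses are handled.

```python
import ipaddress


def audit_hba(text, max_hosts=256):
    """Return (line_no, rule, findings) for each host rule broader than needed."""
    report = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].split()
        if len(rule) < 5 or not rule[0].startswith("host"):
            continue  # skip comments, blanks and local (UNIX socket) rules
        _, database, user, address, method = rule[:5]
        findings = []
        if database == "all":
            findings.append("database is 'all'")
        if user == "all":
            findings.append("user is 'all'")
        try:
            net = ipaddress.ip_network(address, strict=False)
            if net.num_addresses > max_hosts:
                findings.append("%s covers %d addresses" % (net, net.num_addresses))
        except ValueError:
            findings.append("address %r is not in CIDR form" % address)
        if method == "trust":
            findings.append("'trust' skips password checks")
        if findings:
            report.append((no, " ".join(rule), findings))
    return report


# Constructed sample: the post's rule, then a narrower one scoped to the
# Profile Manager database and the read-only squid user created above.
# 192.168.0.10 is a placeholder for the proxy host's address.
SAMPLE = """\
host all all 192.168.0.0/16 md5
host devicemgr_v2m0 squid 192.168.0.10/32 md5
"""

if __name__ == "__main__":
    for no, rule, findings in audit_hba(SAMPLE):
        print("line %d: %s -> %s" % (no, rule, "; ".join(findings)))
```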