Radmind Macintosh Lab Administrator Documentation


RadMacLab is short for Radmind Macintosh Administrator, or Radmind Mac Address Lab Administrator, or some version of that. I haven't really put a whole lot of thought into the name, so take it however you like it. It was developed to give Radmind the ability to identify machines via their mac addresses, to set machine IP information, and to name machines individually. This was all functionality that existed with Assimilator, and functionality that many lab administrators want back.

There are two components to the system. The server component, which uses PHP and mysql running on Apache, and the client component which consists of two shell scripts, both of which are written in PHP, but could easily be written in another shell scripting language such as perl, tcsh, sh, etc...

This system requires that you have created your SSL certificates for Radmind by yourself. It does NOT automate or assist in creating SSL certificates. It DOES require that you run radmind with "-w 2", authenticating both client and server. If you need more documentation on this, please consult the TLS cookbook in the radmind documentation section. For the purposes of this documentation, it is assumed you have created your certificates and have them working prior to using this system.

Setting Up The Server - Overview

The "server" is really just a collection of php files, which should have been included in the package you downloaded. There are two components to the server files. There is the "admin" section and the "requests" section. The admin section consists of all the files necessary for administering the database of machine information, which should generally only be accessed by administrators. The "requests" section are the files that each client computer needs to have access to.

In this distribution, the "requests" section is located inside the "admin" section, but is does not have to be that way. I have implemented a very simple authentication method that should prevent unauthorized users from getting access to the administration section, but it is not foolproof or secure. Use it at your own risk. It is my suggestion that you use a htaccess setup in your admin section (and NOT the requests) section to give a little better security.

Simple Admin Page Authentication

My method for securing the administration section from prying eyes is to use a simple username/password checking system that is hard coded right into the index.php page. If the user enters the correct username/password, a SESSION variable in PHP is set, which all subsequent pages will look for before displaying any info. If any subsequent pages are accessed without having the session variable set, they will say something along the lines of "Not Authorized". To remove this authentication, remove the line include ('includes/auth_check.php'); from every php page. The intial username and password I have hard coded in are "admin" and "radmin".

Place your files in the correct place, as discussed above. On a Mac OS X machine, this will generally be in /Library/WebServer/Documents somewhere. The files should not need to have their permissions set as long as your www user can read them.

Establish your mysql database. I've included a file in this distribution called radmaclab.sql which is a sql dump that should set up the correct tables for your database. I suggest you use phpMyAdmin to handle your mysql editing needs. Create a user and password for this table if you want to and make a note of it.

You'll need to edit the file includes/func_vars_inc.php to reflect the database name, username and password you just created. It should be pretty self explanatory.

Setting Up the Client Scripts

There are six client scripts and their usage is detailed below.


This script should be run before radmind runs on a client machine. It figures out the mac address of the client machine, and gets the certificate from the RadMacLab server by using the mac address as a query string argument. It will save the cert to the proper place for radmind. You will need to edit the $radhost line to reflect the requests/ folder on your RadMacLab server.


This script should be run after radmind has completed. This script downloads the certificate again by calling get_cert.php.sh, and additionally will set the network info and machine name. You will need to edit the $radhost variable in this file as well. If you have installed ncutil to an alternative location on your client machines, you will want to change the path for that in this script as well.


This script is used by the applescript that sets the default printer. You can also use it for debug purposes to check what radmaclab wants for the default printer on a computer.


This is an uncompiled applescript that should be run after set_printers.php.sh to set the default printer for the computer. You will probably need to compile this script with script editor on your mac to make it work correctly. You will also need to call it /usr/bin/osascript from the command line. I use the following lines in my loginHook to set the printer every time. /usr/local/bin/php /Library/Management/set_printers.php.sh /usr/bin/osascript /Library/Management/printer.osa Note that I do not call this script (printer.osa) after I have set the printer on a radmind cleanup because if you do a major update, sometimes things can be rather funky when running lots of new stuff.


This script combines running radmind and the after_radmind script, as I use in my labs. It has only basic error checking, seeing if it can connect to the radmind server with ktcheck. If not, it will attempt to display an error message and wait for some user to restart the machine. I normally run the get_cert script first, outside of iHook, then run run_radmind.php.sh as the --script argument on launching iHook. I'm going to assume that most people using this setup will be familiar with iHook and radmind and should be able to figure it out. This script also repairs the disk permissions and adds the flag for my login script to run.


This script is a modified version of the one distributed by Mike Bombich, maker of carbon copy cloner. Unlike the other scripts, it uses sh as it's scripting language, not php. It does several things. First, it checks for the flag to see if it should replace the student user's home directory. It does this if necessary. Then it runs another script (not included here) to fix the byhost entries in the logging in users's perferences if necessary. After that, it sets the printers using set_printers.php.sh. After that, it runs the printer.osa script which is the compiled version of printer_source.osa. The final step is to launch keyaccess, which it does by calling /etc/ktcl.

Entering info in RadMacLab

There are three main sections in RadMacLab: Machines, Network, and Builds. I'll describe them in the order you should probably add information to them.


This is where your certificates are stored. The fields should be fairly self-explanatory. The Build name field is the name that RadMacLab uses to identify to administrators the name of the build. For general purposes, it should be the same as the CN of the SSL certificate you've created for that particular build. The comments field is for whatever comment information you may want to store. The certificate field is for the actual SSL certificate that you've created. I just opened mine in BBEdit and copy and pasted the into the text field, which does not seem to mess them up.


Because we don't want to mess with setting all the necessary things for network every time a machine is added, this section was established. One setting should be established for each subnet. For instance, 192.168.1.X and 192.168.2.X would have a different setting. If you only use DHCP on your network, you can safely ignore this section. You will set the final octet of the IP address for each machine in the machine section. Each setting here corresponds directly to the settings in the network pane of the system preferences on a client computer.


This is the real meat of the admin utility. The MAC address is the mac address of the computer. It should be in lower case and contain no colons or spaces. The network mode should be manual or DHCP, depending on how you want your machines to operate. If you have set them to operate in Manual mode, you must select the first part of the IP from the drop-down menu, and complete the final octet. Machine name is what the machine will be named, both the appletalk name and the host name. The room number and location descriptions are simply physical description fields for your reference so you can find the machine in the future. The initial build is what build/certificate the machine should get the FIRST time radmind runs, and the "after initial build" is what the machine should get from the second time radmind runs and onward. This is done in case you have computers that you may want to run the apple user setup wizard the first time, and then after that not manage the users folder. You would need to set up a separate command file and such in your radmind setup to arrange this. You also select what printers and what default printer get used in this section.


This is where you set up and configure your printers. The client end of things uses the lpadmin tool to add printers, and gets the arguments for the tool from this area. The command line tool that is used to set the printers is lpadmin, and to edit this, you basically need to do the lpadmin commands by hand here. You enter everything EXCEPT lpadmin and the name of the printer, which helps to prevent security problems. It's important to note that the name of your pinter should be without spaces or other illegal characters, because the final command that gets executed on the client will use that as part of the arguments. The portion of the lpadmin command you'd enter in radmaclab might look like this:

-E -v "pap://Service%20Bureau/SB_BlackWhite_A_Queue/LaserWriter" -P "/Library/Printers/PPDs/Contents/Resources/en.lproj/HP LaserJet 5100 Series.gz"

This command is for appletalk, as demonstrated by the pap:// in the URI. The -E option specifies that encryption should be forced. The basic syntax for a clomplete lpadmin command is this:

lpadmin -p Printer_name_here -E -v "uri://of.device.here/prinername/whatever/" -P "/Path/to/PPD/On/client.ppd"

I suggest highly that you test this out on a client machine beforehand, as I've found lpadmin can be kind of picky about printer names even if they appear valid. If you need any more help, see the man pages for lpadmin, they're quite good.


You'll want to make sure that you have ncutil and php installed on each client computer, and that they are part of your standard radmind image. You won't need php if you choose to make some other client scripts, but the scripts I've written require this.

You can find ncutil here: http://deaddog.duch.udel.edu/~frey/darwin/ncutil/
OSX PHP CLI: http://www.somebodydial911.com/geek/cli/

OS X 10.3 includes a command line binary of php already enabled, and should work just fine for your uses. I have not fully tested it yet, however.

Further Help

If you need more help, find some bugs, or need anything else, please do not hesitate to email me! I will help you as much as I can. Contact me at: justin_heideman@mcad.edu.

Copyright 2003 Justin Heideman & the Minneapolis College of Art & Design. Radmind is a product of the Research Systems Unix Group at the University of Michigan. This software distribution is in no way endorsed by the RSUG or the University of Michigan. Don't ask them for support.

SourceForge.net Logo