Apple 10.3 Life Jacket User Manual

Chapter 2 Inside Mac OS X Server 31
Using Other Directories
Open Directory lets you take advantage of information you have already set up in non-Apple directories and in flat files:
• On other LDAPv3 servers
• On Active Directory servers
• In Berkeley Software Distribution (BSD) configuration files
• In Sun Microsystems Network Information System (NIS) files
Mac OS X Server provides full read/write and Secure Sockets Layer (SSL)
communications support for LDAPv3 directories.
Search Policies
Before a user can log in to or connect with a Mac OS X client or server, he or she must
enter a name and password associated with a user account that the computer can find.
A Mac OS X computer can find user accounts that reside in a directory listed in the
computer’s search policy. A search policy is simply a list of directories the computer
searches when it needs configuration data.
You can configure the search policy of Mac OS X computers on the computers
themselves, using the Directory Access application. You can automate Mac OS X client
directory setup by using Mac OS X Server’s built-in DHCP Option 95 support, which lets
a DHCP server send out information about the server from which a Mac OS X computer
should obtain directory data at the same time it provides an IP address to the
computer.
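The DHCP Option 95 mechanism described above hands a client the address of its directory server inside an ordinary DHCP reply. The following added example (not code from the Apple manual or from Mac OS X Server) shows what that looks like on the wire: it walks the type-length-value options area of a DHCP reply, pulls out option 95, and checks the LDAP URL it carries against a site allowlist before a client would treat that server as a source of configuration data. It assumes the option body is an LDAP URL string, which is how the Mac OS X Server DHCP service populates option 95; the packet bytes, the host names and the allowlist (`ALLOWED_DIRECTORY_HOSTS`) are constructed for the example.

```python
"""Decode DHCP option 95 (LDAP server URL) and vet the server it names.

Added example, not code from the Apple manual or Mac OS X Server. It assumes
the option body is an LDAP URL string and that the site keeps an allowlist of
approved directory hosts (ALLOWED_DIRECTORY_HOSTS, constructed here). The
packet bytes below are constructed as well.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

OPTION_PAD = 0
OPTION_MESSAGE_TYPE = 53
OPTION_LDAP = 95      # DHCP option carrying the LDAP server URL
OPTION_END = 255

# Constructed allowlist: the only directory servers clients may be pointed at.
ALLOWED_DIRECTORY_HOSTS = {"od.example.com"}

# Constructed DHCPACK options area: message type 5 (ACK), one pad byte,
# option 95 with an LDAP URL, then the end marker.
SAMPLE_URL = "ldap://od.example.com/dc=example,dc=com"
SAMPLE_OPTIONS = (
    bytes([OPTION_MESSAGE_TYPE, 1, 5])
    + bytes([OPTION_PAD])
    + bytes([OPTION_LDAP, len(SAMPLE_URL)]) + SAMPLE_URL.encode("ascii")
    + bytes([OPTION_END])
)


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Walk the type-length-value options area and return {code: value}.

    Repeated codes are concatenated, which is how long options are split
    across several instances (RFC 3396).
    """
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ldap_url_from_options(options: Dict[int, bytes]) -> Optional[str]:
    """Return the option 95 payload as text, or None if the server sent none."""
    raw = options.get(OPTION_LDAP)
    if raw is None:
        return None
    return raw.decode("ascii")


def vet_directory_source(url: str, allowed_hosts=ALLOWED_DIRECTORY_HOSTS) -> Tuple[str, str]:
    """Decide whether a DHCP-supplied directory URL should be used.

    Returns ("accept", host) or ("reject", reason). DHCP replies are not
    authenticated, so this client-side check is what limits which server a
    client will read configuration data from.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps"):
        return ("reject", f"unexpected scheme {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        return ("reject", "no host in URL")
    if host not in allowed_hosts:
        return ("reject", f"host {host!r} not in allowlist")
    return ("accept", host)


if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    url = ldap_url_from_options(opts)
    print("option 95:", url)
    print("decision:", vet_directory_source(url))
```

The allowlist step is the part a practitioner should take from this: the convenience of automated directory setup comes from trusting whatever the DHCP reply names, so the accepted servers should be pinned by policy rather than taken from the network alone.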
Authentication
You have several options for authenticating users:
• Open Directory authentication. Based on the standard Simple Authentication and Security Layer (SASL) protocol, Open Directory authentication supports many authentication methods, including CRAM-MD5, APOP, WebDAV, NT/LAN Manager 2, and SHA-1. It is the preferred way to authenticate Windows users.
  Open Directory authentication lets you set up password policies for individual users or for all users whose records are stored in a particular directory, with exceptions if required. Open Directory authentication also lets you specify password policies for individual directory replicas.
  For example, you can specify a minimum password length or require a user to change the password the next time he or she logs in. You can also disable login for inactive accounts or after a specified number of failed login attempts.
• Kerberos v5 authentication. Using Kerberos authentication offers the opportunity to integrate into existing Kerberos environments. You can also set up a Key Distribution Center (KDC) on Mac OS X Server, which offers support for password policies you set up on the server. Using Kerberos also provides a feature known as single signon, described in the next section.
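To make the Open Directory authentication items above concrete, here is an added example (not code from the Apple manual or from Open Directory) of one of the listed SASL methods, CRAM-MD5, carried out with both sides' messages, together with the "disable after a specified number of failed login attempts" policy applied on the server side. It assumes a server that keeps each user's password in a form it can feed to HMAC-MD5, since CRAM-MD5 cannot be verified from a one-way hash; the account `alice`, the host name and the policy value `MAX_FAILED` are constructed for the example.

```python
"""CRAM-MD5 challenge/response exchange with a failed-login lockout.

Added example, not code from the Apple manual or Open Directory. It assumes
a server that keeps each user's password in a form it can feed to HMAC-MD5
(CRAM-MD5 cannot be verified from a one-way hash), and a constructed policy
of disabling an account after MAX_FAILED bad attempts.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict

MAX_FAILED = 3  # constructed policy value: disable the account after this many failures


def make_challenge(host: str = "od.example.com") -> str:
    """Server side: a fresh nonce in the RFC 2195 '<random.timestamp@host>' form."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 of the challenge keyed with the password, hex encoded.

    The password itself never crosses the wire; only the keyed digest does.
    """
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


class PasswordServer:
    """Minimal verifier holding per-user secrets and failed-attempt counters."""

    def __init__(self, passwords: Dict[str, str]):
        # username -> password in a recoverable form, which CRAM-MD5 requires
        self._passwords = dict(passwords)
        self._failures = {user: 0 for user in passwords}
        self._disabled = set()

    def is_disabled(self, username: str) -> bool:
        return username in self._disabled

    def verify(self, challenge: str, response: str) -> bool:
        """Check a client response against the challenge this server issued."""
        username, _, digest = response.partition(" ")
        stored = self._passwords.get(username)
        if stored is None or username in self._disabled:
            return False
        expected = hmac.new(stored.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
        if hmac.compare_digest(expected, digest):
            self._failures[username] = 0
            return True
        # Wrong password: count it and apply the lockout policy.
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILED:
            self._disabled.add(username)
        return False


if __name__ == "__main__":
    server = PasswordServer({"alice": "correct horse"})  # constructed sample account
    challenge = make_challenge()
    print("S:", challenge)
    reply = client_response("alice", "correct horse", challenge)
    print("C:", reply)
    print("accepted:", server.verify(challenge, reply))
```

Two points follow from the code. First, the server needs the password in a usable form to recompute the HMAC, which is why challenge-response methods of this kind require a protected password store on the server rather than a hash in the user record. Second, the lockout counter lives with the verifier, so the "failed attempts" policy is enforced wherever the password is checked, not by the client.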
LL2343.Book Page 31 Thursday, August 14, 2003 5:12 PM