Mac OS X Server Open Directory Administration Version 10.
Apple Inc. © 2009 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to make sure that the information in this manual is correct. Apple Inc.
Contents

Preface: About This Guide
  What’s in This Guide
  Using Onscreen Help
  Documentation Map
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1: Directory Services with Open Directory
  Benefits of Using Directory Services
  Directory Services and Directory Domains
  A Historical Perspective
  Data Conso

Chapter 2: Open Directory Search Policies
  Custom Search Policies
  Search Policies for Authentication and Contacts

Chapter 3: Open Directory Authentication
  About Password Types
  Authentication and Authorization
  About Open Directory Passwords
  About Shadow Passwords
  About Crypt Passwords
  Providing Secure Authentication for Windows Users
  Offline Attacks on Passwords
  Determining Which Authentication Option to Use
  About Passwor

Chapter 4: Open Directory Planning and Management Tools
  Open Directory Master and Replica Compatibility
  Mixing Active Directory and Open Directory Master and Replica Services
  Integrating with Existing Directory Domains
  Integrating with Cross-domain Authorization
  Integrating with a Magic Triangle
  Integrating with Augment Records
  Integrating Without Schema Changes
  Integrating With Schema Changes
  Avoiding Kerberos Conflicts with Multiple Directories
  Improving Performance and Redundancy
  Open Directory Security Serv

Chapter 5: Setting Up Open Directory Services
  Joining a Server to a Kerberos Realm
  Magic Triangle General Setup Overview

Chapter 6: Managing User Authentication Using Workgroup Manager
  Composing a Password
  Changing a User’s Password
  Resetting the Passwords of Multiple Users
  Changing a User’s Password Type
  Changing the Password Type to Open Directory
  Changing the Password Type to Crypt Password
  Changing the Password Type to Shadow Password
  Enabling Single Sign-On Kerberos

  Protecting Computers from a Malicious DHCP Server
  Using Advanced Directory Services Settings
  Enabling or Disabling Active Directory Service
  Enabling or Disabling LDAP Directory Services
  Using Advanced LDAP Service Settings
  Accessing LDAP Directories in Mail and Address Book
  Showing or Hiding Configurations for LDAP Servers
  Configuring Ac
  Specifying NIS Settings
  Specifying BSD Configuration File Settings
  Setting Up Data in BSD Configuration Files

Chapter 9: Maintaining Open Directory Services
  Controlling Access to Open Directory Servers and Services
  Controlling Access to a Server’s Login Window
  Controlling Access to SSH Service
  Configuring Open Directory Service Access
  Using kadmin to Kerberize a Service
  Kerberizing Services with an Active Directory Server
  Using Directory Service Tools
  Operating on Directory Service Domains
  Manipulating a Single Named Group Record
  Adding or Removing LDAP Server Configurations
  Configuring the Active Directory Connector

Chapter 10: Solving Open Directory Problems
  Solving Open Directory Master and Replica Problems
  If

  Mappings for Computers
  Mappings for ComputerLists
  Mappings for Config
  Mappings for People
  Mappings for PresetComputerLists
  Mappings for PresetGroups
  Mappings for PresetUsers
  Mappings for Printers
  Mappings for AutoServerSetup
  Mappings for Locations
  Standard Open Directory Record Types and Attributes
  Standard Attributes in User Records
  Format of MailAttribute in User Records
  Standard Attributes in Group Records
  Standard Attributes in Computer Records
Preface: About This Guide

This guide describes the directory and authentication services you can set up using Mac OS X Server. It also explains how to configure Mac OS X Server and Mac OS X client computers for directory services. Mac OS X Server’s Open Directory provides directory and authentication services for mixed networks of Mac OS X, Windows, and UNIX computers.
For services that don’t accept Kerberos authentication, the integrated Secure Authentication and Service Layer (SASL) service negotiates the strongest possible authentication mechanism. In addition, directory and authentication replication maximizes availability and scalability. By creating replicas of Open Directory servers, you can easily maintain failover servers and remote servers for fast client interaction on distributed networks.
• Chapter 9, “Maintaining Open Directory Services,” tells you how to monitor Open Directory services, view and edit directory data with the Inspector, archive an Open Directory master, and perform other directory maintenance.
• Chapter 10, “Solving Open Directory Problems,” describes common problems and provides information on what to do if you encounter problems while working with Open Directory.
Documentation Map

Mac OS X Server has a suite of guides that cover management of individual services. Each service may depend on other services for maximum utility. The documentation map below shows some related guides that you may need in order to fully configure Open Directory services to your specifications. You can get these guides in PDF format from the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the guide. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
Getting Additional Information

For more information, consult these resources:
• Read Me documents—get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx/)—enter the gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver/)—access hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.
Chapter 1: Directory Services with Open Directory

Use this chapter to learn about directory domains, how they are used, and how they are organized.

Benefits of Using Directory Services

A directory service provides a central repository for information about computer users and resources in an organization. Storing administrative data in a central repository has many benefits:
• It reduces data entry effort.
• It certifies that network services and clients have consistent information about users and resources.
With centralized directory service and file service set up to host network home folders, wherever a user logs in, the user gets the same home folder, personal desktop, and individual preferences. The user always has access to personal networked files and can easily locate and use authorized network resources.
Other application and system software processes can also use the user account information stored in directory domains. When someone attempts to log in to a Mac OS X computer, the login process uses Open Directory services to validate the user name and password:

[Illustration: login validation through Open Directory; labels: Directory domain, Workgroup Manager, Open Directory]

A Historical Perspective

Like Mac OS X, Open Directory has a UNIX heritage.
If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.equiv, master.passwd, and so forth. For example, a UNIX process that needs a user’s password consults the /etc/master.passwd file. The /etc/master.passwd file contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.
However, a directory domain stores much more data to support functions that are unique to Mac OS X, such as support for managing Mac OS X client computers.

Data Distribution

A characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer they are stored on. Each computer has its own UNIX configuration files.
Uses of Directory Data

Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if application and system software processes running on network computers access the information.
• Managed network views: The administrator can set up custom views that users see when they select the Network icon in the sidebar of a Finder window. Because these managed network views are stored in a directory domain, they’re available when a user logs in.
For an object class, a directory domain can contain multiple entries, and each entry can contain multiple attributes. Some attributes have a single value, while others have multiple values. For example, the inetOrgPerson object class defines entries that contain user attributes. The inetOrgPerson class is a standard LDAP class defined by RFC 2798. Other standard LDAP object classes and attributes are defined by RFC 2307. Open Directory’s default object classes and attributes are based on these RFCs.
About the Structure of LDAP Entries

In an LDAP directory, entries are arranged in a hierarchical treelike structure. In some LDAP directories, this structure is based on geographic and organizational boundaries. More commonly, the structure is based on Internet domain names.
Local and Shared Directory Domains

Where you store your server’s user information and other administrative data is determined by whether the data must be shared. This information can be stored in the server’s local directory domain or in a shared directory domain.

About the Local Directory Domain

Every Mac OS X computer has a local directory domain. A local directory domain’s administrative data is visible only to applications and system software running on the computer where the domain resides.
About Shared Directory Domains

Although Open Directory on any Mac OS X computer can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac OS X computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, administrative data in the shared domain is also visible to applications and system software running on that computer.
Shared Data in Existing Directory Domains

Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can search these non-Apple domains and shared Open Directory domains of Mac OS X Server systems, as shown in the illustration below.
The same user account that can be used for logging in from a Windows workstation can also be used for logging in from a Mac OS X computer. Therefore, someone who uses both platforms can have the same home folder, mail account, and print quotas on both platforms. Users can change their passwords while logging in to the Windows domain. User accounts are stored in the server’s LDAP directory with group, computer, and other information.
When setting up Mac OS X Server as a PDC, make sure your network doesn’t have another PDC with the same domain name. The network can have multiple Open Directory masters, but it can have only one PDC.

Open Directory as a Backup Domain Controller (BDC)

Setting a Mac OS X server as a backup domain controller (BDC) provides failover and backup for the PDC. The PDC and BDC share Windows client requests for domain login and other directory and authentication services.
Chapter 2: Open Directory Search Policies

Use this chapter to learn how to use search policies with domains and to understand automatic, custom, and local-only search policies. Each Mac OS X computer has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer’s local directory domain and a particular shared directory. The search policy also specifies the order in which Open Directory accesses directory domains.
The following illustration shows two computers on a network that only search their own local directory domain for administrative data.

[Illustration: Search Policy 1; an English class computer and a Science class computer, each with its own local directory domain]

Two-Level Search Policies

If one server on the network hosts a shared directory, all computers on the network can include the shared directory in their search policies.
Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class’s computer. All three of these local domains have the same shared domain, in which all instructors are defined. Instructors, as members of the shared domain, can log in to all class computers. The students in each local domain can log in to only the computer where their local account resides.
Here’s a scenario in which more than one shared directory might be used:

[Illustration: search policy order 1, 2, 3 across the Math directory domain, English directory domain, Science directory domain, and School directory domain]

Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer’s search policy specifies the computer’s local domain, the class’s shared domain, and the school’s shared domain.
A computer’s automatic search policy always begins with the computer’s local directory domain. If a Mac OS X computer is not connected to a network, the computer searches its local directory domain for user accounts and other administrative data. The automatic search policy then determines whether the computer is configured to connect to a shared local directory domain.
Important: If you configure Mac OS X to use an automatic authentication search policy and a DHCP-supplied LDAP server or a DHCP-supplied local directory domain, you increase the risk of an attacker gaining control of your computer. The risk is higher if your computer is configured to connect to a wireless network. For more information, see “Protecting Computers from a Malicious DHCP Server” on page 131.
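The distinction the guide draws between automatic, custom, and local-only search policies can be checked from Terminal. The script below is an added example, not code from Apple or from this guide: it parses the output of dscl localhost -read /Search and flags an automatic policy that has picked up a shared LDAP domain, which is the situation the Important note above warns about. The attribute names it relies on (SearchPolicy, NSPSearchPath, CSPSearchPath, LSPSearchPath) are an assumption of the example, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): classify a Mac OS X computer's search policy
# and list the shared domains it includes, from the output of
#   dscl localhost -read /Search
# Attribute names (SearchPolicy, NSPSearchPath, CSPSearchPath, LSPSearchPath) are an
# assumption of this example; the sample outputs below are constructed.

# Constructed sample: automatic policy that has picked up an LDAP domain.
SAMPLE_AUTOMATIC='AppleMetaNodeLocation: /Search
CSPSearchPath: /Local/Default /BSD/local
LSPSearchPath: /Local/Default /BSD/local
NSPSearchPath: /Local/Default /BSD/local /LDAPv3/ldap.example.com
SearchPolicy: dsAttrTypeStandard:NSPSearchPath'

# Constructed sample: custom policy naming an administrator-chosen domain.
SAMPLE_CUSTOM='AppleMetaNodeLocation: /Search
CSPSearchPath: /Local/Default /BSD/local /LDAPv3/od.example.com
LSPSearchPath: /Local/Default /BSD/local
NSPSearchPath: /Local/Default /BSD/local
SearchPolicy: dsAttrTypeStandard:CSPSearchPath'

# search_policy_kind "<dscl output>" -> automatic | custom | local-only | unknown
search_policy_kind() {
  policy=$(printf '%s\n' "$1" | sed -n 's/^SearchPolicy: *//p')
  case "$policy" in
    *NSPSearchPath) echo automatic ;;
    *CSPSearchPath) echo custom ;;
    *LSPSearchPath) echo local-only ;;
    *) echo unknown ;;
  esac
}

# shared_domains "<dscl output>" -> nodes in the active search path other than
# the local domain and BSD flat files, one per line (empty if none)
shared_domains() {
  printf '%s\n' "$1" | awk '
    /^SearchPolicy:/ { active = $2; sub(".*:", "", active) }
    { lines[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        n = split(lines[i], f, " ")
        if (f[1] == (active ":"))
          for (j = 2; j <= n; j++)
            if (f[j] !~ /^\/(Local|BSD)\//) print f[j]
      }
    }'
}

# search_policy_warning "<dscl output>" -> prints a verdict; returns 1 when an
# automatic policy includes shared domains (the risk the guide describes), else 0
search_policy_warning() {
  kind=$(search_policy_kind "$1")
  shared=$(shared_domains "$1" | tr '\n' ' ' | sed 's/ $//')
  if [ "$kind" = automatic ] && [ -n "$shared" ]; then
    echo "WARNING: automatic search policy includes shared domain(s): $shared"
    return 1
  fi
  echo "OK: $kind search policy (shared domains: ${shared:-none})"
}

# Run against the constructed samples; on a real computer, pass
# "$(dscl localhost -read /Search)" instead.
search_policy_warning "$SAMPLE_AUTOMATIC" || true
search_policy_warning "$SAMPLE_CUSTOM"
```

The check deliberately treats only the automatic policy as suspect: a custom policy that lists an LDAP domain was chosen by the administrator, whereas an automatic one may have received that domain from DHCP.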
Chapter 3: Open Directory Authentication

Use this chapter to learn how to use Open Directory authentication, shadow and crypt passwords, Kerberos, LDAP bind, and single sign-on. Open Directory offers several options for authenticating users whose accounts are stored in directory domains on Mac OS X Server, including Kerberos and the traditional authentication methods that network services require.
Authentication and Authorization

Services such as the login window and Apple Filing Protocol (AFP) service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization. Authentication proves a user’s identity, and authorization determines what the authenticated user is permitted to do.
User accounts in the following directory domains can have Open Directory passwords:
• The LDAP directory of Mac OS X Server
• The local directory domain of Mac OS X Server

Note: Open Directory passwords can’t be used to log in to Mac OS X v10.1 or earlier. Users who log in using the login window of Mac OS X v10.1 or earlier must be configured to use crypt passwords. The password type doesn’t matter for other services. For example, a user of Mac OS X v10.
Providing Secure Authentication for Windows Users

Mac OS X Server also offers the same types of secure passwords for Windows users:
• Open Directory passwords are required for domain login from a Windows workstation to a Mac OS X Server PDC and can be used to authenticate for Windows file service. This type of password can be validated using many authentication methods, including NTLMv2, NTLMv1, and LAN Manager. Open Directory passwords are stored in a secure database, not in user accounts.
Shadow passwords and Open Directory passwords are far less susceptible to offline attack because they are not stored in user records. Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user account (also known as the system administrator). Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database.
Password type: Open Directory
  Authentication authority: Open Directory Password Server and Kerberos (1)
  Attribute in user record: Either or both: ;ApplePasswordServer; and ;Kerberosv5;

Password type: Shadow password
  Authentication authority: Password file for each user, readable only by the root user account
  Attribute in user record: Either: ;ShadowHash; or ;ShadowHash;

Password type: Crypt password
  Authentication authority: Encoded password in user record
  Attribute in user record: Either: ;basic; or no attribute at all (2)

(2) User accounts from Mac OS X Server v10.
The password policy for a mobile user account applies when the account is used while disconnected from the network and while connected to the network. A mobile user account’s password policy is cached for use while offline. For more information about mobile user accounts, see User Management. Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will.
Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time, thereby easing authentication frequency. Mac OS X Server offers integrated Kerberos support that virtually anyone can deploy. In fact, Kerberos deployment is so automatic that users and administrators may not realize it’s deployed.
• You needed a suite of Kerberized applications (server and client software). Some of the basics were available but porting them and adapting them to work with your environment was difficult.
• Not all network protocols used for client-server authentication are Kerberos-enabled. Some network protocols still require traditional challenge-response authentication methods and there is no standard way to integrate Kerberos with these legacy network authentication methods.
Kerberos was designed to solve network security problems. It never transmits the user’s password across the network, nor does it save the password in the user’s computer memory or on disk. Therefore, even if the Kerberos credentials are cracked or compromised, the attacker does not learn the original password, so he or she can potentially compromise only a small portion of the network. In addition to superior password management, Kerberos is also mutually authenticated.
Multiplatform Authentication

Kerberos is available on every major platform, including Mac OS X, Windows, Linux, and other UNIX variants.

Centralized Authentication

Kerberos provides a central authentication authority for the network. All Kerberos-enabled services and clients use this central authority. Administrators can centrally audit and control authentication policies and operations.
To configure new and upgraded services to use Kerberos:
1. Open Server Admin and connect to the upgraded server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Kerberize Services, then enter the name and password of an LDAP directory administrator account.
Services that were already configured to use Kerberos are not affected.
About the Kerberos Authentication Process

There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to Kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service. The following illustration summarizes these activities.
Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client fails to achieve authentication with the KDC. The date, time, and time zone information must be correct on the KDC server and clients, and the server and clients should all use the same network time service to keep their clocks in sync. For more information about Kerberos, go to the MIT Kerberos website at web.mit.edu/kerberos/www/index.html.
Open Directory supports many authentication methods because each service that requires authentication uses some methods but not others. For example, AFP service uses one set of authentication methods, web services use another set of methods, mail service uses another set, and so on. Some authentication methods are more secure than others. The more secure methods use stronger algorithms to encode the information they transmit between client and server.
Disabling Open Directory Authentication Methods

To make Open Directory password storage on the server more secure, you can selectively disable authentication methods. For example, if no clients are going to use Windows services, you can disable the NTLMv1, NTLMv2, and LAN Manager authentication methods to prevent storing passwords on the server using these methods.
Disabling Shadow Password Authentication Methods

You can selectively disable authentication methods to make passwords stored in shadow password files more secure. For example, if a user doesn’t use mail service or web services, you can disable the WebDAV-Digest and APOP methods for the user. Then someone who gains access to the shadow password files on a server can’t recover the user’s password.
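As an added example that is not part of the guide, the script below applies two passages of this chapter from Terminal: the AuthenticationAuthority table under “About Password Types” (;ApplePasswordServer; or ;Kerberosv5; for Open Directory, ;ShadowHash; for shadow passwords, ;basic; or no attribute for crypt passwords), and the advice above about disabling methods a shadow-password user does not need. It classifies a user’s password type from the attribute value and, for shadow-password users, lists which hash methods are still kept on disk. The sample values are constructed, and the HASHLIST:<...> form of the ;ShadowHash; tag is an assumption of the example rather than something the guide states; on a live server the value would come from dscl . -read /Users/<name> AuthenticationAuthority.

```shell
#!/bin/sh
# Added example (not from the guide): classify a user's password type from the
# AuthenticationAuthority attribute, per the guide's table
#   ;ApplePasswordServer; or ;Kerberosv5;  -> Open Directory
#   ;ShadowHash;                           -> shadow password
#   ;basic; or no attribute                -> crypt password
# and report which hash methods a shadow-password user still keeps on disk.
# The HASHLIST:<...> syntax and the sample values are constructed assumptions.

# Constructed samples standing in for: dscl . -read /Users/<name> AuthenticationAuthority
AA_OD=';ApplePasswordServer;0x4a1b2c3d4e5f000100000000000000aa,1024 35 12345 od.example.com:3659;Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;1024 35 12345 od.example.com:3659'
AA_SHADOW=';ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,CRAM-MD5,RECOVERABLE>'
AA_SHADOW_MIN=';ShadowHash;HASHLIST:<SALTED-SHA1>'
AA_CRYPT=';basic;'
AA_NONE=''

# password_type "<value>" -> Open Directory | Shadow password | Crypt password | Unknown
password_type() {
  case "$1" in
    *';ApplePasswordServer;'*|*';Kerberosv5;'*) echo "Open Directory" ;;
    *';ShadowHash;'*) echo "Shadow password" ;;
    *';basic;'*|'') echo "Crypt password" ;;
    *) echo "Unknown" ;;
  esac
}

# shadow_hashes "<value>" -> comma-separated contents of HASHLIST:<...>, or empty
shadow_hashes() {
  printf '%s\n' "$1" | sed -n 's/.*;ShadowHash;HASHLIST:<\([^>]*\)>.*/\1/p'
}

# shadow_hash_review "<value>" -> "ok" (return 0) when only SALTED-SHA1 is kept;
# otherwise lists the additional hashes (CRAM-MD5, RECOVERABLE, SMB-NT, ...) that
# would be exposed if the shadow password file leaked, and returns 1.
shadow_hash_review() {
  [ "$(password_type "$1")" = "Shadow password" ] || { echo "not a shadow-password user"; return 1; }
  extra=$(shadow_hashes "$1" | tr ',' '\n' | grep -v '^SALTED-SHA1$' | tr '\n' ' ' | sed 's/ $//')
  if [ -n "$extra" ]; then
    echo "review: additional hashes stored: $extra"
    return 1
  fi
  echo "ok"
}

# Walk the constructed samples and show the classification of each.
for aa in "$AA_OD" "$AA_SHADOW" "$AA_SHADOW_MIN" "$AA_CRYPT" "$AA_NONE"; do
  printf '%-16s %s\n' "$(password_type "$aa")" "${aa:-(no attribute)}"
done
shadow_hash_review "$AA_SHADOW" || true
shadow_hash_review "$AA_SHADOW_MIN"
```

Running the review over every record in the local domain, rather than over the constructed samples, is the way to find shadow-password users who still carry mail or Windows hashes they no longer need.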
Contents of the Open Directory Password Server Database

Open Directory Password Server maintains an authentication database separate from the directory domain. Open Directory tightly restricts access to the authentication database. Open Directory Password Server stores the following information in its authentication database for each user account that has a password type of Open Directory:
• The user’s password ID, a 128-bit value assigned when the password is created.
Chapter 4: Open Directory Planning and Management Tools

Use this chapter to assess directory domain needs, estimate directory and authentication requirements, identify servers for hosting shared domains, improve performance and redundancy, deal with duplication in a multibuilding campus, and make Open Directory services secure. Keeping information in shared directory domains gives you more control over your network, gives more users access to the information, and makes it easier to maintain the information.
With this arrangement, each user has two accounts, one for logging in to a computer and one for accessing services of Mac OS X Server, as illustrated in the following figure.

[Figure: “Log in to Mac OS X” against the computer’s local directory domain; “Connect to Mac OS X Server for file service” against the server’s local directory domain]

When the user attempts to access the file service, the file server accesses the shared directory domain to verify the user account.
In many organizations, a single shared directory domain is adequate. It can handle hundreds of thousands of users and thousands of computers sharing the same resources, such as printer queues, share points for home directories, share points for applications, and share points for documents. Replicating the shared directory domain can increase the capacity or performance of the directory system by configuring multiple servers to handle the directory system load for the network.
You also configure Mac OS X Server to handle cross-domain authorization if a Kerberos realm exists. If you have an existing Active Directory server, you can connect an Open Directory server to it and you can easily add users from the Active Directory server into your Open Directory server. These users are referred to as augment users. For more information about augment records, see “Integrating with Augment Records” on page 68. For more information about adding augments to user records, see User Management.
The Open Directory server can provide LDAP and authentication services to more client computers, because not all computers need these services at the same time. Each computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even more brief. Determining what the fraction is—the percentage of computers that will make connections at the same time—can be difficult.
Replicating Open Directory Services

Mac OS X Server supports replication of the LDAP directory service, the Open Directory Password Server, and the Kerberos KDC. By replicating your directory and authentication services you can:
• Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.
Replica version                         | Mac OS X Server v10.5 or later master | Mac OS X Server v10.4 master
Mac OS X Server v10.5 or later replica  | Yes                                   | No
Mac OS X Server v10.4 replica           | No                                    | Yes

Replica Sets

A replica set is an automatic configuration that requires each service that Open Directory manages (LDAP, Password Server, and Kerberos) to look for and use the same replica server. This helps ensure that client computers choose the same replica server when using Open Directory services and helps prevent slow login.
A single Open Directory master server can have up to 32 replicas and each of those replicas can have up to 32 replicas, which gives you 1,056 replicas of a single Open Directory master server. This creates a two-tier hierarchy of replica servers. The first tier of replicas, which are the direct members of the Open Directory master, are called relays if they have replicas, because they relay the data to the second tier of replicas.
Load Balancing in Small, Medium, and Large Environments

Do not use service load-balancing software from third parties with Open Directory servers. Load-balancing software can cause unpredictable problems for Open Directory computers. It can interfere with the automatic load balancing and failover behavior of Open Directory in Mac OS X and Mac OS X Server. Mac OS X computers seek the nearest available Open Directory server—master or replica.
Using an Open Directory Master, Replica, or Relay with NAT

If your network has an Open Directory server on the private network side of a network address translation (NAT) router (or gateway), including the NAT router of Mac OS X Server, only computers on the private network side of the NAT router can connect to the Open Directory server’s LDAP directory domain.
Mixing Active Directory and Open Directory Master and Replica Services

There are some special considerations when introducing Open Directory Servers into an Active Directory environment. If precautions are not taken, mixed results will occur on client and server functionality. Also, avoid mixing Authenticated Directory Binding and Active Directory on the same client or server. Authenticated binding makes use of Kerberos as does Active Directory.
Or:
• Active Directory Domain = ads.company.com
• Active Directory Kerberos realm = ADS.COMPANY.COM
• Open Directory Server master = server1.od.company.com
• Open Directory Kerberos realm = OD.COMPANY.COM

In both examples, a new DNS domain zone must be created, and forward and reverse DNS entries must exist for the servers so that if an IP address is used for the Open Directory server, it gets the expected name. For example, IP address server1.od.company.com = 10.1.1.1, so a lookup of 10.1.1.
Using cross-domain authorization keeps you from needing to create different user names and passwords for your subordinate directory domain server. You can use the same user names and passwords from the corporate directory domain along with the PAC information to authorize user access. Cross-domain authorization is an ideal configuration if you are not permitted to directly edit groups in the corporate directory domain.
The Active Directory server manages authentication requests while the Open Directory server manages preference and policy settings of client computers. All services of your Open Directory servers can be Kerberized through the Kerberos realm of the Active Directory server. Client computers are connected to the Active Directory and Open Directory servers.
Integrating Without Schema Changes

Mac OS X and Mac OS X Server integrate with most LDAP-based directories without needing to change the schema of your directory server. However, some record types might not be recognized or maintained by your server’s directory schema. When you integrate Mac OS X computers with your directory server, you might want to add a new record type or object class to the directory schema to better manage and support Mac OS X client computers.
Mac OS X Server must belong to the same Kerberos realm as its client users. The realm has only one authoritative Kerberos server, which is responsible for all Kerberos authentication in the realm. The Kerberos server can only authenticate clients and servers in its realm. The Kerberos server can’t authenticate clients or services that are part of a different realm. Only user accounts in the chosen Kerberos realm will have single sign-on abilities.
If you must use an Open Directory server to manage users in another server’s directory domain, make sure the other directory domain is not part of the Open Directory server’s authentication search policy. To further avoid a Kerberos configuration file conflict, don’t use an Open Directory server to provide services that access a different Kerberos server’s directory domain.
Open Directory Security

With Mac OS X Server, a server with a shared LDAP directory domain also provides Open Directory authentication. It is important to protect the authentication data stored by Open Directory. This authentication data includes the Open Directory Password Server database and the Kerberos database, which must also be protected.
• Equip the Open Directory master computer with an uninterruptible power supply.

In summary, the most secure and best practice is to:
• Dedicate each server that is an Open Directory master or replica to provide only Open Directory services.
• Set up a firewall on these servers to provide only the following: directory access, authentication, and administration protocols (LDAP, Password Server, Kerberos, and Workgroup Manager).
Tools for Managing Open Directory Services

The Server Admin, Directory Utility, and Workgroup Manager applications provide a graphical interface for managing Open Directory services in Mac OS X Server. In addition, you can manage Open Directory services from the command line by using Terminal. These applications are included with Mac OS X Server and can be installed on another computer with Mac OS X v10.6 or later, making that computer an administrator computer.
For basic information about using Server Admin, see the Server Administration chapter in Getting Started. This chapter explains the following:
• Opening and authenticating in Server Admin
• Working with servers
• Administering services
• Controlling access to services
• Using SSL for remote server administration
• Customizing the Server Admin environment

Server Admin is in /Applications/Server/.
Workgroup Manager

Workgroup Manager provides comprehensive management of Mac OS X Server clients. You use Workgroup Manager to:
• Set up and manage user accounts, group accounts, and computer groups. For more information about managing user authentication, see Chapter 6, “Managing User Authentication Using Workgroup Manager.” For more information about other user, group, and computer management topics, see User Management.
• Manage share points for file services and user home folders.
Chapter 5: Setting Up Open Directory Services

Use this chapter to learn how to set up Open Directory services, including configurations, roles, master and replica LDAP service options, and single sign-on Kerberos authentication.

Setup Overview

Open Directory services—directory services and authentication services—are an essential part of a network’s infrastructure. These services have a significant effect on other network services and on users.
Step 5: Set up a Primary Domain Controller (PDC).
To set up a server to provide directory and authentication services for Windows and Mac OS X platforms, see “Setting Up a Primary Domain Controller (PDC)” on page 84.

Step 6: Set up an Open Directory replica.
To set up servers to provide failover directory and authentication services or remote directory and authentication services for fast client interaction on distributed networks, see “Setting Up an Open Directory Replica” on page 87.
Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac OS X Server that is an Open Directory master. Some of these users can be defined in directory domains on other servers, such as an Active Directory domain on a Windows server. These concepts are discussed in Chapter 1, “Directory Services with Open Directory.”
• Assess whether you need more than one shared domain. If so, decide which users will be defined in each shared domain.
Setting Up a Standalone Directory Service

Using Server Admin, you can set up Mac OS X Server to use only the server’s local directory domain. The server does not provide directory information to other computers or get directory information from an existing system. (The local directory domain can’t be shared.)
• If your server is an Open Directory replica, select “Decommission replica and set up standalone directory,” click Continue, enter the root password for the Open Directory master, enter the domain administrator’s login credentials, and then click Continue.
7 Confirm the configuration setting, then click Continue.
8 If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or is connected to, click Done.
To configure a server to be an Open Directory master:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click General.
If the Role option is set to Open Directory Replica and you want to make a new Open Directory master, you must change the server role to Standalone. For more information, see “Setting Up a Standalone Directory Service” on page 80.
• Search Base: This field is set to a search base suffix for the new LDAP directory, derived from the domain portion of the server’s DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory’s default search base suffix is used.
9 Confirm settings, then click Continue.
10 Confirm that the Open Directory master is functioning by clicking Overview (near the top of the Server Admin window, with Open Directory selected in the Servers list).
Setting Up a Primary Domain Controller (PDC)

Using Server Admin, you can set up Mac OS X Server as a Windows PDC. The PDC hosts a Windows domain and provides authentication services to other domain members, including authentication for domain login on Windows workstations. If no domain member server is available, the PDC server can provide Windows file and print services and it can host user profiles and home folders for users who have user accounts on the PDC.
• Domain: Enter the name of the Windows domain that the server will host. The domain name cannot exceed 15 characters and cannot be “workgroup.”
9 Click Save.
10 Enter the name and password of an LDAP directory administrator account, then click OK.
After setting up a PDC, you can change access restrictions, logging detail level, code page, domain browsing, or WINS registration. Then if Windows services aren’t running, you can start them. For more information, see Network Services Administration.
Setting Up Windows XP for Domain Login

You can enable domain login on a Windows XP computer by joining it to the Windows domain of a Mac OS X Server PDC. Joining the Windows domain requires the name and password of an LDAP directory administrator account. You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you may want to create a temporary LDAP directory administrator account with limited privileges. For more information, see User Management.
Setting Up an Open Directory Replica

Using Server Admin, you can set up Mac OS X Server to be a replica of an Open Directory master so it can provide the same directory information and authentication information to other systems as the master. The replica server hosts a read-only copy of the master’s LDAP directory domain. The replica server also hosts a read/write copy of the Open Directory Password Server and the Kerberos Key Distribution Center (KDC).
To configure a server to host a replica of an Open Directory master:
1 Make sure the master, the prospective replica, and every firewall between them are configured to permit SSH communications (port 22). You can enable SSH for Mac OS X Server in Server Admin. Select the server in the Servers list, click Settings, click General, then select the Remote Login (SSH) option. Make sure that SSH access is not restricted to certain users or groups (using SACLs) on the prospective master.
After you set up an Open Directory replica, other computers will connect to it as needed. Computers with v10.3 or v10.4 of Mac OS X or Mac OS X Server maintain a list of Open Directory replicas. If one of these computers can’t contact the Open Directory master for directory and authentication services, the computer connects to the nearest replica of the master.
Setting Up a Server as a Backup Domain Controller (BDC)

Using Server Admin, you can set up Mac OS X Server as a Windows backup domain controller (BDC). The BDC provides automatic failover and backup of Windows domain login and other Windows client requests for authentication and directory services. The BDC server can provide other Windows services (SMB services), including file, print, browsing, and Windows Internet Name Service (WINS).
After setting up a BDC, you might want to change access restrictions, logging detail level, code page, domain browsing, or WINS registration. Then if Windows services aren’t running, you can start them. For more information, see Network Services Administration.

Setting Up Open Directory Failover

If an Open Directory master or its replicas become unavailable, client computers that use v10.3–v10.6 of Mac OS X or Mac OS X Server find an available replica and connect to it.
Setting Up a Connection to a Directory Server

Using Server Admin, you can set up Mac OS X Server to get user records and other directory information from another server’s shared directory domain. The other server also provides authentication for its directory information. Mac OS X Server still gets directory information from its own local directory domain and provides authentication for this local directory information.
Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2 authentication, but Password Server in Mac OS X Server v10.3 or earlier does not support NTLMv2. Similarly, if you configure Mac OS X Server v10.4 or later to access a directory domain of Mac OS X Server v10.2 or earlier, users defined in the older directory domain cannot be authenticated with the MS-CHAPv2 method. This method might be required to securely authenticate users for the VPN service of Mac OS X Server v10.
• Computer Name: Enter the name you want Windows users to see when they connect to the server. This is the server’s NetBIOS name. The name should contain no more than 15 characters, no special characters, and no punctuation. If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as “server.example.com,” give your server the name “server.”
• Domain: Enter the name of the Windows domain that the server will join.
8 Click Done.
9 If you want to configure advanced settings for your Active Directory connection, click Open Directory Utility. For more information about advanced connections to an Active Directory server, see “Configuring Access to an Active Directory Domain” on page 160. Begin at step 4.
10 Open System Preferences and click Accounts.
11 In the lower left corner of System Preferences, click the lock and authenticate when prompted.
12 Click Login Options.
13 Click Directory Services.
24 Click OK.
25 From the Servers list, select SMB.
26 Click Settings, then click General.
27 Verify that the server is now a member of the Active Directory domain. You can change the server’s optional description, which appears in the Network Places window on Windows computers.
After setting up an Active Directory domain member, you might want to change access restrictions, logging detail level, code page, domain browsing, or WINS registration.
When Open Directory is started for the first time, Kerberos uses DNS to generate configuration settings. If your DNS server is not available when Kerberos is initially started, its configuration is invalid and Kerberos will not work properly. After Kerberos is running and has generated its configuration file, it no longer completely depends on DNS, and changes to DNS will not affect Kerberos. The individual services of Mac OS X Server do not require configuration for single sign-on or Kerberos.
The server can also support single sign-on Kerberos authentication for Kerberized services of other servers on the network. The other servers must be set up to join the Open Directory Kerberos realm. For more information, see “Delegating Authority to Join an Open Directory Kerberos Realm” on page 100, and “Joining a Server to a Kerberos Realm” on page 102. Important: An Open Directory master requires DNS to be properly configured so it can provide Kerberos and single sign-on authentication.
5 Use Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master’s DNS name and a reverse lookup of the IP address. If the server’s DNS name or IP address doesn’t resolve correctly:
• In the Network pane of System Preferences, look at the TCP/IP settings for the server’s primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server’s name.
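The forward and reverse lookups in step 5 are worth scripting, because the Kerberos configuration generated at first start is only as good as DNS was at that moment and the check has to be repeated after every DNS change. The script below is an added example, not part of the Apple guide: it uses dig (shipped with Mac OS X) for the live check, with a separate pure comparison function so the decision logic can be exercised offline. The names od.example.com and 192.0.2.10 are constructed sample values, and only the first answer of each lookup is considered (an Open Directory master should have exactly one A record and one PTR record).

```shell
#!/bin/sh
# Added example: forward/reverse DNS consistency check for an Open Directory master.
# Assumes `dig` from BIND is on the PATH. Host names and addresses are constructed.

# Normalize a DNS name for comparison: lowercase, strip one trailing dot.
normalize_fqdn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Decide whether a forward answer and a reverse answer agree with each other.
#   $1 = server FQDN   $2 = server IP
#   $3 = A record found for $1   $4 = PTR name found for $2
# Returns 0 when both answers exist and point back at the expected values.
dns_pair_consistent() {
  name=$(normalize_fqdn "$1")
  ip=$2
  fwd=$(normalize_fqdn "$3")
  rev=$(normalize_fqdn "$4")
  if [ -n "$fwd" ] && [ -n "$rev" ] && [ "$fwd" = "$ip" ] && [ "$rev" = "$name" ]; then
    return 0
  fi
  return 1
}

# Live check: query DNS for both directions and report. Returns 0 if consistent.
check_od_dns() {   # $1 = FQDN of the Open Directory master, $2 = its IP address
  fwd=$(dig +short A "$1" | head -n 1)
  rev=$(dig +short -x "$2" | head -n 1)
  if dns_pair_consistent "$1" "$2" "$fwd" "$rev"; then
    echo "OK: $1 <-> $2"
    return 0
  fi
  echo "MISMATCH for $1 / $2: forward='$fwd' reverse='$rev'" >&2
  return 1
}

# Stand-alone use: ./od_dns_check.sh od.example.com 192.0.2.10
if [ "$#" -eq 2 ]; then
  check_od_dns "$1" "$2"
fi
```

Run it before turning on Kerberos and again after any DNS edit; a mismatch in either direction is the condition step 5 tells you to fix before going further.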
Delegating Authority to Join an Open Directory Kerberos Realm

Using Server Admin, you can delegate the authority to join a server to an Open Directory master server for single sign-on Kerberos authentication. You can delegate authority to user accounts. The accounts you delegate authority to must have a password type of Open Directory and must reside in the LDAP directory of the Open Directory master server. The dependent server you are delegating authority for must use Mac OS X Server v10.3 or later.
If any item in the array of preference categories has a small arrow next to its icon, the item has managed preference settings. To remove managed preferences from an item, click the item, select Not Managed, and click Apply Now. If the item has multiple panes, select Not Managed in each pane, then click Apply Now.
6 To delegate Kerberos authority to user accounts, create the accounts:
a Make sure you are working in the LDAP directory of the Open Directory master server.
Joining a Server to a Kerberos Realm

Using Server Admin, a Kerberos administrator or a user whose account has the properly delegated authority can join Mac OS X Server to a Kerberos realm. The server can join only one Kerberos realm. It can be an Open Directory Kerberos realm, an Active Directory Kerberos realm, or an existing realm based on MIT Kerberos. To join an Open Directory Kerberos realm, you need a Kerberos administrator account or a user account with delegated Kerberos authority.
Magic Triangle General Setup Overview

Here is a summary of the general tasks you perform to set up a magic triangle with an Active Directory and Open Directory server. For detailed information about each step, see the pages indicated.

Step 1: Check the Active Directory configuration.
Make sure your Active Directory server and its DNS service are properly configured and running.

Step 2: Turn on Open Directory service.
Use Server Admin to turn the Open Directory service on.
Chapter 6: Managing User Authentication Using Workgroup Manager

Use this chapter to learn how to reset user passwords, change password types, set password policies, select authentication methods, and perform other tasks using Workgroup Manager. Workgroup Manager provides a centralized method of managing Mac OS X computers to control access to software and removable media, and to provide a consistent environment for different users. You also use Workgroup Manager to manage user authentication.
Composing a Password

The password associated with a user’s account must be entered by the user when he or she authenticates for login or other services. The password is case sensitive (except for SMB-LAN Manager passwords) and is masked on the screen as it is entered.
To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. If the user’s password type is Open Directory, you must authenticate as an administrator whose password type is Open Directory.
3 Select the account whose password needs to be changed.
4 Enter a password in the Basic pane, then click Save.
5 Tell the user the new password so he or she can log in.
If you change the password of accounts whose password type is Open Directory and the accounts reside in the LDAP directory of an Open Directory replica or master, the change becomes synchronized with the master and its replicas. Mac OS X Server synchronizes changes to Open Directory passwords among a master and its replicas.
Note: To set a user account’s password type to Open Directory, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory. For more information, see “Assigning Administrator Rights for Open Directory Authentication” on page 115.
Changing the Password Type to Crypt Password

If necessary, you can use Workgroup Manager to specify a crypt password for a user’s account. You can only use crypt passwords for a user account in a shared directory domain. The user account can be part of an LDAP directory domain or a legacy shared NetInfo domain (only available when connected to a Mac OS X Server v10.4, v10.3, or v10.2).
Click the lock and authenticate as a directory domain administrator, then select the user in the list.
2 Click Advanced.
3 From the User Password Type pop-up menu, choose Shadow Password.
Note: You can only assign local user accounts to use shadow passwords.
4 When prompted, enter and verify a password, then click OK.
A long password is truncated for some authentication methods. Up to 128 characters of the password are used for NTLMv2 and NTLM, and the first 14 characters are used for LAN Manager.
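The truncation rules above, together with the earlier note that SMB-LAN Manager passwords are not case sensitive, mean that two passwords a user considers different can be identical as far as one authentication method is concerned. The functions below are an added illustration, not code from the Apple guide: they compute the value each SMB method effectively authenticates (the 14-character, case-folded form for LAN Manager; the 128-character form for NTLM and NTLMv2) and report whether two passwords collide under a method. The sample passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): what each SMB authentication method
# actually receives from a long password, per the truncation rules described above.
# Sample passwords are constructed; no hashing is performed, only the input reduction.

# LAN Manager: not case sensitive, and only the first 14 characters are used.
lm_effective() {
  printf '%s' "$1" | cut -c1-14 | tr 'a-z' 'A-Z'
}

# NTLM / NTLMv2: case preserved, up to 128 characters are used.
ntlm_effective() {
  printf '%s' "$1" | cut -c1-128
}

# Do two passwords look the same to a given method? Prints "collide" or "distinct".
#   $1 = method (lm | ntlm)   $2 = password A   $3 = password B
collision_check() {
  case $1 in
    lm)   a=$(lm_effective "$2");   b=$(lm_effective "$3") ;;
    ntlm) a=$(ntlm_effective "$2"); b=$(ntlm_effective "$3") ;;
    *)    echo "unknown method: $1" >&2; return 2 ;;
  esac
  if [ "$a" = "$b" ]; then
    echo collide
  else
    echo distinct
  fi
}

# Stand-alone demonstration: these differ in case and beyond character 14.
if [ "$#" -eq 0 ]; then
  p1='CorrectHorseBattery1!'
  p2='correcthorsebatteryXYZ'
  echo "LAN Manager sees: $(lm_effective "$p1") / $(lm_effective "$p2") -> $(collision_check lm "$p1" "$p2")"
  echo "NTLMv2 sees:      $(ntlm_effective "$p1") / $(ntlm_effective "$p2") -> $(collision_check ntlm "$p1" "$p2")"
fi
```

The demonstration shows the practical consequence: everything a user adds after the 14th character, and every case distinction, is invisible to LAN Manager. That is the reason to leave LAN Manager deselected in the authentication methods list unless a specific legacy client still needs it.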
Administrator accounts are exempt from password policies. Each user can have an individual password policy that overrides global password policy settings. For more information, see “Setting Password Policies for Individual Users” on page 112. Kerberos and Open Directory Password Server maintain password policies separately. Mac OS X Server synchronizes the Kerberos password policy rules with Open Directory Password Server password policy rules.
Setting Password Policies for Individual Users

Using Workgroup Manager, you can set password policies for user accounts whose password type is Open Directory or Shadow Password. The password policy for a user overrides the global password policy defined in the Authentication Settings pane of Open Directory service in Server Admin. The password policy for a mobile user account applies when the account is used while the mobile computer is disconnected from the network.
From the command line:
• To change the global password policy of user accounts:
$ pwpolicy -a authenticator -setpolicy -u user "option=value..."
For example, to require that an authenticator’s password be a minimum of 12 characters and have no more than 3 failed login attempts, enter the following in a Terminal window, where authenticator is the authenticator’s name and user is the user’s name.
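Because a mistyped option name or a non-numeric value in the quoted policy string is easy to get wrong and hard to notice after the fact, it helps to validate the string before handing it to pwpolicy. The script below is an added example, not from the Apple guide: it checks each key=value pair against a list of pwpolicy option names (these are the names I know pwpolicy to accept in this release; confirm them against the pwpolicy man page on your server), builds the per-user command the text shows or the global variant with -setglobalpolicy, and only executes it where pwpolicy is actually installed. The names diradmin and jsmith are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): validate a pwpolicy option string and
# build the command line before running it. Option names are as I know pwpolicy
# accepts them in this release; verify against the pwpolicy man page. Account
# names used in the usage example are constructed.

# Options that take a non-negative integer (a count, a length, minutes, or 0/1 flags).
KNOWN_OPTS="minChars maxChars maxFailedLoginAttempts usingHistory maxMinutesUntilChangePassword maxMinutesOfNonUse requiresAlpha requiresNumeric requiresMixedCase requiresSymbol passwordCannotBeName"

# Validate "key=value key=value ..." and print the normalized policy string.
# Returns 1 on an unknown key or a non-integer value.
validate_policy() {
  out=""
  for kv in $1; do
    key=${kv%%=*}
    val=${kv#*=}
    case " $KNOWN_OPTS " in
      *" $key "*) ;;
      *) echo "unknown option: $key" >&2; return 1 ;;
    esac
    case $val in
      ''|*[!0-9]*) echo "non-integer value for $key: '$val'" >&2; return 1 ;;
    esac
    out="$out${out:+ }$key=$val"
  done
  printf '%s\n' "$out"
}

# Print the pwpolicy command: per-user when a user name is given, otherwise global.
#   $1 = authenticator   $2 = policy string   $3 = user (optional)
build_pwpolicy_cmd() {
  policy=$(validate_policy "$2") || return 1
  if [ -n "$3" ]; then
    printf 'pwpolicy -a %s -setpolicy -u %s "%s"\n' "$1" "$3" "$policy"
  else
    printf 'pwpolicy -a %s -setglobalpolicy "%s"\n' "$1" "$policy"
  fi
}

# Execute only where pwpolicy exists (Mac OS X Server); elsewhere show the command.
apply_policy() {
  cmd=$(build_pwpolicy_cmd "$@") || return 1
  if command -v pwpolicy >/dev/null 2>&1; then
    eval "$cmd"          # pwpolicy prompts for the authenticator's password
  else
    echo "dry run: $cmd"
  fi
}

# Usage (constructed names): the 12-character / 3-attempt policy from the text, for one user.
if [ "$#" -eq 0 ]; then
  apply_policy diradmin "minChars=12 maxFailedLoginAttempts=3" jsmith
fi
```

The validation catches the two mistakes that silently produce a weaker policy than intended: a misspelled option (pwpolicy options are case sensitive, so minchars is not minChars) and a value that is not a plain integer.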
To enable or disable authentication methods for a Shadow Password user:
1 In Workgroup Manager, open the account you want to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user’s account resides. Click the lock and authenticate as a directory domain administrator, then select the user in the list.
To enable or disable authentication methods for Open Directory passwords:
1 Open Server Admin and connect to an Open Directory master server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click Policies.
5 Click Authentication, select the authentication methods you want enabled, and deselect the authentication methods you want disabled.
6 Click Save.
Keeping the Primary Administrator’s Passwords in Sync

Having different passwords for the primary local administrator account and the LDAP administrator account (user ID 501) can be confusing. Therefore, keep the passwords the same. On an Open Directory server upgraded from Mac OS X Server v10.3, the primary administrator account normally exists in the server’s local directory domain and in its LDAP directory.
If you configure an LDAP connection that doesn’t map the password and authentication authority attributes, bind authentication occurs automatically. For more information, see “Configuring LDAP Searches and Mappings” on page 146.
2 If you configure the connection to permit clear text passwords, also configure it to use SSL to protect the clear text password while it is in transit.
Although existing crypt passwords can continue to be used after importing or upgrading, you can change user accounts to have Open Directory or shadow passwords. You can change individual user accounts or multiple user accounts by using Workgroup Manager. Changing a user account’s password type resets the password. For more information, see “Changing the Password Type to Open Directory” on page 107 and “Changing the Password Type to Shadow Password” on page 109.
Chapter 7: Managing Directory Clients Using Accounts Preferences

Use this chapter to learn how to access, configure, and manage computers using Accounts preferences. After you configure your directory server, you can connect client computers using Accounts preferences. You can use Accounts preferences to connect to remote computers and change their settings, simplifying computer management.
Mac OS X v10.6 computers can connect to an Open Directory, Active Directory, or LDAP directory server. If you don’t know which server to connect to, ask your network administrator.
Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

Automated Client Configuration

If your Mac OS X v10.
6 When the UpgradeUser tool is complete, click Continue.
7 When the message appears explaining the services that were set up and requesting that you log out, click Log Out. When you log in you can begin using the new services.

Adding an Active Directory Server Connection

When connecting to an Active Directory server, you must know the server name or IP address and the Active Directory administrator user name and password.

To add an Active Directory server:
1 Open System Preferences and click Accounts.
If you see an Edit button, your computer has at least one connection to a directory server.
4 Click the Add (+) button.
5 From the “Add a new directory of type” pop-up menu, choose Open Directory.
6 In the “Server Name or IP Address” field, enter the server name or IP address.
7 (Conditional) Before you select the “Encrypt using SSL” checkbox, ask your Open Directory administrator if SSL is needed.
Editing a Directory Server Connection

You can use Accounts preferences to edit directory servers you are connected to.

To edit a directory server connection:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Edit.
4 From the list of directory servers, select the directory server you want to edit.
5 Click the Edit (/) button.
6 Change the directory server settings.
Managing the Root User Account

You can use Directory Utility (located in Accounts preferences) to manage the root user account by enabling or disabling the root user. If you have enabled the root user account, you can also use Directory Utility to change the root account password.
Changing the Root User Account Password

You can use Directory Utility (located in Accounts preferences) to change the root account password. When changing the root password, use a complex password that contains alphanumeric and special characters, to prevent the password from being compromised.

WARNING: The root account is an unrestricted administrator account used to perform changes to critical system files.
Chapter 8: Advanced Directory Client Settings

Use this chapter to set up and manage how a computer with Mac OS X or Mac OS X Server accesses directory services. After you configure your directory server, you can customize the advanced settings of Directory Utility to work with your computer and software applications.
Setting Up Directory Utility on a Remote Server

You can use Directory Utility on your computer to set up and manage how Mac OS X Server on a remote server accesses directory services.

To configure directory access on a remote server:
1 Open System Preferences on your computer and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Join or Edit.
The authentication and contacts search policies can have one of the following settings:
• Automatic: Starts with the local directory domain and can include an LDAP directory supplied by DHCP and directory domains that the computer is connected to. This is the default setting for Mac OS X v10.2 or later and offers the most flexibility for mobile computers.
• Local directory: Includes only the local directory domain.
To have a search policy defined automatically:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Join or Edit.
4 Click Open Directory Utility.
5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6 Click Search Policy and choose a search policy.
• Authentication: Shows the search policy used for authentication and most other administrative data.
• Contacts: Shows the search policy used for contact information in applications such as Address Book.
7 From the Search pop-up menu, choose “Custom path.”
8 Add directory domains as needed by clicking Add, selecting directories, and clicking Add again.
9 Change the order of the listed directory domains as needed by dragging them up or down the list.
6 Click Search Policy and choose a search policy:
• Authentication: Shows the search policy used for authentication and most other administrative data.
• Contacts: Shows the search policy used for contact information in applications such as Address Book.
7 From the Search pop-up menu, choose “Local directory,” then click Apply.
Using Advanced Directory Services Settings

Directory Utility lists the directory services that Mac OS X can access. The list includes directory services that give Mac OS X access to user information and other administrative data stored in directory domains. You can enable or disable access to each directory service. If you disable a service in Directory Utility, Mac OS X no longer accesses that directory service.
Enabling or Disabling LDAP Directory Services

You can use Directory Utility to enable or disable access to directory services that use LDAPv2 and LDAPv3. A single Directory Utility plug-in named LDAPv3 provides access to both LDAPv2 and LDAPv3. The directory services provided by Mac OS X Server use LDAPv3, as do many other servers. LDAPv3 is an open standard common in mixed networks of Macintosh, UNIX, and Windows systems. Some servers use the older version, LDAPv2, to provide directory service.
• “Changing the Connection Settings for an LDAP Directory” on page 143
• “Changing the Security Policy for an LDAP Connection” on page 145
• “Configuring LDAP Searches and Mappings” on page 146
• “Setting Up Trusted Binding for an LDAP Directory” on page 149
• “Stopping Trusted Binding with an LDAP Directory” on page 150
• “Changing the Open/Close Timeout for an LDAP Connection” on page 151
• “Changing the Query Timeout for an LDAP Connection” on page 152
• “Changing the Rebind-Try Delay Time for an
7 In the list of services, select LDAPv3 and click the Edit (/) button.
8 Click the Show Options control or the Hide Options control, whichever is present.

Configuring Access to an LDAP Directory

Using Directory Utility, you can specify how Mac OS X accesses an LDAPv3 directory if you know the DNS name or IP address of the LDAP directory server.
9 Select the options for accessing the directory:
• Select “Encrypt using SSL” if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAP directory. Before you select this, ask your Open Directory administrator to determine if SSL is needed.
• Select “Use for authentication” if this directory contains user accounts that someone will use to log in or authenticate to services.
For more information about adding a computer to a computer group, see the computer groups chapter of User Management.
12 If the dialog expands to display connection options, select “Use authentication when selecting” and enter the distinguished name and password of a user account in the directory. The options for an authenticated connection appear if the LDAP server supports an authenticated connection but not trusted binding.
• Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server
• RFC 2307, for most directories hosted by UNIX servers
• Custom, for directories that don’t use any of the above mappings

The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.
• If you choose Custom, you must set up mappings between Mac OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see “Configuring LDAP Searches and Mappings” on page 146.
12 Before you select the “Encrypt using SSL” checkbox, check with your Open Directory administrator to determine if SSL is needed.
Changing a Configuration for Accessing an LDAP Directory

You can use Directory Utility to change the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses an LDAPv3 or LDAPv2 directory. If the LDAP configuration was provided by DHCP, it can’t be changed, so this type of configuration is dimmed in the LDAP configurations list.

To edit a configuration for accessing an LDAP directory:
1 Open System Preferences and click Accounts.
10 To change the following default settings for this LDAP configuration, click Edit to display the options for the selected LDAP configuration, make changes, and click OK when you finish editing the LDAP configuration options:
• Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see “Changing the Connection Settings for an LDAP Directory” on page 143.
• LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK. If you chose a template, you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS name. For example, for a server whose DNS name is ods.example.com the search base suffix is “dc=ods,dc=example,dc=com.”
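The derivation in that example is mechanical: each DNS label becomes one dc= component, in order. The functions below are an added example, not from the Apple guide: fqdn_to_search_base performs that derivation for any name (rejecting labels that are not valid DNS labels, which is the usual sign of a typo), and search_base_matches checks a suffix typed into the LDAP Mapping sheet against the value derived from the server’s name. The name ods.example.com is the guide’s own example; the other names are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): derive the default LDAP search base
# suffix from a server's DNS name and check a typed suffix against it.
# ods.example.com is the guide's example; other names are constructed.

# Validate one DNS label: 1-63 characters, letters, digits or hyphen,
# and no leading or trailing hyphen.
valid_label() {
  case $1 in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Print the dc=... suffix for an FQDN: ods.example.com -> dc=ods,dc=example,dc=com
# Returns 1 (and prints nothing on stdout) if any label is invalid.
fqdn_to_search_base() {
  name=${1%.}                      # tolerate a trailing dot
  out=""
  oldifs=$IFS
  IFS=.
  for label in $name; do
    if ! valid_label "$label"; then
      IFS=$oldifs
      echo "bad DNS label '$label' in '$1'" >&2
      return 1
    fi
    out="$out${out:+,}dc=$label"
  done
  IFS=$oldifs
  printf '%s\n' "$out"
}

# Does a search base entered by hand match the one derived from the FQDN?
# Comparison ignores attribute-type case and spaces after commas.
#   $1 = server FQDN   $2 = search base as entered
search_base_matches() {
  expected=$(fqdn_to_search_base "$1") || return 1
  typed=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
  [ "$typed" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# Stand-alone use: ./search_base.sh ods.example.com
if [ "$#" -eq 1 ]; then
  fqdn_to_search_base "$1"
fi
```

Where a directory was created from the domain portion of the name rather than the full host name (the Search Base field in the master setup describes that variant), pass the name with its first label removed, for example fqdn_to_search_base "${fqdn#*.}", and compare against that instead.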
Deleting a Configuration for Accessing an LDAP Directory

You can use Directory Utility to delete a configuration that specifies how the computer accesses an LDAPv3 or LDAPv2 directory. If the LDAP configuration was provided by DHCP, it can’t be changed, so this configuration option is dimmed in the LDAP configurations list.

To delete a configuration for accessing an LDAP directory:
1 Open System Preferences and click Accounts.
To change the connection settings for accessing an LDAP directory:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Edit.
4 Click Open Directory Utility.
5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6 Click Services.
7 In the list of services, select LDAPv3 and click the Edit (/) button.
Changing the Security Policy for an LDAP Connection

Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directory’s security policy permits clear-text passwords, you can set an LDAPv3 connection to not permit clear-text passwords. Setting a stricter security policy protects your computer from a malicious hacker trying to use a rogue LDAP server to gain control of your computer.
If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the LDAP server doesn’t support them. For more information about setting these options for a Mac OS X Server LDAP directory, see “Setting a Security Policy for an Open Directory Server” on page 187.
• The mapping of Mac OS X data types, or attributes, to LDAP attributes for each record type
• The LDAP search base and search scope that determine where Mac OS X looks for a Mac OS X record type in an LDAP directory

When mapping Mac OS X user attributes to a read/write LDAP directory domain (an LDAP domain that is not read-only), the LDAP attribute mapped to RealName must not be the same as the first attribute in a list of LDAP attributes mapped to RecordName.
• To add record types, click Add (below the Record Types and Attributes list); then, in the sheet that appears, select Record Types, select record types from the list, and click OK.
• To change the search base and search scope of a record type, select it in the Record Types and Attributes list, and then edit the “Search base” field.
Templates saved in the default location are listed in pop-up menus of LDAP mapping templates the next time you open Directory Utility.
7 In the list of services, select LDAPv3 and click the Edit (/) button.
8 If the list of server configurations is hidden, click Show Options.
9 Select the server configuration you want and click Edit.
10 Click Bind, then enter the following credentials and click OK.
Enter the name of the computer and the name and password of an LDAP directory domain administrator. The computer name can’t be in use by another computer for trusted binding or other network services.
10 Click Unbind, then enter the following credentials and click OK. Enter the name and password of an LDAP directory administrator (not a local computer administrator). If trusted binding hasn’t been set up on this computer, the Unbind button does not appear. If you see an alert saying the computer can’t contact the LDAP server, click OK if you want to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory.
Changing the Query Timeout for an LDAP Connection
Using Directory Utility, you can specify how long Open Directory waits before cancelling a query sent to the LDAP directory.
To set the query timeout for an LDAP connection:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Edit.
4 Click Open Directory Utility.
Changing the Idle Timeout for an LDAP Connection
Using Directory Utility, you can specify how long an LDAP connection remains idle before Open Directory closes the connection. You can adjust this setting to reduce the number of open connections on the LDAP server.
To set a timeout interval for an idle LDAP connection:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
9 In the list, select a server configuration and click Edit.
10 Click Connection and select “Ignore server referrals.”
Authenticating an LDAP Connection
Using Directory Utility, you can set up an authenticated connection to an LDAP directory. This authentication is one-way. The computer proves its identity to an LDAP directory but the LDAP directory doesn’t prove its authenticity to the computer. For mutual authentication, see “Setting Up Trusted Binding for an LDAP Directory” on page 149.
Changing the Password Used for Authenticating an LDAP Connection
Using Directory Utility, you can update an authenticated LDAP connection to use a password that has been changed on the LDAP server. (All computers having an authenticated connection to an LDAP server must be updated if the password used to authenticate the LDAP connection is changed on the server.)
To change the password for an LDAP connection:
1 Open System Preferences and click Accounts.
To enable creating user records in an LDAP directory with RFC 2307 mappings:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Edit.
4 Click Open Directory Utility.
5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6 Click Services.
7 In the list of services, select LDAPv3 and click the Edit (/) button.
Preparing a Read-Only LDAP Directory for Mac OS X
If you want a Mac OS X computer to get administrative data from a read-only LDAP directory, the data must exist in the format required by Mac OS X. You might need to add, change, or reorganize data in the read-only LDAP directory. Because Mac OS X cannot write data to a read-only directory, you must use other tools to make the changes. The tools must reside on the server that hosts the read-only LDAP directory.
Using Advanced Active Directory Service Settings
You can configure a server with Mac OS X Server or a computer with Mac OS X to access an Active Directory domain on a Windows 2000 or Windows 2003 server.
Mac OS X v10.6 supports packet encryption and packet signing options for all Windows Active Directory domains. By default, both options are set to “allow.” You can change the setting to disabled or required by using the dsconfigad command-line tool. The packet encryption and packet signing options ensure that all data exchanged with the Active Directory domain for record lookups is protected.
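To check a bound computer against the hardened state, here is an added shell audit (not from the Apple guide) that reads dsconfigad -show output and flags any packet option still at “allow” or “disable”. The dsconfigad -packetsign and -packetencrypt flags are real; the “Packet signing = allow” line layout and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Apple guide: audit the packet signing and
# packet encryption settings of a computer's Active Directory binding.
# dsconfigad changes them with the real flags -packetsign and -packetencrypt
# (each taking disable, allow or require); "allow" is the default the guide
# describes and "require" is the hardened state.

# ad_packet_policy: read "dsconfigad -show" output on stdin and print one
# "<setting> <value> <verdict>" line per packet option.  The
# "Packet signing = allow" line layout is an assumption about dsconfigad
# output; the samples below are constructed to match it.
ad_packet_policy() {
    awk -F'=' '
        /Packet (signing|encryption)/ {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/ /, "_", key)
            if (val == "require")      verdict = "ok"
            else if (val == "disable") verdict = "disabled"
            else                       verdict = "weak"
            print key, val, verdict
        }'
}

# ad_packet_weak: succeed (exit 0) when at least one packet option is not
# "require"; return 2 when the settings are absent from the input.
ad_packet_weak() {
    out=$(ad_packet_policy)
    [ -n "$out" ] || return 2
    printf '%s\n' "$out" | grep -q -v ' ok$'
}

# ad_packet_harden_cmd: the command that moves both options to "require"
ad_packet_harden_cmd() {
    echo 'sudo dsconfigad -packetsign require -packetencrypt require'
}

# Constructed sample: a binding still on the default "allow" for both options.
SAMPLE_DEFAULT='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# Constructed sample: the same binding after hardening.
SAMPLE_HARDENED=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/= allow/= require/')

# Demo: report the default binding and the fix for it.
printf '%s\n' "$SAMPLE_DEFAULT" | ad_packet_policy
if printf '%s\n' "$SAMPLE_DEFAULT" | ad_packet_weak; then
    echo "weak settings found; fix with: $(ad_packet_harden_cmd)"
fi
```

On a live system, pipe `dsconfigad -show` into `ad_packet_policy` instead of the constructed sample.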
If the Active Directory schema has been extended to include Mac OS X record types (object classes) and attributes, the Active Directory connector detects and accesses them. For example, the Active Directory schema could be changed using Windows administration tools to include Mac OS X managed client attributes. This schema change enables the Active Directory connector to support managed client settings made using Mac OS X Server’s Workgroup Manager application.
Important: If your computer name contains a hyphen you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
To configure access to an Active Directory domain:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Join or Edit.
4 Click Open Directory Utility.
• “Changing the Active Directory Groups That Can Administer the Computer” on page 169
• “Controlling Authentication from All Domains in the Active Directory Forest” on page 170
11 Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:
• Username and Password: You might be able to authenticate by entering the name and password of your Active Directo
Setting Up Mobile User Accounts in Active Directory
You can enable or disable mobile Active Directory user accounts on a computer that is configured to use Directory Utility’s Active Directory connector. Users with mobile accounts can log in using their Active Directory credentials when the computer is not connected to the Active Directory server.
Setting Up Home Folders for Active Directory User Accounts
On a computer that’s configured to use the Directory Utility Active Directory connector you can enable or disable network home folders or local home folders for Active Directory user accounts. With network home folders, a user’s Windows network home folder is mounted as the Mac OS X home folder when the user logs in.
12 To use the Mac OS X attribute for the home folder location, deselect “Use UNC path from Active Directory to derive network home location.” To use the Mac OS X attribute, the Active Directory schema must be extended to include it.
13 Click OK.
If you change the name of a user account in the Active Directory domain, the server creates a home folder (and subfolders) for the user account the next time it is used for logging in to a Mac OS X computer.
Mapping the UID to an Active Directory Attribute
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify an Active Directory attribute that you want mapped to Mac OS X’s unique user ID (UID) attribute.
Mapping the Primary Group ID to an Active Directory Attribute
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify an Active Directory attribute that you want mapped to Mac OS X’s primary group ID (GID) attribute in user accounts.
Mapping the Group ID in Group Accounts to an Active Directory Attribute
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify an Active Directory attribute that you want mapped to Mac OS X’s group ID (GID) attribute in group accounts.
Specifying a Preferred Active Directory Server
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify the DNS name of the server whose Active Directory domain you want the computer to access by default. If the server becomes unavailable in the future, the Active Directory connector reverts to another nearby server in the forest. If this option is deselected, the Active Directory connector determines the closest Active Directory domain in the forest.
To add or remove Active Directory group accounts whose members have administrator privileges:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Login Options, then click Edit.
4 Click Open Directory Utility.
5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6 Click Services.
7 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
8 In the list of services, select Active Directory and click the Edit (/) button.
9 If the advanced options are hidden, click Show Advanced Options.
10 Click Administrative.
11 Select “Allow authentication from any domain in the forest.
5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6 Click Services.
7 In the list of services, select Active Directory and click the Edit (/) button.
8 Click Unbind, authenticate as a user who has rights to terminate a connection to the Active Directory domain, and click OK.
If you see an alert saying the credentials weren’t accepted or the computer can’t contact Active Directory, click Force Unbind to forcibly break the connection.
• Automatic mounting of the Windows home folder
• Mobile user accounts with cached authentication credentials
• Discovery of all domains in an Active Directory forest
• Support for Active Directory replication and failover
For more information, see “About Active Directory Access” on page 158.
To create an Active Directory server configuration:
1 Open System Preferences and click Accounts.
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
The Active Directory mapping template for an LDAPv3 configuration maps some Mac OS X record types and attributes to object classes and attributes that are not part of a standard Active Directory schema. You can change the mappings defined by the template, or you can extend the Active Directory schema. Alternatively, you might be able to access your Active Directory domain through the Active Directory connector instead of LDAPv3.
Specifying BSD Configuration File Settings
Historically, UNIX computers have stored administrative data in configuration files such as /etc/master.passwd, /etc/group, and /etc/hosts. Mac OS X is based on a BSD version of UNIX, but normally gets administrative data from directory systems. Mac OS X Server supports a fixed set of BSD configuration files. You can’t specify which configuration files to use, nor can you map their contents to Mac OS X record types and attributes. In Mac OS X v10.
Setting Up Data in BSD Configuration Files
If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in the files and must be in the format required by Mac OS X. You might need to add, change, or reorganize data in the files. Workgroup Manager cannot make changes to data in BSD configuration files, so you must make the necessary modifications by using a text editor or other tools.
9 Maintaining Open Directory Services
Use this chapter to learn how to monitor Open Directory services, view and edit raw data from Open Directory domains, and back up Open Directory files.
Controlling Access to a Server’s Login Window
You can use Server Admin to control which users can log in to Mac OS X Server using the login window. Users with server administrator privileges can always log in to the server.
To control who can use the login window on a server:
1 Open Server Admin and connect to the server.
2 Click Settings, then click Access.
3 Click Services.
4 Select “For selected services below” and select Login Window in the list on the left.
5 Select “Allow only users and groups below” and edit the list of users and groups that you want to have SSH access to the server:
• Add users or groups that can open SSH connections by clicking the Add (+) button and dragging users or groups from the User & Groups window to the list.
• Remove users or groups from the list by selecting one or more and clicking the Remove (–) button.
6 Click Save.
7 Set the user’s permission:
• To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name.
• To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
8 Click Save.
Monitoring Open Directory
You can view Open Directory status and logs, and you can inspect Open Directory authentication logs for suspicious activities.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click General, to see a list of replicas and the status of each one.
The status for a new replica indicates whether it was created successfully. Thereafter, the status indicates whether the most recent replication attempt was successful.
Viewing Open Directory Status and Logs
You can use Server Admin to view status information and logs for Open Directory services.
To see Open Directory authentication logs:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Logs and choose the kdc log or a password service log from the View pop-up menu.
Viewing and Editing Directory Data
You can view or edit raw directory data by using the Inspector in Workgroup Manager.
5 To see other types of records, click the All Records button next to the Computer Group button, and choose a record type from the pop-up menu at the top of the list. The pop-up menu lists all standard record types that exist in the directory domain. You can also choose Native from the pop-up menu and enter the name of a native record in the box that appears below the pop-up menu. The list displays all records, including predefined records, of the record type.
Deleting Records
You can use the Inspector in Workgroup Manager to delete a record.
WARNING: After using the Inspector to delete user or computer records, use command-line tools to delete the corresponding Kerberos identity and Password Server slot. If you leave an orphaned Kerberos identity or Password Server slot, it can conflict with a user or computer record created later.
WARNING: Deleting records can cause the server to behave erratically or stop working.
If you delete a user account in Workgroup Manager by clicking the User button (not the All Records button) on the left, selecting the user account, and clicking Delete in the Workgroup Manager toolbar (or by choosing Server > Delete Selected User), Workgroup Manager removes the user account’s Password Server slot and Kerberos identity for you.
Importing Records of Any Type
Workgroup Manager can import all types of records into the LDAP directory of an Open Directory master. This includes users, groups, computer groups, computers, and all other standard Mac OS X record types.
Important: If you import user or group records from a file exported by Mac OS X Server v10.3 or earlier, each imported record is assigned a globally unique ID (GUID).
Setting a Binding Policy for an Open Directory Server
Using Server Admin, you can configure an Open Directory master to permit or require trusted binding between the LDAP directory and the computers that access it. Replicas of an Open Directory master inherit the master’s binding policy. Trusted LDAP binding is mutually authenticated. The computer proves its identity by using an LDAP directory administrator’s name and password to authenticate to the LDAP directory.
Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory. Use the Accounts preferences as described in “Removing a Directory Server Connection” on page 122 and “Adding an Open Directory Server Connection” on page 121.
To set the security policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
Limiting Search Results for LDAP Service
Using Server Admin, you can prevent one type of denial-of-service attack on Mac OS X Server by limiting the number of search results returned by the server’s shared LDAP directory domain. Limiting the number of search results prevents a malicious user from tying up the server by sending it multiple all-inclusive LDAP search requests.
To limit LDAP search results:
1 Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
Setting Up SSL for LDAP Service
Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory server’s LDAP directory domain and computers that access it. SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or a certificate obtained from a certificate authority.
To create an Open Directory service certificate:
1 Generate a private key for the server in the /usr/share/certs/ folder:
If the /usr/share/certs folder does not exist, create it.
$ sudo openssl genrsa -out ldapserver.key 2048
2 Generate a certificate signing request (CSR) for the certificate authority (CA) to sign:
$ sudo openssl req -new -key ldapserver.key -out ldapserver.
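As an added example that is not from the Apple guide, the following shell functions carry out the key and CSR steps non-interactively and verify the result before the CSR goes to the CA. The target directory is a parameter instead of the guide’s /usr/share/certs so the functions can run in a scratch location, and the ldapserver.csr file name is an assumption because the guide’s name is cut off.

```shell
#!/bin/sh
# Added example, not from the Apple guide: perform the key and CSR steps
# above non-interactively and check the result before sending the CSR to
# the CA.  The guide writes into /usr/share/certs; here the directory is a
# parameter.  The CSR file name ldapserver.csr is an assumption.

# make_ldap_csr DIR FQDN: create DIR/ldapserver.key (2048-bit RSA, mode 0600)
# and DIR/ldapserver.csr whose CN is FQDN, the name clients use to reach the
# LDAP server; a CN that differs from it makes clients reject the certificate.
make_ldap_csr() {
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so the private key is never group/world-readable
    ( umask 077 && openssl genrsa -out "$dir/ldapserver.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/ldapserver.key" -out "$dir/ldapserver.csr" \
        -subj "/CN=$fqdn" 2>/dev/null
}

# csr_matches_key DIR: succeed only when the public key inside the CSR is the
# one derived from ldapserver.key (catches a CSR built from a stale key).
csr_matches_key() {
    dir=$1
    [ -s "$dir/ldapserver.key" ] && [ -s "$dir/ldapserver.csr" ] || return 1
    k=$(openssl pkey -in "$dir/ldapserver.key" -pubout 2>/dev/null | openssl md5)
    c=$(openssl req -in "$dir/ldapserver.csr" -pubkey -noout 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_cn DIR: print the CN from the CSR subject; handles both the "/CN="
# and the "CN = " subject layouts printed by different OpenSSL versions.
csr_cn() {
    openssl req -in "$1/ldapserver.csr" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# key_is_private DIR: succeed when only the owner can read the private key.
key_is_private() {
    [ "$(ls -l "$1/ldapserver.key" | cut -c1-10)" = "-rw-------" ]
}

# Demo in a scratch directory (on the server, DIR would be /usr/share/certs).
demo_dir=$(mktemp -d) &&
    make_ldap_csr "$demo_dir" ldap.example.com &&
    csr_matches_key "$demo_dir" && key_is_private "$demo_dir" &&
    echo "CSR for $(csr_cn "$demo_dir") is ready to send to the CA"
[ -n "$demo_dir" ] && rm -rf "$demo_dir"
```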
Managing Open Directory Replication
You can schedule Open Directory replication or replicate on demand, promote a replica to a master, or take a replica out of service.
4 Click Settings, then click General.
5 Click Change. This opens the Open Directory Assistant.
6 Select Promote replication to an Open Directory Master, then click Continue.
7 Enter the following Master Domain Administrator information, then click Continue.
• Short Name, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server’s local directory domain.
This saves your setting and restarts the service.
19 Click Change. The Open Directory Assistant opens.
20 Choose Set up an Open Directory Replica, then click Continue.
21 Enter the following information:
• IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.
• Root password on Open Directory master: Enter the password of the Open Directory master system’s root user (user name system administrator).
Decommissioning an Open Directory Replica
You can take an Open Directory replica server out of service by making it a standalone server or by connecting it to another system for directory and authentication services.
To decommission an Open Directory replica:
1 Verify that the network connection is working between the Open Directory master and the replica you want to decommission. Port 389 or 636 must be open between master and replica while decommissioning the replica.
11 If you chose “Decommission replica and connect to another directory” from the Open Directory Assistant, click the Open Directory Utility button to configure access to one or more directory systems. For more information about configuring access to a directory service, see Chapter 8, “Advanced Directory Client Settings.”
Archiving an Open Directory Master
You can use Server Admin to archive a copy of an Open Directory master’s directory and authentication data.
Restoring an Open Directory Master
You can use Server Admin or the slapconfig command-line tool to restore an Open Directory master’s directory and authentication data from an archive. If you use Server Admin, you can restore to a server that is an Open Directory master.
6 Enter the password that was used to encrypt the archive when it was created, then click OK.
7 When the restore operation finishes, check the slapconfig log for information about conflicts or other events that occurred while restoring.
8 Convert existing Open Directory replica servers to Open Directory standalone servers and then make them replicas of the new master. For more information, see “Setting Up a Standalone Directory Service” on page 80 and “Setting Up an Open Directory Replica” on page 87.
Managing OpenLDAP
To provide directory services for mixed-platform environments, Open Directory uses OpenLDAP, the open source implementation of LDAP. A common language for directory access lets you consolidate information from different platforms and define a single name space for network resources.
These tools are included in the standard OpenLDAP distribution:
Tool                     Used to
/usr/bin/ldapadd         Add entries to the LDAP directory.
/usr/bin/ldapcompare     Compare a directory entry’s actual attributes with known attributes.
/usr/bin/ldapdelete      Delete entries from the LDAP directory.
/usr/bin/ldapmodify      Change an entry’s attributes.
/usr/bin/ldapmodrdn      Change an entry’s relative distinguished name (RDN).
/usr/bin/ldappasswd      Set the password for an LDAP user.
If this parameter doesn’t exist in the DSLDAPv3PlugInConfig.plist file, add it near <key>OpenClose Timeout in seconds</key>.
Searching the LDAP Server
The ldapsearch tool connects to an LDAP server, authenticates, finds entries, and returns attributes of the entries found.
To query the LDAP server for a user’s information:
• Enter the following command, replacing the example search base (cn=users, dc=example, dc=com) with an actual search base:
$ ldapsearch -H ldap://127.0.0.
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: tr17n01.aset.psu.edu
If the server is an OpenLDAP server, specify + for operational attributes or specify the attributes of interest:
$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base +
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.
Using LDIF Files
Lightweight Directory Interchange Format (LDIF) is a file format used to represent LDAP entries in text form. LDAP tools such as ldapadd, ldapmodify, and ldapsearch read and write LDIF files. Here is an example of an LDIF file containing three entries. Multiple entries in an LDIF file are separated by blank lines.
Maintaining Kerberos
A robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC) is built into Open Directory—providing strong authentication with support for secure single sign-on. That means users authenticate once, with a single user name and password pair, to access a broad range of Kerberized network services. The following tools are available for setting up your Kerberos and Apple single sign-on environment. For more information about a tool, see the related man page.
Managing Principals
Mac OS X Server uses MIT’s Kerberos administration architecture for principal management. The Kerberos kadmind administration daemon is responsible for making changes to the Kerberos database. Aside from Open Directory, kadmind is largely manipulated by kadmin and kadmin.local. Generally in Mac OS X, Apple applications are responsible for telling kadmin what to do, so manual modifications are rarely needed. The configuration files for kadmin and krb5kdc are in /var/db/krb5kdc/.
Using kadmin to Kerberize a Service
You can use kadmin to Kerberize additional services, depending on your specific configuration requirements. Although Mac OS X Server Kerberizes many services for you, you can use Kerberos command-line tools to Kerberize additional services with Open Directory Kerberos. A Kerberized service must know its principal name. The service type for most services is compiled into the binary.
Using Directory Service Tools
The following are miscellaneous directory service tools that you can use to configure directory services and to troubleshoot problems.
Operating on Directory Service Domains
Use dscl, a general-purpose tool, for operating on directory domains. You can create, read, and manage directory data. If invoked without commands, dscl runs in an interactive mode, reading commands from standard input.
Parameter            Description
diradmin_name        Name of the directory administrator
diradmin_password    Password of the directory administrator
Group Name           Real name to add or replace
comment              Comment to add or replace
1234                 Time-to-live, in seconds, to add or replace
some keyword         Keyword to add
groupname            Group name
For more information, see the dseditgroup man page.
Adding or Removing LDAP Server Configurations
Use dsconfigldap to add or remove LDAP server configurations in directory services.
10 Solving Open Directory Problems
Use this chapter to find solutions for common problems you might encounter while working with Open Directory. This section contains solutions to common Open Directory problems.
Solving Open Directory Master and Replica Problems
Use the following to help solve Open Directory master and replica problems.
If the Open Directory server’s host name still isn’t its fully qualified DNS name, restart the server.
3 Make sure the Open Directory master server’s Network preferences are configured to use the DNS server that resolves the server’s name. If the Open Directory master server provides its own DNS service, the server’s Network preferences must be configured to use itself as a DNS server.
4 After confirming the correct DNS configuration for the server, start Kerberos.
Solving Directory Connection Problems
Problems accessing directory services during startup can have several causes.
If a Delay Occurs During Startup
If Mac OS X or Mac OS X Server experience a startup delay while a message about LDAP or directory services appears above the progress bar, the computer could be trying to access an LDAP directory that is not available on your network.
If a User Can’t Authenticate for VPN Service
Users whose accounts are stored on a server with Mac OS X Server v10.2 can’t authenticate to VPN service provided by Mac OS X Server v10.3–10.6. VPN service requires the MS-CHAPv2 authentication method, which isn’t supported in Mac OS X Server v10.2. To enable affected users to log in, move their user accounts to a server with Mac OS X Server v10.3–10.6. Alternatively, upgrade the older server to Mac OS X Server v10.6 or later.
If You Can’t Log In as an Active Directory User
After configuring a connection to an Active Directory domain in the Service pane of Directory Utility (located in Accounts preferences) and adding it to a custom search policy in the Authentication pane, wait 10 or 15 seconds for the change to take effect. Attempts to log in immediately with an Active Directory account will be unsuccessful.
• For information that can help you solve problems, see the KDC log. Also see “Viewing Open Directory Status and Logs” on page 181.
• If Kerberos was not running when user records were created, imported, or updated from an earlier Mac OS X version, they might not be enabled for Kerberos authentication:
  • A record isn’t enabled for Kerberos if its authentication authority attribute lacks the ;Kerberosv5; value.
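An added check, not from the Apple guide, that applies the ;Kerberosv5; rule above to dscl output and lists the records whose authentication authority lacks the value. The record text, the 0xPLACEHOLDER slot ID, the EXAMPLE.COM realm and the “-” record-separator layout are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Apple guide: find user records that are not
# enabled for Kerberos by checking for the ;Kerberosv5; value in the
# AuthenticationAuthority attribute, as the troubleshooting note describes.
# Input is dscl text, e.g. "dscl /LDAPv3/127.0.0.1 -read /Users/NAME
# AuthenticationAuthority" for one record, or "-readall /Users
# AuthenticationAuthority RecordName" for many (records separated by a
# line containing only "-"; that layout is assumed here).  The records
# below are constructed; 0xPLACEHOLDER and EXAMPLE.COM stand in for a real
# Password Server slot ID and Kerberos realm.

# kerberos_enabled: exit 0 when the single record on stdin carries
# ;Kerberosv5;.  dscl prints values that contain spaces on indented lines
# after the attribute name, so continuation lines are joined first.
kerberos_enabled() {
    awk '
        /^AuthenticationAuthority:/ { inattr = 1; aa = $0; next }
        inattr && /^[ \t]/          { aa = aa " " $0; next }
        { inattr = 0 }
        END { if (index(aa, ";Kerberosv5;") > 0) exit 0; exit 1 }'
}

# audit_records: read many records on stdin and print the RecordName of
# each one whose authentication authority lacks ;Kerberosv5;.
audit_records() {
    awk '
        function flush() {
            if (name != "" && index(aa, ";Kerberosv5;") == 0) print name
            name = ""; aa = ""; inattr = 0
        }
        /^-$/                       { flush(); next }
        /^RecordName:/              { name = $2; inattr = 0; next }
        /^AuthenticationAuthority:/ { inattr = 1; aa = $0; next }
        inattr && /^[ \t]/          { aa = aa " " $0; next }
        { inattr = 0 }
        END { flush() }'
}

# Constructed sample: alice is Kerberos-enabled (multi-line value layout),
# bob has only a Password Server authority, carol has a local shadow hash.
SAMPLE_RECORDS='AuthenticationAuthority:
 ;ApplePasswordServer;0xPLACEHOLDER,1024 35 1234 root@ldap.example.com:10.0.0.5
 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;
RecordName: alice
-
AuthenticationAuthority: ;ApplePasswordServer;0xPLACEHOLDER
RecordName: bob
-
AuthenticationAuthority: ;ShadowHash;
RecordName: carol'

echo "records not enabled for Kerberos:"
printf '%s\n' "$SAMPLE_RECORDS" | audit_records
```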
If Users Can’t Change Their Passwords
Users whose accounts reside in an LDAP directory not hosted by Mac OS X Server and who have a password type of crypt password cannot change their passwords after logging in from a client computer with Mac OS X v10.3. These users can change their passwords if you use Workgroup Manager’s Advanced pane to change their accounts’ User Password Type setting to Open Directory. When you make this change, you must also enter a new password.
If You Must Reset an Administrator Password
Using the Mac OS X Server installation disc, you can change the password of a user account that has administrator privileges, including the system administrator (root or superuser) account.
Important: Because a user with the installation disc can gain unrestricted access to your server, restrict physical access to the server hardware.
To reset an administrator password:
1 Start up from Mac OS X Server Install Disc 1.
A Open Directory Service Settings
To change settings for the Open Directory service, use the following parameters with the serveradmin tool. Be sure to add dirserv: to the beginning of any parameter you use.
OpenLDAP Standard Distribution Tools
Two types of tools come with OpenLDAP:
• Tools that operate directly on the LDAP databases—These tools begin with slap.
• Tools that go through the LDAP protocol—These tools begin with ldap.
You must run the slap tools on the computer hosting the LDAP database. When using the slap tools, shut down the LDAP service. If you don’t, your database can get out of sync. These tools are included in the standard OpenLDAP distribution.
B Use this appendix to learn Open Directory extensions to LDAP schema, mappings of Open Directory attributes to LDAP and Active Directory attributes, and the standard attributes in types of records. Knowing the Open Directory LDAP schema and the record types and attributes in Mac OS X directory domains can help you map to other directory domains and import or export user and group accounts.
• “Mappings for Computers” on page 260
• “Mappings for ComputerLists” on page 262
• “Mappings for Config” on page 263
• “Mappings for People” on page 265
• “Mappings for PresetComputerLists” on page 266
• “Mappings for PresetGroups” on page 267
• “Mappings for PresetUsers” on page 268
• “Mappings for Printers” on page 270
• “Mappings for AutoServerSetup” on page 272
• “Mappings for Locations” on page 272
• “Standard Open Directory Record Types and Attributes” on page 273
• “Standard Attributes i
Note: Apple might extend the Open Directory LDAP schema in the future; for example, to support new versions of Mac OS X and Mac OS X Server. The latest schema is available in text files on a computer with Mac OS X Server installed. The schema files are in the /etc/openldap/schema/ directory. The apple.schema file contains the latest schema extensions for Open Directory LDAP directories.
apple-user-printattribute $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-picture $ apple-user-authenticationhint $ apple-user-homesoftquota $ apple-user-passwordpolicy $ apple-keyword $ apple-generateduid $ apple-imhandle $ apple-webloguri $ authAuthority $ acctFlags $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ homeDrive $ scriptPath $ profilePath $ userWorkstations $ smbHome $ rid $ primaryGroupID $ sambaSID $ sambaPrimaryGroupSID $ userCertificate $ jpegPhoto $ apple-n
apple-group-services $ apple-contactguid $ apple-ownerguid $ labeledURI $ apple-serviceslocator) )
Machine Auxiliary Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.3 NAME 'apple-machine' SUP top AUXILIARY MAY ( apple-machine-software $ apple-machine-hardware $ apple-machine-serves $ apple-machine-suffix $ apple-machine-contactperson ) )
Mount Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
Computer Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
Configuration Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration' DESC 'configuration' SUP top STRUCTURAL MAY ( cn $ apple-config-realname $ apple-data-stamp $ apple-password-server-location $ apple-password-server-list $ apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $ apple-kdc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl ) ) Preset Computer List Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
Preset Computer Group Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.26 NAME 'apple-preset-computer-group' DESC 'preset computer group' SUP top STRUCTURAL MUST ( cn ) MAY ( gidNumber $ memberUID $ apple-mcxflags $ apple-mcxsettings $ apple-group-nestedgroup $ description $ jpegPhoto $ apple-keyword ) ) Preset Group Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.3.
Preset User Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
Server Assistant Configuration Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.17 NAME 'apple-serverassistant-config' SUP top STRUCTURAL MUST ( cn ) MAY ( apple-xmlplist ) ) Location Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.18 NAME 'apple-location' SUP top AUXILIARY MUST ( cn ) MAY ( apple-dns-domain $ apple-dns-nameserver ) ) Service Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
apple-computeralias $ apple-keyword $ apple-realname $ apple-xmlplist $ ttl ) ) ACL Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.21 NAME 'apple-acl' SUP top STRUCTURAL MUST ( cn $ apple-acl-entry ) ) Resource Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.
Automount Object Class objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL DESC 'Automount' MUST ( automountKey $ automountInformation ) MAY description ) Attributes in Open Directory LDAP Schema This section defines the Open Directory LDAP attributes that extend the standard LDAP schema. Time-to-Live Attribute attributetype ( 1.3.6.1.4.1.250.1.60 NAME 'ttl' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.
apple-user-homequota
Used to specify the home folder quota in kilobytes.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 'apple-user-homequota' DESC 'home directory quota'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

apple-user-mailattribute
Stores mail-related settings as XML.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.

    1.3.6.1.4.1.63.1000.1.1.1.1.16 NAME ( 'apple-mcxsettings' 'apple-mcxsettings2' ) DESC 'mcx settings'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-user-picture
Stores a file system path to the picture to use for this user record when it is displayed in the login window. This is used when the network user is listed in the login window scrolling list (in managed networks). By default, users can change their pictures.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.

apple-user-authenticationhint
Used by the login window to provide a hint if the user logs in incorrectly three times. By default, each user can update their own authentication hint.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authenticationhint' DESC 'password hint'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

apple-user-homesoftquota
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.

    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

apple-imhandle
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.21 NAME ( 'apple-imhandle' ) DESC 'IM handle (service:account name)'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-webloguri
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.22 NAME ( 'apple-webloguri' ) DESC 'Weblog URI'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.

    DESC 'Phone Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-emailcontacts
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.26 NAME ( 'apple-emailcontacts' ) DESC 'EMail Contacts'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-birthday
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.

    NAME ( 'apple-nickname' ) DESC 'nickname'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-mapuri
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.31 NAME ( 'apple-mapuri' ) DESC 'Map URI'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-mapguid
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.32 NAME ( 'apple-mapguid' ) DESC 'map GUID'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.

apple-namesuffix
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.35 NAME ( 'apple-namesuffix' ) DESC 'namesuffix'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-primarycomputerlist
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.36 NAME ( 'apple-primarycomputerlist' ) DESC 'primary computer list'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-primarycomputerguid
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.11 NAME ( 'apple-primarycomputerguid' ) DESC 'primary computer GUID'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

apple-group-expandednestedgroup
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.12 NAME 'apple-group-expandednestedgroup' DESC 'expanded nested group list'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-group-realname
Used to associate a longer, more user-friendly name with groups. This name appears in Workgroup Manager and can contain non-ASCII characters.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.5 NAME 'apple-group-realname' DESC 'group real name'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

apple-group-nestedgroup
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.

#   1.3.6.1.4.1.63.1000.1.1.1.14.1000
#   NAME 'apple-group-memberUid'
#   DESC 'group member list'
#   EQUALITY caseExactIA5Match
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# can also use OID 1.3.6.1.4.1.63.1000.1.1.2.1000

apple-contactguid
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.9 NAME ( 'apple-contactguid' ) DESC 'contact GUID'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

Machine Attributes
apple-machine-software
attributetype ( 1.3.6.1.4.1.63.
apple-machine-suffix
attributeType ( 1.3.6.1.4.1.63.1000.1.1.1.3.11 NAME 'apple-machine-suffix' DESC 'DIT suffix'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-machine-contactperson
attributeType ( 1.3.6.1.4.1.63.1000.1.1.1.3.12 NAME 'apple-machine-contactperson' DESC 'Name of contact person/owner of this machine'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeTypesConfig
attributeType ( 1.

    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

mountType
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.2 NAME 'mountType' DESC 'mount VFS type'
    EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

mountOption
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.3 NAME 'mountOption' DESC 'mount options'
    EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.

#   NAME ( 'apple-mount-name' )
#   DESC 'mount name'
#   SUP name )

Printer Attributes
apple-printer-attributes
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.9.1 NAME 'apple-printer-attributes' DESC 'printer attributes in /etc/printcap format'
    EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-printer-lprhost
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.9.

    NAME 'apple-printer-note' DESC 'printer note'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Computer Attributes
apple-realname
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.10.2 NAME 'apple-realname' DESC 'real name'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-networkview
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.10.

apple-computer-list-groups
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer-list-groups' DESC 'groups'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

XML Plist Attribute
apple-xmlplist
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist' DESC 'XML plist data'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

Service URL Attribute
apple-service-url
attributetype ( 1.

    NAME 'apple-password-server-location' DESC 'password server location'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

apple-data-stamp
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.2 NAME 'apple-data-stamp' DESC 'data stamp'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

apple-config-realname
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.

apple-ldap-writable-replica
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-writable-replica' DESC 'LDAP writable replication list'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-kdc-authkey
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authkey' DESC 'KDC master key RSA encrypted with realm public key'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.

#   EQUALITY caseExactIA5Match
#   SUBSTR caseExactIA5SubstringsMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

authAuthority2
#attributetype (
#   1.3.6.1.4.1.63.1000.1.1.2.16.2
#   NAME ( 'authAuthority' 'authAuthority2' )
#   DESC 'password server authentication authority'
#   EQUALITY caseExactMatch
#   SUBSTR caseExactSubstringsMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Location Attributes
apple-dns-domain
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.18.

apple-service-url
#attributetype (
#   1.3.6.1.4.1.63.1000.1.1.1.19.2
#   NAME 'apple-service-url'
#   DESC 'URL of service'
#   EQUALITY caseExactIA5Match
#   SUBSTR caseExactIA5SubstringsMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-service-port
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.19.3 NAME 'apple-service-port' DESC 'Service port number'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

apple-dnsname
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.19.

    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-neighborhoodalias
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.20.2 NAME 'apple-neighborhoodalias' DESC 'XML plist referring to another neighborhood record'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

apple-computeralias
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.20.

#   NAME 'objectClassesConfig'
#   DESC 'object class configuration'
#   EQUALITY objectIdentifierFirstComponentMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.37 )

Resource Attribute
apple-resource-type
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.23.1 NAME 'apple-resource-type' DESC 'resource type'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

apple-resource-info
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.23.

automountKey
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

automountInformation
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.
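The object class and attribute definitions in this appendix use the LDAP schema description syntax (objectclass or attributetype, followed by an OID and NAME, DESC, SUP, MUST, MAY, EQUALITY, SUBSTR, SYNTAX and flags such as SINGLE-VALUE), and apple.schema comments definitions out with a leading "#". The parser below is an added example, not code from this guide or from Apple. It reads that syntax from text such as /etc/openldap/schema/apple.schema, indexes definitions by every NAME so that aliases like apple-mcxsettings2 resolve, collects MUST/MAY attributes through the SUP chain for a class, and lists attribute types whose description mentions a keyword, which is a quick way to enumerate attributes such as apple-kdc-authkey when reviewing LDAP access controls. The SAMPLE_SCHEMA text is constructed from definitions quoted in this appendix; the function names are this example's own.

```python
"""Parse LDAP schema descriptions (objectclass / attributetype) from text.

Added example, not part of Apple's documentation. SAMPLE_SCHEMA is constructed
from definitions quoted in this appendix; read_schema() parses a real file.
"""
import re

# Tokens: quoted strings, parentheses, the '$' list separator, bare words.
_TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")
# Keywords that take no value.
_FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "SINGLE-VALUE",
          "OBSOLETE", "COLLECTIVE", "NO-USER-MODIFICATION"}
# Keywords whose value is normalised to a list even when written bare.
_LIST_KEYS = ("NAME", "SUP", "MUST", "MAY")

SAMPLE_SCHEMA = """\
# constructed sample: definitions copied from the appendix text
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration'
    DESC 'configuration' SUP top STRUCTURAL
    MAY ( cn $ apple-config-realname $ apple-data-stamp $
          apple-password-server-location $ apple-password-server-list $
          apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $
          apple-kdc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl ) )
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authkey'
    DESC 'KDC master key RSA encrypted with realm public key'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.15
    NAME 'apple-user-authenticationhint' DESC 'password hint'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.16
    NAME ( 'apple-mcxsettings' 'apple-mcxsettings2' ) DESC 'mcx settings'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL DESC 'Automount'
    MUST ( automountKey $ automountInformation ) MAY description )
"""


def parse_schema(text):
    """Return a list of dicts, one per objectclass/attributetype definition."""
    live = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    tokens = _TOKEN_RE.findall(live)
    defs, i = [], 0
    while i < len(tokens):
        kind = tokens[i].lower()
        if kind not in ("objectclass", "attributetype") or i + 2 >= len(tokens) or tokens[i + 1] != "(":
            i += 1
            continue
        entry = {"kind": kind, "oid": tokens[i + 2]}
        i += 3
        while tokens[i] != ")":
            key = tokens[i]
            if key in _FLAGS:
                entry[key] = True
                i += 1
            elif tokens[i + 1] == "(":      # NAME ( 'a' 'b' ) or MAY ( x $ y )
                j, items = i + 2, []
                while tokens[j] != ")":
                    if tokens[j] != "$":
                        items.append(tokens[j].strip("'"))
                    j += 1
                entry[key] = items
                i = j + 1
            else:                           # single value, possibly quoted
                entry[key] = tokens[i + 1].strip("'")
                i += 2
        i += 1                              # closing ')' of the definition
        for key in _LIST_KEYS:
            if isinstance(entry.get(key), str):
                entry[key] = [entry[key]]
        defs.append(entry)
    return defs


def index_by_name(defs):
    """Map every NAME (aliases included) to its definition."""
    return {name: d for d in defs for name in d.get("NAME", [])}


def attributes_for_class(defs, class_name):
    """(MUST, MAY) attribute lists for an object class, following SUP."""
    idx = index_by_name(defs)
    must, may, todo, seen = [], [], [class_name], set()
    while todo:
        name = todo.pop()
        d = idx.get(name)
        if d is None or d["kind"] != "objectclass" or name in seen:
            continue                        # 'top' etc. are not in the sample text
        seen.add(name)
        must += d.get("MUST", [])
        may += d.get("MAY", [])
        todo += d.get("SUP", [])
    return must, may


def attributes_matching_desc(defs, keywords):
    """Attribute names whose DESC mentions any keyword (case-insensitive)."""
    hits = []
    for d in defs:
        desc = d.get("DESC", "").lower()
        if d["kind"] == "attributetype" and any(k.lower() in desc for k in keywords):
            hits.extend(d["NAME"])
    return hits


def read_schema(path):
    """Parse a schema file, e.g. /etc/openldap/schema/apple.schema."""
    with open(path, encoding="utf-8") as fh:
        return parse_schema(fh.read())


if __name__ == "__main__":
    parsed = parse_schema(SAMPLE_SCHEMA)
    for d in parsed:
        print(d["kind"], d["oid"], d["NAME"])
    print(attributes_for_class(parsed, "apple-configuration"))
    print(attributes_matching_desc(parsed, ("key", "password")))
```

The keyword search is deliberately a substring match over DESC only: it is a starting point for deciding which attributes need restrictive directory access controls, not a complete inventory, so check MUST/MAY lists and the standard schema files as well.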
Record Type Mappings for Users
Open Directory name | LDAP object class name | RFC/class | OID | Active Directory connector
Users | inetOrgPerson | RFC 2798 | 2.16.840.1.113730.3.2.2 | ObjectCategory = Person
Users | posixAccount | RFC 2307 | 1.3.6.1.1.1.2.0 |
Users | shadowAccount | RFC 2307 | 1.3.6.1.1.1.2.1 |
Users | apple-user | Apple registered | 1.3.6.1.4.1.63.1000.1.1.2.
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
Apple extended schema:
AuthenticationHint | apple-user-authenticationhint | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.15 |
PasswordPolicyOptions | apple-user-passwordpolicy | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.18 |
Keywords | apple-keyword | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.19 |
Picture | apple-user-picture | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
RFC standard:
PostalCode | postalCode | RFC 2256 | 2.5.4.17 |
OrganizationName | o | RFC 2256 | 2.5.4.10 |
UserShell | loginShell | RFC 2307 | 1.3.6.1.1.1.1.4 |
Change | shadowLastChange | RFC 2307 | 1.3.6.1.1.1.1.5 |
Expire | shadowExpire | RFC 2307 | 1.3.6.1.1.1.1.10 |
UniqueID | uidNumber | RFC 2307 | 1.3.6.1.1.1.1.0 |
NFSHomeDirectory | homeDirectory | RFC 2307 | 1.3.6.1.1.1.1.3 |
PrimaryGroupID | gidNumber | RFC 2307 | 1.3.
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
SMBKickoffTime | kickoffTime | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.7 | No mapping
SMBHomeDrive | homeDrive | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.10 | 1.2.840.113556.1.4.45 (Microsoft)
SMBScriptPath | scriptPath | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.11 | 1.2.840.113556.1.4.62 (Microsoft)
SMBProfilePath | profilePath | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.12 | 1.2.840.
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
RFC standard:
PagerNumber | pager | RFC 1274 | 0.9.2342.19200300.100.1.42 |
Department | departmentNumber | RFC 2798 | 2.16.840.1.113730.3.1.2 | 1.2.840.113556.1.2.141 (Microsoft)
NickName | | Microsoft attribute | | 1.2.840.113556.1.2.447 (Microsoft)
JobTitle | title | RFC 2256 | 2.5.4.12 |
Building | buildingName | RFC 2256 | 2.5.4.19 |
Country | c | RFC 2256 | 2.5.4.6 |
Street | street | RFC 2256 | 2.5.4.
Attribute Mappings for Groups
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
HomeDirectory | apple-group-homeurl | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.14.1 |
HomeLocOwner | apple-group-homeowner | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.14.2 |
MCXFlags | apple-mcxflags | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.10 |
MCXSettings | apple-mcxsettings | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.
Record Type Mappings for Mounts
Open Directory name | LDAP object class name | RFC/class | OID | Active Directory connector
Mounts | mount | Apple extended schema, Apple registered | 1.3.6.1.4.1.63.1000.1.1.2.8 |

Attribute Mappings for Mounts
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
VFSLinkDir | mountDirectory | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.8.1 |
VFSOpts | mountOption | Apple registered | 1.3.6.1.4.1.63.1000.1.1.
Attribute Mappings for Computers
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
RealName | apple-realname | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.10.2 |
MCXFlags | apple-mcxflags | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.10 |
MCXSettings | apple-mcxsettings | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.16 |
Group | apple-computer-list-groups | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.11.
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
SMBLogoffTime | logoffTime | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.6 | 1.2.840.113556.1.4.51 (Microsoft)
SMBKickoffTime | kickoffTime | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.7 | No mapping
SMBRID | rid | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.14 | 1.2.840.113556.1.4.153 (Microsoft)
SMBGroupID | primaryGroupID | Samba registered, Apple PDC | 1.3.6.1.4.1.7165.2.1.15 | 1.2.840.113556.1.4.
Attribute Mappings for ComputerLists
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
MCXFlags | apple-mcxflags | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.10 |
MCXSettings | apple-mcxsettings | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.16 |
Computers | apple-computers | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.11.3 |
Group | apple-computer-list-groups | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.11.
Attribute Mappings for Config
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
RealName | apple-config-realname | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.12.3 |
DataStamp | apple-data-stamp | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.12.2 |
KDCAuthKey | apple-kdc-authkey | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.12.7 | 1.2.840.113556.1.2.
Mappings for People
The following tables specify how the LDAPv3 plug-in in Directory Utility (located in Accounts preferences) maps the Open Directory People record type and attributes to LDAP object classes. The tables also specify how the Active Directory connector in Directory Utility maps and generates Active Directory object categories and attributes from Open Directory record types and attributes.
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RFC standard:
JobTitle | title | RFC 2256 | 2.5.4.12 |
PhoneNumber | telephoneNumber | RFC 2256 | 2.5.4.20 |
AddressLine1 | street | RFC 2256 | 2.5.4.9 |
Street | street | RFC 2256 | 2.5.4.9 |
PostalAddress | postalAddress | RFC 2256 | 2.5.4.16 |
City | locality | RFC 2256 | 2.5.4.7 |
State | st | RFC 2256 | 2.5.4.8 |
Country | c | RFC 2256 | 2.5.4.6 |
PostalCode | postalCode | RFC 2256 | 2.5.4.17 |
OrganizationName | o | RFC 2256 | 2.5.4.
Record Type Mappings for PresetComputerLists
Open Directory name | LDAP object class name | RFC/class | OID | Active Directory connector
PresetComputerLists | apple-preset-computer-list | Apple extended schema, Apple registered | 1.3.6.1.4.1.63.1000.1.1.2.13 |

Attribute Mappings for PresetComputerLists
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
MCXFlags | apple-mcxflags | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.
Attribute Mappings for PresetGroups
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
Apple extended schema:
HomeDirectory | apple-group-homeurl | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.6 |
HomeLocOwner | apple-group-homeowner | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.14.2 |
MCXFlags | apple-mcxflags | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.10 |
MCXSettings | apple-mcxsettings | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.
Attribute Mappings for PresetUsers
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
HomeDirectory | apple-user-homeurl | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.6 | N/A
HomeDirectoryQuota | apple-user-homequota | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.8 |
HomeDirectorySoftQuota | apple-user-homesoftquota | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.17 |
MailAttribute | apple-user-mailattribute | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.1.
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
Password | userPassword | RFC 2256 | 2.5.4.35 | N/A
GroupMembership | memberUid | RFC 2307 | 1.3.6.1.1.1.1.12 |
PrimaryGroupID | gidNumber | RFC 2307 | 1.3.6.1.1.1.1.1 |
NFSHomeDirectory | homeDirectory | RFC 2307 | 1.3.6.1.1.1.1.3 |
UserShell | loginShell | RFC 2307 | 1.3.6.1.1.1.1.4 |
Change | shadowLastChange | RFC 2307 | 1.3.6.1.1.1.1.5 |
Expire | shadowExpire | RFC 2307 | 1.3.6.1.1.1.1.
Attribute Mappings for Printers
Open Directory name | LDAP attribute name | RFC/class, special purpose | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
RealName | Not premapped | | | 1.2.840.113556.1.4.300 (Microsoft)
PrinterLPRHost | apple-printer-lprhost | Apple registered, RFC 2256 legacy support | 1.3.6.1.4.1.63.1000.1.1.1.9.2 | N/A
PrinterLPRQueue | apple-printer-lprqueue | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.9.
Mappings for AutoServerSetup
The following tables specify how the LDAPv3 plug-in in Directory Utility (located in Accounts preferences) maps the Open Directory AutoServerSetup record type and attributes to LDAP object classes. The tables also specify how the Active Directory connector in Directory Utility maps and generates Active Directory object categories and attributes from Open Directory record types and attributes.
Attribute Mappings for Locations
Open Directory name | LDAP attribute name | RFC/class | OID | Active Directory connector
RecordName | cn | RFC standard, RFC 2256 | 2.5.4.3 |
DNSDomain | apple-dns-domain | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.18.1 |
DNSNameServer | apple-dns-nameserver | Apple registered | 1.3.6.1.4.1.63.1000.1.1.1.18.
Mac OS X user attribute | Format | Example values
RecordName: A list of names associated with a user. The first is the user’s short name, which is also the name of the user’s home folder. | First value: ASCII characters A–Z, a–z, 0–9, _; second value: UTF-8 text. Nonzero length, 1 to 16 values. Maximum 255 bytes (85 triple-byte to 255 single-byte characters) per instance. | Dave; David Mac; DMacSmith
Important: All attributes used for authentication must map to RecordName.
RealName:
Mac OS X user attribute | Format | Example values
HomeDirectory: The location of an AFP-based home folder. In the following example, Tom King’s home folder is K-M/Tom King, which resides beneath the Users share point directory. | UTF-8 XML text | afp://server/sharept usershomedir; afp://example.com/Users K-M/Tom King
HomeDirectoryQuota: The disk quota for the user’s home folder. | |
Mac OS X user attribute | Format | Example values
UserShell: The location of the default shell for command-line interactions with the server. The value None prevents users with accounts in the directory domain from accessing the server remotely through a command line. | Path name; nonzero length | /bin/tcsh; /bin/sh; None
Change: Not used by Mac OS X, but corresponds to part of the standard LDAP schema. | Number |
Expire: Not used by Mac OS X, but corresponds to part of the standard LDAP schema. | Number |
Mac OS X user attribute | Format | Example values
FirstName: Used by Address Book and other applications that use the Contacts search policy. | |
LastName: Used by Address Book and other applications that use the Contacts search policy. | |
EMailAddress: A mail address that mail should be forwarded to when a user has no MailAttribute defined. Used by Address Book, Mail, and other applications that use the Contacts search policy. | Any legal RFC 822 email address | user@example.com
Format of MailAttribute in User Records
User record MailAttribute field | Format | Sample values
AttributeVersion | A required case-insensitive value. It must be set to “AppleMail 1.0.” | kAttributeVersion AppleMail 1.0
MailAccountState | A required case-insensitive keyword describing the state of the user’s mail. It must be set to one of these values: “Off,” “Enabled,” or “Forward.” |
User record MailAttribute field | Format | Sample values
NotificationState | An optional keyword describing whether to notify the user whenever new mail arrives. If provided, it must be set to “NotificationOff,” “NotificationLastIP,” or “NotificationStaticIP.” If this field is missing, “NotificationOff” is assumed. | kNotificationState NotificationOff
NotificationStaticIPValue | An optional IP address, in bracketed, dotted decimal format ([xxx.xxx.xxx.xxx]). |
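The user-attribute rules above (RecordName charset, value count and size limits, the UserShell value None, the RFC 822 mail address) and the MailAttribute field rules (required AttributeVersion and MailAccountState, optional NotificationState with its default, bracketed NotificationStaticIPValue) are checks an administrator wants to run before importing accounts, and the mapping tables earlier in this appendix say which LDAP attribute each Open Directory attribute lands in. The script below is an added example, not code from this guide or from Apple: it validates a constructed user record against those rules and renders it as LDIF with the RFC 2307 and Apple mappings shown above. The RecordName → uid, RealName → cn and EMailAddress → mail mappings, the cn=users container, the base DN, and the k-prefixed plist keys kMailAccountState and kNotificationStaticIPValue (by analogy with kAttributeVersion and kNotificationState in the sample values) are assumptions, as are all sample values.

```python
"""Validate a Mac OS X user record against the standard-attribute rules in this
appendix and emit it as LDIF using the attribute mappings listed above.

Added example, not code from this guide or from Apple. Entries marked
'assumption' are not shown in the tables above and are guesses for illustration.
"""
import base64
import plistlib
import re

# Open Directory attribute -> LDAP attribute (from the Users/PresetUsers tables).
USER_ATTRIBUTE_MAP = {
    "RecordName": "uid",                   # assumption: Users row not shown above
    "RealName": "cn",                      # assumption: Users row not shown above
    "UniqueID": "uidNumber",               # RFC 2307
    "PrimaryGroupID": "gidNumber",         # RFC 2307
    "NFSHomeDirectory": "homeDirectory",   # RFC 2307
    "UserShell": "loginShell",             # RFC 2307
    "Change": "shadowLastChange",          # RFC 2307
    "Expire": "shadowExpire",              # RFC 2307
    "HomeDirectoryQuota": "apple-user-homequota",
    "AuthenticationHint": "apple-user-authenticationhint",
    "EMailAddress": "mail",                # assumption: Users row not shown above
}
# Object classes from "Record Type Mappings for Users".
USER_OBJECT_CLASSES = ("inetOrgPerson", "posixAccount", "shadowAccount", "apple-user")

_SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")   # charset listed for the first RecordName value
_MAIL_STATES = {"off", "enabled", "forward"}
_NOTIFY_STATES = {"notificationoff", "notificationlastip", "notificationstaticip"}
_BRACKETED_IP_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def validate_mail_attribute(mail):
    """Check a MailAttribute plist dict. Keys kMailAccountState and
    kNotificationStaticIPValue are assumed by analogy with the sample values."""
    problems = []
    if str(mail.get("kAttributeVersion", "")).lower() != "applemail 1.0":
        problems.append("kAttributeVersion must be AppleMail 1.0")
    if str(mail.get("kMailAccountState", "")).lower() not in _MAIL_STATES:
        problems.append("kMailAccountState must be Off, Enabled or Forward")
    state = str(mail.get("kNotificationState", "NotificationOff")).lower()  # default per table
    if state not in _NOTIFY_STATES:
        problems.append("kNotificationState must be NotificationOff, NotificationLastIP or NotificationStaticIP")
    elif state == "notificationstaticip":
        m = _BRACKETED_IP_RE.match(str(mail.get("kNotificationStaticIPValue", "")))
        if not m or any(int(octet) > 255 for octet in m.groups()):
            problems.append("kNotificationStaticIPValue must be [xxx.xxx.xxx.xxx]")
    return problems


def validate_user(rec):
    """Return a list of rule violations; an empty list means the record passes."""
    problems = []
    names = rec.get("RecordName", [])
    if not 1 <= len(names) <= 16:
        problems.append("RecordName needs 1 to 16 values")
    for n in names:
        if not n or len(n.encode("utf-8")) > 255:
            problems.append(f"RecordName value {n!r} is empty or over 255 bytes")
    if names and not _SHORT_NAME_RE.match(names[0]):
        problems.append(f"first RecordName {names[0]!r} must use only A-Z, a-z, 0-9, _")
    shell = rec.get("UserShell")
    if shell is not None and shell != "None" and not shell.startswith("/"):
        problems.append(f"UserShell {shell!r} must be a path or the literal None")
    email = rec.get("EMailAddress")
    if email is not None and email.count("@") != 1:
        problems.append(f"EMailAddress {email!r} is not a valid address")
    if "MailAttribute" in rec:
        problems += validate_mail_attribute(rec["MailAttribute"])
    return problems


def to_ldif(rec, base_dn="dc=example,dc=com"):
    """Render a validated record as LDIF. cn=users and base_dn are placeholders;
    sn (required by inetOrgPerson) is not among the mappings above, add it yourself."""
    problems = validate_user(rec)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"dn: uid={rec['RecordName'][0]},cn=users,{base_dn}"]
    lines += [f"objectClass: {oc}" for oc in USER_OBJECT_CLASSES]
    for od_name, ldap_name in USER_ATTRIBUTE_MAP.items():
        values = rec.get(od_name)
        if values is None:
            continue
        for v in (values if isinstance(values, list) else [values]):
            lines.append(f"{ldap_name}: {v}")
    if "MailAttribute" in rec:
        # The XML plist spans several lines, so LDIF needs the base64 ('::') form.
        plist = plistlib.dumps(rec["MailAttribute"])
        lines.append("apple-user-mailattribute:: " + base64.b64encode(plist).decode("ascii"))
    return "\n".join(lines) + "\n"


# Constructed sample record (all values invented for illustration).
SAMPLE_USER = {
    "RecordName": ["tking", "Tom King"],
    "RealName": "Tom King",
    "UniqueID": 1025,
    "PrimaryGroupID": 20,
    "NFSHomeDirectory": "/Network/Servers/example.com/Users/K-M/Tom King",
    "UserShell": "/bin/sh",
    "EMailAddress": "tking@example.com",
    "MailAttribute": {
        "kAttributeVersion": "AppleMail 1.0",
        "kMailAccountState": "Enabled",
        "kNotificationState": "NotificationStaticIP",
        "kNotificationStaticIPValue": "[192.0.2.10]",
    },
}

if __name__ == "__main__":
    print(to_ldif(SAMPLE_USER))
```

Running the script prints the LDIF for SAMPLE_USER; feeding a record whose first RecordName contains a space, or a MailAttribute with an unknown kMailAccountState, makes validate_user return the violation text instead, and to_ldif refuses to emit the entry.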
User Data That Mac OS X Server Uses
The following table describes how your Mac OS X Server uses data from user records in directory domains. Consult this table to determine the attributes or data types that your server’s services expect to find in user records of directory domains. In the far-left column, “All services” includes AFP, SMB, FTP, HTTP, NFS, WebDAV, POP, IMAP, Workgroup Manager, Server Admin, and the Mac OS X login window.
Standard Attributes in Group Records
The following table describes the standard attributes found in Open Directory group records. Use this information when working in Workgroup Manager’s Inspector pane or when mapping group attributes with Directory Utility (located in Accounts preferences).
Mac OS X group attribute | Format | Example values
RecordName: Name associated with a group | ASCII characters A–Z, a–z, 0–9, _ | Science; Science_Dept; Science.
Mac OS X group attribute | Format | Example values
HomeLocOwner: The short name of the user that owns the group’s home folder | ASCII characters A–Z, a–z, 0–9, _,- |
MCXFlags: If present, MCXSettings is loaded; if absent, MCXSettings isn’t loaded; required for a managed user | UTF-8 XML plist, single value |
MCXSettings: The preferences for a workgroup (a managed group) | UTF-8 XML plist, multivalued |

Standard Attributes in Computer Records
The following table describes the standard attributes found in Open Dire
Mac OS X computer attribute | Format | Example values
MCXFlags: Used only in the “guest” computer record; if present, MCXSettings is loaded; if absent, MCXSettings isn’t loaded; required for a managed computer. | UTF-8 XML plist, single value |
MCXSettings: Used only in the “guest” computer record; a managed computer’s preferences. | UTF-8 XML plist, multivalued |

Standard Attributes in Computer Group Records
The following table describes the standard attributes found in Open Directory computer group records.
Standard Attributes in Mount Records
The following table describes the standard attributes found in Open Directory mount records. Use this information when working in Workgroup Manager’s Inspector pane or when mapping mount record attributes with Directory Utility (located in Accounts preferences).
Standard Attributes in Config Records
The following table describes the standard attributes found in the following Open Directory config records:
• The mcx_cache record always has the RecordName of mcx_cache. It also uses RealName and DataStamp to determine whether the cache should be updated or whether the server settings should be ignored. If you want managed clients, you must have an mcx_cache config record.
• The passwordserver record has the PasswordServerLocation attribute.