
Keeping the Primary Administrator's Passwords in Sync
Having different passwords for the primary local administrator account and the LDAP
administrator account (user ID 501) can be confusing. Therefore, keep the passwords
the same.
On an Open Directory server upgraded from Mac OS X Server v10.3, the primary
administrator account normally exists in the server’s local directory domain and in its
LDAP directory. This account was copied from the local directory domain to the LDAP
directory when the Open Directory master was created with Mac OS X Server v10.3.
Initially, both copies of this account have user ID 501, the same name, and the same
password. Each account is an administrator of its directory domain, and both are server
administrators.
When you connect to the server in Workgroup Manager using the account’s common
name and password, you are authenticated to the local directory domain and the
LDAP directory domain.
If you change either password, a single password no longer authenticates you to both
directory domains. For example, if you use the local administrator's password when you
connect to the server in Workgroup Manager, you can make changes only in the local
directory domain. To make changes in the LDAP directory, you must click the lock and
authenticate using the LDAP administrator's password.
Note: An Open Directory server created with Mac OS X Server v10.5 or later has
different administrator accounts for its local and LDAP directories. They have different
names and user IDs, so their passwords can be different without causing confusion.
Enabling LDAP Bind Authentication for a User
You can enable the use of LDAP bind authentication for a user account stored in an
LDAP directory domain. When you use this password validation technique, you rely on
the LDAP server that contains the user account to authenticate the user's password.
Important: If your computer name contains a hyphen, you might not be able to join or
bind to a directory domain such as LDAP or Active Directory. To establish binding, use
a computer name that does not contain a hyphen.
To enable LDAP bind user authentication:
1 Make sure the Mac OS X computer that needs to authenticate the user account has
a connection to the LDAP directory where the user account resides and that the
computer’s search policy includes the LDAP directory connection.
For information about configuring LDAP server connections and the search policy, see
“Using Advanced LDAP Service Settings” on page 133.
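Both the passwords-in-sync check above and the bind authentication described in this section come down to one LDAP operation: the client sends a simple bind with a DN and a password, and the directory answers with a resultCode. The following Python script is an added example, not Apple's code and not part of this guide. It encodes an LDAPv3 BindRequest by hand (RFC 4511, BER), parses the BindResponse, and reports whether the directory accepted the password. The host od.example.com, the DN uid=admin,cn=users,dc=example,dc=com and the password are placeholders; the script assumes the Open Directory LDAP service is reachable over LDAPS on port 636.

```python
"""LDAPv3 simple bind over a raw socket (RFC 4511), standard library only. Added example, not Apple's code."""
import socket
import ssl

INVALID_CREDENTIALS = 49  # LDAP resultCode returned when the password is rejected


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the top bit from reading as a sign."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple } }."""
    bind = tlv(0x60,                                   # [APPLICATION 0] BindRequest
               ber_int(3)                              # version
               + tlv(0x04, dn.encode("utf-8"))         # name: LDAPDN
               + tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return tlv(0x30, ber_int(msg_id) + bind)           # outer LDAPMessage SEQUENCE


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                                    # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(resp)                      # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)          # matchedDN
    _, diag, _ = read_tlv(resp, pos)                   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read one whole LDAPMessage: tag byte, BER length, then exactly that many bytes."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        length, lenbytes = head[1], b""
    else:
        lenbytes = recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(lenbytes, "big")
    return head + lenbytes + recv_exact(sock, length)


def ldap_bind_check(host: str, dn: str, password: str, port: int = 636, use_tls: bool = True) -> bool:
    """True if the directory accepts dn/password, False on invalidCredentials; other failures raise.

    A simple bind carries the password in clear text, so keep use_tls=True (LDAPS, port 636)
    unless the connection is otherwise protected. Host, DN and password are caller-supplied placeholders.
    """
    raw = socket.create_connection((host, port), timeout=5.0)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with sock:
        sock.sendall(encode_bind_request(1, dn, password))
        msg_id, code, diag = parse_bind_response(recv_ldap_message(sock))
    if msg_id != 1:
        raise ValueError("response messageID %d does not match the request" % msg_id)
    if code == 0:
        return True
    if code == INVALID_CREDENTIALS:
        return False
    raise RuntimeError("bind failed with resultCode %d: %s" % (code, diag))
```

Run `ldap_bind_check("od.example.com", "uid=admin,cn=users,dc=example,dc=com", password)` with the password you believe belongs to the primary administrator; a False result means the LDAP copy of the account no longer matches what you expect, which is exactly the situation the lock-and-reauthenticate behavior above warns about. The local directory copy cannot be checked over LDAP; on the server itself, `dscl /Local/Default -authonly <name>` tests it. Leave use_tls enabled: without TLS the BindRequest puts the password on the wire unencrypted, and the directory's answer is the only thing standing between a guessed password and a server administrator account.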
116 Chapter 6 Managing User Authentication Using Workgroup Manager