Chapter 8 Advanced Directory Client Settings 131
6 Click Search Policy and choose a search policy:
• Authentication: Shows the search policy used for authentication and most other administrative data.
• Contacts: Shows the search policy used for contact information in applications such as Address Book.
7 From the Search pop-up menu, choose “Local directory,” then click Apply.
Waiting for a Search Policy Change to Take Effect
After changing the search policy in the Authentication pane or the Contacts pane of
Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in
using an account from a directory domain that uses the authentication search policy
are unsuccessful until changes to it take effect.
Protecting Computers from a Malicious DHCP Server
Apple recommends that you don’t use an automatic authentication search policy
with a DHCP-supplied LDAP server or a DHCP-supplied shared directory domain in an
environment where security is a major concern.
A malicious hacker with access to your network can use a sham DHCP server and a
sham LDAP directory (or shared directory domain) to control your computer by using
the root user account.
For a hacker to access your network, the hacker’s sham DHCP server must be part of
your local network or subnet. Therefore, if your computers are the only ones on your
local network and they get Internet access through Mac OS X Server NAT service or
a NAT router, this type of security breach is not possible. However, a wireless local
network decreases security because a hacker can join a wireless local network more
easily than a wired local network.
You can protect your Mac against malicious attacks from a sham DHCP server by
disabling use of a DHCP-supplied LDAP directory and disabling broadcast and DHCP
binding for local directory domain (or disabling the local directory domain).
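As an added audit example (not code from Apple’s guide), the following Python checks the two client settings this section tells you to harden: whether the authentication search policy is still automatic, and whether the LDAPv3 plug-in may accept a DHCP-supplied LDAP server. It parses the text output of `dscl /Search -read / SearchPolicy` and the DSLDAPv3PlugInConfig.plist; the `DHCP LDAP` key name and both sample inputs are assumptions constructed here.

```python
"""Audit: automatic (network) search policy and DHCP-supplied LDAP.

Inputs are the text printed by `dscl /Search -read / SearchPolicy` and the
bytes of /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist.
The "DHCP LDAP" boolean key is an assumed name, not taken from the guide."""
import plistlib

# dscl reports the active policy as one of these attribute names.
POLICY_NAMES = {
    "dsAttrTypeStandard:NSPSearchPath": "automatic",  # network-supplied (DHCP)
    "dsAttrTypeStandard:LSPSearchPath": "local",      # local directory only
    "dsAttrTypeStandard:CSPSearchPath": "custom",     # administrator-defined list
}

# Constructed sample inputs: a client still using the defaults this
# section warns against, and one that has been hardened.
SAMPLE_DSCL_AUTOMATIC = "SearchPolicy: dsAttrTypeStandard:NSPSearchPath\n"
SAMPLE_DSCL_LOCAL = "SearchPolicy: dsAttrTypeStandard:LSPSearchPath\n"
SAMPLE_PLIST_DHCP_ON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>DHCP LDAP</key><true/></dict></plist>"""
SAMPLE_PLIST_DHCP_OFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>DHCP LDAP</key><false/></dict></plist>"""

def parse_search_policy(dscl_output: str) -> str:
    """Return 'automatic', 'local', 'custom' or 'unknown' from dscl text."""
    for line in dscl_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "SearchPolicy":
            return POLICY_NAMES.get(value.strip(), "unknown")
    return "unknown"

def dhcp_ldap_enabled(plist_bytes: bytes) -> bool:
    """True when the plug-in is allowed to take an LDAP server from DHCP."""
    cfg = plistlib.loads(plist_bytes)
    return bool(cfg.get("DHCP LDAP", False))

def audit(dscl_output: str, plist_bytes: bytes) -> list:
    """List the findings a defender would act on; empty means hardened."""
    findings = []
    if parse_search_policy(dscl_output) == "automatic":
        findings.append("authentication search policy is automatic; use custom or local")
    if dhcp_ldap_enabled(plist_bytes):
        findings.append("DHCP-supplied LDAP is enabled; disable it in Directory Utility")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DSCL_AUTOMATIC, SAMPLE_PLIST_DHCP_ON):
        print("FINDING:", finding)
```

On a real client, feed `audit()` the live `dscl` output and the plist file contents instead of the constructed samples.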
If you have a mobile computer that connects to an LDAP server when the computer is
connected to a network, and you change the computer’s search policy from automatic
to custom (in the Authentication pane of Search Policy in Directory Utility), a startup
delay occurs when the computer is not connected to the network.
The delay occurs because the computer can’t connect to a specific directory domain
listed in the computer’s custom search policy. No delay is noticeable when waking a
computer that’s been disconnected from the network while sleeping.