Specifications

If the Active Directory schema has been extended to include Mac OS X record types
(object classes) and attributes, the Active Directory connector detects and accesses them.
For example, the Active Directory schema could be changed using Windows
administration tools to include Mac OS X managed client attributes. This schema
change enables the Active Directory connector to support managed client settings
made using Mac OS X Server’s Workgroup Manager application.
Mac OS X clients assume full read access to attributes that are added to the directory;
the connector does not fall back to default values if a read is denied. Therefore, it
might be necessary to change the ACL on those attributes to grant read permission to
the computer accounts (for example, by way of a computer group) that read them.
The Active Directory connector discovers all domains in an Active Directory forest.
You can configure the plug-in to permit users from any domain in the forest to
authenticate on a Mac OS X computer. Alternatively, you can permit only users from
specific domains to authenticate on the client.
The Active Directory connector fully supports Active Directory replication and failover.
It discovers multiple domain controllers and determines the closest one. If a domain
controller becomes unavailable, the plug-in falls back to another nearby domain
controller.
The Active Directory connector uses LDAP to access Active Directory user accounts
and Kerberos to authenticate them. The Active Directory connector does not use
Microsoft's proprietary Active Directory Services Interface (ADSI) to get directory or
authentication services.
Conguring Access to an Active Directory Domain
Using the Active Directory connector listed in Directory Utility, you can congure
Mac OS X to access basic user account information in an Active Directory domain on
a Windows server.
The Active Directory connector generates all attributes required for Mac OS X
authentication. No changes to the Active Directory schema are required.
The Active Directory connector detects and accesses standard Mac OS X record types
and attributes (such as the attributes required for Mac OS X client management), if the
Active Directory schema has been extended to include them.
WARNING: With the advanced options of the Active Directory connector, you can
map the Mac OS X unique user ID (UID), primary group ID (GID), and group GID
attributes to the corresponding attributes that have been added to the Active Directory
schema. If you change the setting of these mapping options later, users might lose
access to previously created files, because file ownership on disk is recorded by
numeric UID and GID, not by account name: a user whose UID changes no longer
matches the owner of files created under the old UID.
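The warning above is easier to act on with a dry run before the mapping is switched. The following Python script is an added example, not code from Apple's manual or from the Active Directory connector: it assumes a constructed table of user records (the UID the connector assigns today and the value of the schema attribute, here assumed to be uidNumber, that the new mapping would use) and a constructed file listing with numeric owners, as `stat -f '%u %N'` would print it. It reports which files would no longer match their owner's account after the change, flags accounts whose mapped attribute is unset or duplicated, and produces the chown commands a practitioner would review before running them.

```python
"""Dry-run audit of a UID mapping change for the Active Directory connector.

Added example (not from the Apple manual). Both inputs below are constructed:
USERS stands in for what the directory would return, FILE_LISTING for output
of `stat -f '%u %N'` over the home directories. The mapped attribute is assumed
to be uidNumber; substitute whatever attribute was added to the schema.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserRecord:
    name: str
    current_uid: int            # UID the connector assigns today
    mapped_uid: Optional[int]   # value of the attribute the new mapping would use; None if unset


# Constructed sample directory records.
USERS = [
    UserRecord("alice", 1289035461, 10001),
    UserRecord("bob",   1574398720, 10002),
    UserRecord("carol", 1931402215, None),    # uidNumber was never populated
    UserRecord("dave",  1122334455, 10001),   # duplicate uidNumber, collides with alice
]

# Constructed sample listing: "<owner uid> <path>" per line.
FILE_LISTING = """\
1289035461 /Users/alice/Documents/plan.txt
1289035461 /Users/alice/Desktop/notes.rtf
1574398720 /Users/bob/Documents/report.pdf
1931402215 /Users/carol/Documents/thesis.pages
501 /Users/localadmin/readme.txt
"""


def parse_listing(text: str) -> list:
    """Turn 'uid path' lines into (uid, path) tuples, skipping blank lines."""
    files = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        uid, path = line.split(" ", 1)
        files.append((int(uid), path))
    return files


def audit(users: list, files: list) -> list:
    """Return (path, user, issue) tuples for files affected by the mapping change.

    A file is affected when its owner uid is a connector-assigned uid whose account
    would resolve to a different uid (or to no uid at all) under the new mapping.
    Files owned by local or unknown uids are untouched by the change and skipped.
    """
    by_current = {u.current_uid: u for u in users}
    mapped_counts = Counter(u.mapped_uid for u in users if u.mapped_uid is not None)
    findings = []
    for owner_uid, path in files:
        user = by_current.get(owner_uid)
        if user is None:
            continue
        if user.mapped_uid is None:
            findings.append((path, user.name, "mapped attribute is unset"))
        elif user.mapped_uid != owner_uid:
            findings.append((path, user.name,
                             f"owner stays {owner_uid}, account becomes {user.mapped_uid}"))
            if mapped_counts[user.mapped_uid] > 1:
                findings.append((path, user.name,
                                 f"uid {user.mapped_uid} is shared by {mapped_counts[user.mapped_uid]} accounts"))
    return findings


def remediation_commands(users: list, root: str = "/Users") -> list:
    """Build chown commands for accounts that can be re-owned safely.

    Accounts with an unset or duplicated mapped uid are deliberately left out:
    fix the directory data first, then rerun the audit.
    """
    mapped_counts = Counter(u.mapped_uid for u in users if u.mapped_uid is not None)
    cmds = []
    for u in users:
        if u.mapped_uid is None or u.mapped_uid == u.current_uid or mapped_counts[u.mapped_uid] > 1:
            continue
        cmds.append(f"find {root} -xdev -user {u.current_uid} -exec chown -h {u.mapped_uid} {{}} +")
    return cmds


if __name__ == "__main__":
    for finding in audit(USERS, parse_listing(FILE_LISTING)):
        print("%-45s %-6s %s" % finding)
    print("\n".join(remediation_commands(USERS)))
```

Run the audit with the connector still on the old mapping, fix any unset or duplicated attribute values in Active Directory, re-own the files with the generated commands, and only then change the mapping in Directory Utility.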
160 Chapter 8 Advanced Directory Client Settings