
Chapter 9 Maintaining Open Directory Services
Setting a Binding Policy for an Open Directory Server
Using Server Admin, you can configure an Open Directory master to permit or require
trusted binding between the LDAP directory and the computers that access it. Replicas
of an Open Directory master inherit the master's binding policy.
Trusted LDAP binding is mutually authenticated. The computer proves its identity by
using an LDAP directory administrator’s name and password to authenticate to the
LDAP directory. The LDAP directory proves its authenticity by means of an authenticated
computer record created in the directory when you set up trusted binding.
Clients can’t be configured to use trusted LDAP binding and a DHCP-supplied LDAP
server (also known as DHCP option 95). Trusted LDAP binding is inherently a static
binding, but DHCP-supplied LDAP is a dynamic binding.
Note: To use trusted LDAP binding, clients need v10.4 or later of Mac OS X or Mac OS X
Server. Clients using v10.3 or earlier can’t set up trusted binding.
To set the binding policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click Policies.
5 Click Binding, then set the directory binding options you want:
To permit trusted binding, select “Enable authenticated directory binding.”
To require trusted binding, also select “Require authenticated binding between
directory and clients.”
6 Click Save.
Important: If you choose “Encrypt all packets (requires SSL or Kerberos)” and “Enable
authenticated directory binding,” make sure your users are using one or the other for
binding and not both.
Setting a Security Policy for an Open Directory Server
Using Server Admin, you can configure a security policy for access to the LDAP
directory of an Open Directory master.
Replicas of the Open Directory master inherit the master's security policy.