Specifications

Note: If you change the security policy for the LDAP directory of an Open Directory
master, you must disconnect and reconnect (unbind and rebind) every computer
connected (bound) to this LDAP directory, because clients read the policy only when
they bind. Use the Accounts preferences as described in “Removing a Directory Server
Connection” on page 122 and “Adding an Open Directory Server Connection” on page 121.
To set the security policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click Policies.
5 Click Binding, then set the security options you want:
• Disable clear text passwords prevents clients from falling back to sending a password
as clear text when it can’t be validated using any authentication method that sends the
password encrypted. For more information, see “Selecting Authentication Methods for
Shadow Password Users” on page 113 and “Selecting Authentication Methods for Open
Directory Passwords” on page 114.
• Encrypt all packets (requires SSL or Kerberos) requires the LDAP server to encrypt
directory data using SSL or Kerberos before sending it to client computers.
• Digitally sign all packets (requires Kerberos) certifies that directory data from the LDAP
server won’t be intercepted and modified by another computer while en route to
client computers. Signing detects tampering; it does not hide the data, so combine it
with “Encrypt all packets” if the directory contents are sensitive.
• Block man-in-the-middle attacks (requires Kerberos) protects against a rogue server
posing as the LDAP server. This is best used with the “Digitally sign all packets” option.
• Disable client-side caching prevents client computers from caching LDAP data locally.
• Allow users to edit their own contact information permits users to change contact
information on the LDAP server.
6 Click Save.
Important: If you choose “Encrypt all packets (requires SSL or Kerberos)” and “Enable
authenticated directory binding,” make sure your users are using one or the other for
binding and not both.
Based on the settings here, the security options can also be configured on each
client of an Open Directory master or replica. A client can add restrictions of its own,
but an option that is selected on the master can’t be deselected for a client: the master’s
policy is the floor. For more information about configuring these options on a client,
see “Changing the Security Policy for an LDAP Connection” on page 145.
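The same policy can be applied when a client is bound from the command line with dsconfigldap(8), which is how the rebind required after a policy change is usually scripted. The script below is an added example, not part of Apple’s guide or its tools; it maps the Server Admin “Binding” options to dsconfigldap’s enforcement flags (-s, -e, -g, -m and -x, as documented in the dsconfigldap man page on Mac OS X Server 10.5 and 10.6), mirrors the “Important” warning above by refusing to combine SSL with authenticated binding when packet encryption is enforced, and reads back the policy record the master publishes under cn=config. The server name, base DN, configuration name, computer ID and administrator account are placeholders; confirm the flags with `man dsconfigldap` and the policy record name with a one-level search of cn=config on your own release before relying on them.

```shell
#!/bin/sh
# Added example (not from the Apple guide): bind a Mac OS X client to an
# Open Directory master with dsconfigldap, mapping the Server Admin
# "Binding" policy options to the tool's enforcement flags.
# Flag meanings as given in the dsconfigldap(8) man page (10.5/10.6):
#   -s  enforce secure authentication only   (Disable clear text passwords)
#   -e  enforce packet encryption            (Encrypt all packets)
#   -g  enforce packet signing               (Digitally sign all packets)
#   -m  enforce man-in-the-middle protection (Block man-in-the-middle attacks)
#   -x  SSL connection to the LDAP server
# Host names, DNs and account names below are placeholders (assumptions).

# od_policy_flags NO_CLEARTEXT ENCRYPT SIGN MITM SSL
#   Each argument is 1 (enforce) or 0. Prints the dsconfigldap flags in a
#   fixed order so callers can compare the result; prints nothing when no
#   option is enforced.
od_policy_flags() {
    flags=""
    [ "$1" = 1 ] && flags="$flags -s"
    [ "$2" = 1 ] && flags="$flags -e"
    [ "$3" = 1 ] && flags="$flags -g"
    [ "$4" = 1 ] && flags="$flags -m"
    [ "$5" = 1 ] && flags="$flags -x"
    printf '%s' "${flags# }"
}

# od_check_policy ENCRYPT SSL AUTHENTICATED
#   Mirrors the guide's warning: when the master enforces "Encrypt all
#   packets", a client should bind with SSL (-x) or with authenticated
#   binding (-f), not both. Returns 1 if the caller asked for both.
od_check_policy() {
    if [ "$1" = 1 ] && [ "$2" = 1 ] && [ "$3" = 1 ]; then
        echo "use SSL or authenticated binding for this client, not both" >&2
        return 1
    fi
    return 0
}

# od_bind_command SERVER CONFIG_NAME COMPUTER_ID ADMIN_USER POLICY_FLAGS
#   Prints the dsconfigldap command line that binds this client. -a adds
#   the server, -n names the configuration. When an administrator is given,
#   -f/-c/-u request an authenticated (trusted) bind and -i prompts for the
#   passwords instead of placing them on the command line.
od_bind_command() {
    server=$1; config=$2; computer=$3; admin=$4; flags=$5
    if [ -n "$admin" ]; then
        printf 'dsconfigldap -f -i -a %s -n %s -c %s -u %s %s\n' \
            "$server" "$config" "$computer" "$admin" "$flags"
    else
        printf 'dsconfigldap -a %s -n %s %s\n' "$server" "$config" "$flags"
    fi
}

# od_show_policy SERVER BASE_DN
#   Reads the policy record the master publishes in its LDAP directory
#   (cn=macosxodpolicy under cn=config, attribute apple-xmlplist), which
#   clients honour at bind time. The record is readable anonymously by
#   default, so no credentials are passed. (Not run in the dry run below.)
od_show_policy() {
    ldapsearch -x -LLL -H "ldap://$1" \
        -b "cn=macosxodpolicy,cn=config,$2" apple-xmlplist
}

# Example run with placeholder values: the master enforces all four
# protections without SSL, and the client binds as directory administrator.
# Set OD_APPLY=1 to execute the bind instead of printing it.
POLICY_FLAGS=$(od_policy_flags 1 1 1 1 0)
CMD=$(od_bind_command od.example.com ExampleOD client01 diradmin "$POLICY_FLAGS")
if od_check_policy 1 0 1; then
    if [ "${OD_APPLY:-0}" = 1 ]; then
        sh -c "$CMD"
    else
        echo "dry run: $CMD"
    fi
fi
```

After binding, run `od_show_policy od.example.com dc=example,dc=com` from the client and compare the published record with the options chosen in Server Admin; if the two disagree, the client was bound before the policy was saved and needs the unbind/rebind the note above describes.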
188 Chapter 9 Maintaining Open Directory Services