Chapter 4 Open Directory Planning and Management Tools
Mixing Active Directory and Open Directory Master and Replica Services
There are special considerations when introducing Open Directory servers into an
Active Directory environment. Unless the precautions below are taken, authentication
behaves inconsistently on both clients and servers.
Also avoid mixing Authenticated Directory Binding and Active Directory on the same
client or server. Authenticated binding relies on Kerberos, as does Active Directory,
and using both produces unexpected behavior or nonfunctioning authentication services
unless the care detailed below is taken.
When mixing Open Directory and Active Directory, a client can use Kerberos
credentials from only one system at a time for single sign-on. A user cannot exist in
both Active Directory and Open Directory and use both sets of Kerberos credentials
for single sign-on to a Kerberized server.
In other words, you cannot log in with an Active Directory account and expect
single sign-on to a server that belongs to the Open Directory Kerberos realm.
Kerberos is used in both Active Directory and Open Directory environments. When a
client needs a ticket for a server, Kerberos decides which realm that server belongs
to by rule (the domain_realm mapping in its configuration), not by asking the server.
The following example shows an Active Directory Kerberos realm mixed with an Open
Directory master Kerberos realm:
Active Directory Domain = company.com
Active Directory Kerberos realm = COMPANY.COM
Open Directory Server master = server1.company.com
Open Directory Kerberos realm = SERVER1.COMPANY.COM
When Kerberos attempts to obtain a ticket for the LDAP service on
server1.company.com, it requests the service principal
ldap/server1.company.com@COMPANY.COM unless a domain_realm mapping in the
configuration says otherwise. The domain_realm mapping written for the Open
Directory master assigns all of company.com to SERVER1.COMPANY.COM, so every host in
the Active Directory domain company.com is treated as a member of the Open Directory
realm. This prevents all Kerberos connectivity to the Active Directory domain named
company.com.
If you want to mix Authenticated Directory Binding and Active Directory, the Open
Directory servers and realm must sit in a different DNS hierarchy (a subdomain) from
the Active Directory domain, so that the Open Directory domain_realm mapping covers
only that subdomain and hosts in the Active Directory domain keep resolving to the
Active Directory realm. For example:
Active Directory Domain = company.com
Active Directory Kerberos realm = COMPANY.COM
Open Directory Server master = server1.od.company.com
Open Directory Server realm = OD.COMPANY.COM
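The following is an added worked example, not Apple's code and not part of the original guide. It implements the host-to-realm lookup that the domain_realm section drives (simplified MIT Kerberos rules: exact host name first, then each parent domain with a leading dot, then default_realm) and runs it against two constructed krb5.conf texts matching the two layouts above. The default_realm of COMPANY.COM and the exact domain_realm entries written for the Open Directory master are assumptions chosen to match the text. The check at the end, hijacked_ad_mappings, is the one you would run on a client's krb5.conf: it lists any mapping for the Active Directory domain itself that points at a realm other than the Active Directory realm.

```python
"""Kerberos host-to-realm resolution as driven by the [domain_realm] section of
krb5.conf. Added example for this section; not Apple's code. Both krb5.conf texts
below are constructed to match the two layouts in the text; the client's
default_realm is assumed to be the Active Directory realm."""
import re

SECTION_RE = re.compile(r"\[(\w+)\]")

# Constructed: Open Directory master inside the Active Directory namespace.
# The domain_realm entries are the assumed result of promoting server1.company.com.
BROKEN_CONF = """
[libdefaults]
    default_realm = COMPANY.COM
[domain_realm]
    server1.company.com = SERVER1.COMPANY.COM
    .company.com = SERVER1.COMPANY.COM   ; claims the whole AD domain
    company.com = SERVER1.COMPANY.COM
"""

# Constructed: Open Directory master in its own subdomain, od.company.com.
FIXED_CONF = """
[libdefaults]
    default_realm = COMPANY.COM
[domain_realm]
    server1.od.company.com = OD.COMPANY.COM
    .od.company.com = OD.COMPANY.COM     # covers only the OD subdomain
    od.company.com = OD.COMPANY.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.
    Keys are lower-cased; '#' and ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def host_to_realm(hostname, domain_realm, default_realm):
    """Exact host name first, then each parent domain with a leading dot,
    then the default realm. Host names compare case-insensitively."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def service_principal(service, hostname, conf):
    """Principal the client asks the KDC for when it Kerberizes a service on hostname."""
    realm = host_to_realm(hostname, conf.get("domain_realm", {}),
                          conf["libdefaults"]["default_realm"])
    return f"{service}/{hostname.lower()}@{realm}"


def hijacked_ad_mappings(conf, ad_domain, ad_realm):
    """domain_realm keys for the AD domain itself (with or without a leading dot)
    that map to a realm other than the AD realm. Any hit means every host in the
    AD domain is sent to the wrong KDC, which is the failure the text describes."""
    ad_domain = ad_domain.lower()
    mapping = conf.get("domain_realm", {})
    return sorted(key for key in (ad_domain, "." + ad_domain)
                  if key in mapping and mapping[key] != ad_realm)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        conf = parse_krb5_conf(text)
        print(name, service_principal("ldap", "dc1.company.com", conf),
              hijacked_ad_mappings(conf, "company.com", "COMPANY.COM"))
```

With the first configuration every host under company.com, including the Active Directory domain controllers, resolves to SERVER1.COMPANY.COM, and the check reports both offending keys. With the second, only hosts under od.company.com resolve to OD.COMPANY.COM and the Active Directory hosts fall through to the default realm, so the check is empty.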