Specifications

Or:
Active Directory domain = ads.company.com
Active Directory Kerberos realm = ADS.COMPANY.COM
Open Directory Server master = server1.od.company.com
Open Directory Kerberos realm = OD.COMPANY.COM
In both examples, a new DNS zone must be created for the Open Directory domain, and
forward and reverse DNS entries must exist for the servers so that an address used
for the Open Directory server resolves back to the expected name. For example, if
server1.od.company.com = 10.1.1.1, a reverse lookup of 10.1.1.1 should return
server1.od.company.com, not server1.company.com.
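The forward/reverse rule above is easy to get wrong when the parent zone (company.com) already has a PTR for the same address. The following Python check is an added example, not part of the Open Directory guide: it resolves each expected host both ways and reports any disagreement. The in-memory tables are constructed sample data that mirror the guide's server1.od.company.com = 10.1.1.1 case plus one deliberately wrong PTR; system_resolver() is the hook for running the same check against live DNS, and the function names are assumptions of this example.

```python
"""Check that each directory server's forward (A) and reverse (PTR) DNS
records agree, as the Open Directory planning text requires.

Added example, not code from the guide.  SAMPLE_FORWARD / SAMPLE_REVERSE are
constructed data; swap in system_resolver() to query real DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample records.  10.1.1.1 follows the guide's example; the
# PTR for 10.1.1.2 points at the parent zone, which is the mismatch the
# guide warns against.
SAMPLE_FORWARD: Dict[str, str] = {
    "server1.od.company.com": "10.1.1.1",
    "server2.od.company.com": "10.1.1.2",
}
SAMPLE_REVERSE: Dict[str, str] = {
    "10.1.1.1": "server1.od.company.com",
    "10.1.1.2": "server2.company.com",   # wrong: should be server2.od.company.com
}

# A resolver is a pair of callables: name -> address, address -> name.
Resolver = Tuple[Callable[[str], str], Callable[[str], str]]


def table_resolver(forward: Dict[str, str], reverse: Dict[str, str]) -> Resolver:
    """Resolver backed by in-memory tables (offline checks and tests)."""
    def fwd(name: str) -> str:
        return forward[name]            # KeyError if no A record

    def rev(ip: str) -> str:
        return reverse[ip]              # KeyError if no PTR record
    return fwd, rev


def system_resolver() -> Resolver:
    """Resolver backed by the host's libc resolver (what a live check uses)."""
    def fwd(name: str) -> str:
        return socket.gethostbyname(name)

    def rev(ip: str) -> str:
        return socket.gethostbyaddr(ip)[0]
    return fwd, rev


def check_host(expected_name: str, expected_ip: str, resolver: Resolver) -> List[str]:
    """Return the list of problems for one server; an empty list means the
    A and PTR records are consistent with what the directory expects."""
    fwd, rev = resolver
    problems: List[str] = []
    name = expected_name.rstrip(".").lower()
    ipaddress.ip_address(expected_ip)   # raises ValueError on a malformed address

    try:
        got_ip = fwd(name)
    except (KeyError, socket.gaierror):
        return [f"{name}: no forward (A) record"]
    if got_ip != expected_ip:
        problems.append(f"{name}: A record is {got_ip}, expected {expected_ip}")

    try:
        got_name = rev(expected_ip).rstrip(".").lower()
    except (KeyError, socket.herror):
        problems.append(f"{expected_ip}: no reverse (PTR) record")
        return problems
    if got_name != name:
        problems.append(f"{expected_ip}: PTR is {got_name}, expected {name}")
    return problems


def check_all(hosts: Dict[str, str], resolver: Resolver) -> Dict[str, List[str]]:
    """Run check_host over every expected name/address pair."""
    return {n: check_host(n, ip, resolver) for n, ip in hosts.items()}


if __name__ == "__main__":
    res = table_resolver(SAMPLE_FORWARD, SAMPLE_REVERSE)
    for host, probs in check_all(SAMPLE_FORWARD, res).items():
        print(host, "OK" if not probs else "; ".join(probs))
```

Run the live variant (system_resolver()) on the Open Directory server itself, since that is the resolver the directory services will actually use; a PTR that answers with the parent-zone name is exactly the case in which Kerberos principals end up named after the wrong host.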
Integrating with Existing Directory Domains
If your network has a directory domain, you can integrate another directory domain
server into your network. There are many reasons why you might want to have two
directory domains, such as providing better support and management of network
computers.
Integrating with Cross-domain Authorization
If your network has a directory domain, you can add another directory domain server
to your network that uses your existing directory domain's database to authorize user
access. This configuration is referred to as cross-domain authorization and requires that
your servers support Kerberos.
If you use cross-domain authorization, one server is the pseudomaster server and
the other is a subordinate server. Users authenticate to the pseudomaster server;
a user who authenticates successfully receives a Kerberos ticket.
When the user attempts to access a service offered by the subordinate server,
the subordinate server accepts and validates the user's Kerberos ticket, which was
issued by the pseudomaster server, and uses it to authorize the user.
The Kerberos ticket carries Privilege Attribute Certificate (PAC) information, which contains
the user name, user IDs (UIDs), and group membership IDs (GIDs).
The subordinate server uses this information to verify that the user is authorized to use
the service. It does so by comparing the UID or GIDs to the access control list (ACL) of
the service the user is requesting.
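The two-server exchange described above, as an added example that is not part of the Open Directory guide: the pseudomaster side issues a ticket carrying PAC-style data (user name, UID, GIDs), and the subordinate side first validates the ticket against the issuing realm and only then compares the UID and GIDs with the service ACL. The ticket encoding, the HMAC tag and the per-realm shared key are simplifications of this example standing in for the real Kerberos cross-realm machinery; REALM_KEYS, issue_ticket, validate_ticket, ServiceACL and authorize are names assumed here.

```python
"""Toy model of cross-domain authorization between a pseudomaster and a
subordinate server.  Added example, not code from the guide.

The ticket is a base64 JSON body plus an HMAC tag under a key shared with
the issuing realm.  Real Kerberos protects the ticket and PAC differently;
only the decision logic (validate first, then authorize by UID/GID) is the
point of this example.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Constructed: one key per trusted issuing realm (stands in for the
# cross-realm key a real KDC pair would share).
REALM_KEYS: Dict[str, bytes] = {
    "OD.COMPANY.COM": b"od-realm-demo-key",
}


class TicketError(Exception):
    """Raised when a ticket fails validation (authentication, not authorization)."""


def issue_ticket(realm: str, user: str, uid: int, gids: Iterable[int],
                 key: bytes, lifetime: int = 600,
                 now: Optional[float] = None) -> str:
    """Pseudomaster side: build a ticket whose body carries the PAC fields."""
    now = time.time() if now is None else now
    pac = {"realm": realm, "user": user, "uid": uid,
           "gids": sorted(set(gids)), "expires": now + lifetime}
    body = json.dumps(pac, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    # base64 never contains '.', so it is a safe separator between body and tag
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def validate_ticket(ticket: str, trusted_keys: Dict[str, bytes],
                    now: Optional[float] = None) -> dict:
    """Subordinate side: accept the ticket only if it was issued by a trusted
    realm, is untampered, and has not expired.  Returns the PAC fields."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = ticket.split(".")
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
        pac = json.loads(body)
    except ValueError as exc:           # covers bad split, bad base64, bad JSON
        raise TicketError(f"malformed ticket: {exc}") from exc
    key = trusted_keys.get(pac.get("realm"))
    if key is None:
        raise TicketError("ticket issued by an untrusted realm")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise TicketError("ticket signature does not verify")
    if pac["expires"] <= now:
        raise TicketError("ticket expired")
    return pac


@dataclass
class ServiceACL:
    """ACL of one service on the subordinate server, in the directory's ID space."""
    allowed_uids: Set[int] = field(default_factory=set)
    allowed_gids: Set[int] = field(default_factory=set)


def authorize(ticket: str, acl: ServiceACL, trusted_keys: Dict[str, bytes],
              now: Optional[float] = None) -> bool:
    """Validate the ticket, then authorize by comparing the PAC's UID or any
    of its GIDs against the service ACL.  Raises TicketError if the ticket
    itself is bad; returns False only for a valid but unauthorized user."""
    pac = validate_ticket(ticket, trusted_keys, now)
    if pac["uid"] in acl.allowed_uids:
        return True
    return bool(set(pac["gids"]) & acl.allowed_gids)


if __name__ == "__main__":
    key = REALM_KEYS["OD.COMPANY.COM"]
    t = issue_ticket("OD.COMPANY.COM", "alice", 1001, [20, 80], key)
    print(authorize(t, ServiceACL(allowed_gids={80}), REALM_KEYS))
```

Two points the decision logic makes visible: a failed validation (untrusted realm, bad tag, expiry) is reported separately from a plain "not on the ACL" result, so logs distinguish a forged ticket from a legitimate user asking for the wrong service; and the UID/GID comparison only means something if the subordinate's ACLs are written in the same ID space the pseudomaster's directory assigns, which is why the guide ties this setup to a shared directory database.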
66 Chapter 4 Open Directory Planning and Management Tools