Specifications

Chapter 4 Open Directory Planning and Management Tools 67
Using cross-domain authorization keeps you from needing to create different user
names and passwords for your subordinate directory domain server. You can use the
same user names and passwords from the corporate directory domain along with
the PAC information to authorize user access.
Cross-domain authorization is an ideal configuration if you are not permitted to
directly edit groups in the corporate directory domain.
You can use cross-domain authorization between an Active Directory server and a
Mac OS X v10.6 Open Directory server or between two Mac OS X v10.6 Open Directory
servers. Cross-domain authorization does not work on a Mac OS X v10.4 server.
To use PAC information, the pseudomaster server must have a Kerberos realm for
the subordinate server to join.
To create a subordinate for a directory system, you must join your server to an
Active Directory or Open Directory server that has Kerberos configured and running.
Then, using Server Admin, you must promote your Open Directory server to an
Open Directory master. The subordinate server determines that it is subordinate to
an Active Directory or Open Directory server and configures itself accordingly.
You can also have a replica of your subordinate Open Directory server. To create a
replica of a subordinate directory server, join your server to the pseudomaster and
subordinate server. Then configure the server to be a replica of the subordinate server.
If you don’t join the server to both the pseudomaster and subordinate server, it is
blocked or fails to become a replica.
Integrating with a Magic Triangle
A magic triangle, also referred to as the golden triangle, is the connecting of two
directory domains where one controls the authentication and the other manages
Mac OS X settings.
Mac OS X supports the connection of an Active Directory server to an Open Directory
server or two Open Directory servers connected together. This creates a magic triangle
that is made up of three parts: the directory server providing authentication, the
second directory server, and the Mac OS X client computers.
When conguring a magic triangle, one server must be the primary server and the
other the secondary server. The secondary server must join the primary server and its
Kerberos realm. There can only be one Kerberos realm in a magic triangle.
For example, you can configure an Active Directory server as a primary server to host
the Kerberos Key Distribution Center (KDC) and contain user and group records. Then you
can configure an Open Directory server as a secondary server, and connect it to the
Active Directory server and its Kerberos realm.
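Both the subordinate-server procedure above (the pseudomaster must provide the Kerberos realm the subordinate joins) and the magic triangle rule (there can only be one Kerberos realm) reduce to the same check on the secondary server: its Kerberos client configuration must declare exactly one realm, and the default realm must be that one. The following shell script is an added example, not code from Apple's guide or from Mac OS X Server; it parses a file in standard krb5.conf syntax, and the two sample configurations it creates are constructed for the example. The file path is an assumption (on Mac OS X v10.6 the client configuration normally lives at /Library/Preferences/edu.mit.Kerberos, which uses the same syntax), so pass the real path as the argument.

```shell
#!/bin/sh
# Added example (not Apple's code): verify that a Kerberos client configuration
# in krb5.conf syntax declares exactly one realm and that default_realm names
# it, which is the single-realm condition a magic triangle requires.
# Assumption: the path passed to check_single_realm is the secondary server's
# Kerberos client configuration (e.g. /Library/Preferences/edu.mit.Kerberos).

# Print the name of every realm declared in the [realms] section, one per line.
list_realms() {
    awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[realms\]/); next }
        insect && /^[ \t]*[A-Za-z0-9._-]+[ \t]*=[ \t]*\{/ {
            sub(/^[ \t]*/, ""); sub(/[ \t]*=.*/, ""); print
        }
    ' "$1"
}

# Print default_realm from the [libdefaults] section (empty if it is missing).
default_realm() {
    awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# Return 0 if the file declares exactly one realm and default_realm matches it.
check_single_realm() {
    realms=$(list_realms "$1")
    count=$(printf '%s\n' "$realms" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one Kerberos realm, found $count" >&2
        return 1
    fi
    if [ "$(default_realm "$1")" != "$realms" ]; then
        echo "default_realm does not match the declared realm $realms" >&2
        return 1
    fi
    echo "single realm: $realms"
    return 0
}

# Constructed sample: a secondary that joined the primary's realm correctly.
good_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad-server.example.com:88
        admin_server = ad-server.example.com:749
    }
EOF
    echo "$f"
}

# Constructed sample: a secondary that still carries its own realm beside the
# primary's, which a magic triangle does not allow.
bad_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = OD.EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad-server.example.com:88
    }
    OD.EXAMPLE.COM = {
        kdc = od-server.example.com:88
    }
EOF
    echo "$f"
}
```

Run `check_single_realm /path/to/kerberos-config` on the secondary server after joining it to the primary; a non-zero exit with the message on stderr means the server either never received the primary's realm or still carries a second one, and it should not be promoted until that is resolved.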