Specifications
Chapter 4 Open Directory Planning and Management Tools 69
Integrating Without Schema Changes
Mac OS X and Mac OS X Server integrate with most LDAP-based directories without
needing to change the schema of your directory server. However, some record types
might not be recognized or maintained by your server’s directory schema.
When you integrate Mac OS X computers with your directory server, you might want
to add a new record type or object class to the directory schema to better manage
and support Mac OS X client computers.
For example, by default there may not be a Picture record type in your directory
schema for Mac OS X users, but you can add it to your directory schema so Picture
records can be stored in the directory database.
If you want to add records or attributes to your directory schema, consult your
directory domain administrator for instructions.
Integrating With Schema Changes
If you are adding Mac OS X computers to a directory domain, you can make schema
changes to the directory domain server to better support Mac OS X client computers.
When you add a record type or attribute to the directory schema, investigate whether
you already have a record type or attribute that can easily map to it in the existing
schema. If you don’t have a similar record type or attribute that you can map to, you
can add the record type or attribute to your schema. This is referred to as extending
your schema.
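One way to do that investigation against a schema export, as an added example that is not part of the Apple guide: the functions below parse a constructed excerpt of an LDAP server's subschema entry (the kind of output `ldapsearch -s base -b cn=subschema attributeTypes` returns) and report, for each Mac OS X attribute, whether an existing attribute can take it or the schema needs extending. The SUBSCHEMA_LDIF text, the NEEDED candidate lists and the attribute pairings are assumptions chosen for illustration, not Apple's default mappings.

```python
import re

# Constructed stand-in for `ldapsearch -s base -b cn=subschema attributeTypes`
# output; a line starting with a space is an LDIF continuation of the previous line.
SUBSCHEMA_LDIF = """\
dn: cn=subschema
attributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto'
  DESC 'RFC2798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

# Mac OS X attributes to store, each with existing LDAP attributes that could
# hold it. The candidate lists are an assumption for this example, not Apple's
# default mappings; homeDirectory is deliberately absent from the excerpt above.
NEEDED = {
    "Picture": ["jpegPhoto", "photo"],
    "RealName": ["displayName", "cn"],
    "HomeDirectory": ["homeDirectory"],
}

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

_ATTR_RE = re.compile(r"attributeTypes:\s*\(\s*(\S+)\s+NAME\s+(\([^)]*\)|'[^']*')")

def schema_attribute_names(ldif_text):
    """Return {lowercased attribute name: OID} for every attributeTypes value,
    handling both the NAME 'x' and NAME ( 'x' 'y' ) forms."""
    names = {}
    for line in unfold_ldif(ldif_text):
        m = _ATTR_RE.match(line)
        if m:
            for name in re.findall(r"'([^']+)'", m.group(2)):
                names[name.lower()] = m.group(1)
    return names

def plan_mapping(needed, names):
    """Map each needed attribute to the first candidate the schema already
    publishes, or flag it as requiring a schema extension."""
    plan = {}
    for mac_attr, candidates in needed.items():
        found = next((c for c in candidates if c.lower() in names), None)
        plan[mac_attr] = found if found else "EXTEND SCHEMA"
    return plan
```

Run the real subschema query against your own directory and pass its output to the same functions; anything flagged EXTEND SCHEMA is what you would take to the directory domain administrator.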
When you extend your schema you might need to change the default Access Control
List (ACL) of specific attributes so computer accounts can read the user properties. For
example, you can configure Mac OS X to access basic user account information in an
Active Directory domain of a Windows 2000, Windows 2003, or later server.
For more information about extending your schema, see Appendix B, “Mac OS X
Directory Data.”
Avoiding Kerberos Conflicts with Multiple Directories
If you set up an Open Directory master on a network that has an Active Directory
domain, your network will have two Kerberos realms: An Open Directory Kerberos
realm and an Active Directory Kerberos realm.
For practical purposes, other servers on the network can use only one Kerberos
realm. When you set up a file server, mail server, or other server that can use Kerberos
authentication, you must choose one Kerberos realm.