Specifications
Chapter 4 Open Directory Planning and Management Tools 73
• Equip the Open Directory master computer with an uninterruptible power supply.

In summary, the most secure and best practice is to:

• Dedicate each server that is an Open Directory master or replica to providing only Open Directory services.
• Set up a firewall on these servers that admits only the directory access, authentication, and administration protocols (LDAP, Password Server, Kerberos, and Workgroup Manager) and blocks everything else.
• Physically secure each Open Directory server and all backup media used with it.
Replicating directory and authentication data over the network is a low security risk. Password data is replicated using random keys negotiated during each replication session, and the authentication portion of the replication traffic (the Open Directory Password Server and the Kerberos KDC) is fully encrypted. Note that this statement covers only the authentication portion of the traffic; protect the rest of the replication path with the firewall rules and segmentation described in this chapter.

For extra security, configure the network connections between Open Directory servers to use network switches rather than hubs. A hub repeats every frame to every port, so replication traffic on a hub is visible to any host on that segment; a switch keeps the authentication replication traffic on the trusted segments between the servers. This limits passive eavesdropping only. An attacker with a foothold on the same switch can still redirect traffic toward themselves, so switching complements the encryption described above rather than replacing it.
Service Access Control Lists (SACLs)

Mac OS X uses SACLs to authorize user access to a service. An SACL is made up of access control entries (ACEs), each naming a user or a group, that determine which users may use the service.

You can use SACLs to allow or deny user access to an Open Directory master or replica by setting SACLs for the login window and SSH. These SACLs restrict access to the service itself.

You can also use SACLs to set administrator access to Open Directory. An administrator SACL does not restrict access to the service; instead, it specifies who can administer or monitor the service. For more information about setting administrator SACLs, see “Configuring Open Directory Service Access Control” on page 179.

SACLs give you fine-grained control over which administrators can monitor and manage the service. Only users and groups listed in an SACL have access to its corresponding service, so a user who is not listed, either directly or through a listed group, is denied. For example, to give users or groups administrator access to the Open Directory service on your server, add them to the Open Directory SACL as ACEs.
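As an added example (not code from the manual), the following Python models the SACL rule just described: a service with no SACL is open to every user, a service with an SACL admits only the users and groups it lists, and a group ACE is resolved through nested groups. On macOS the SACL for a service is the group com.apple.access_<service> (for example com.apple.access_ssh and com.apple.access_loginwindow), managed with dseditgroup, and the membership check is performed by mbr_check_service_membership(); here the directory, the SACLs, the user and group names, and the od_admin service name are all constructed for the example.

```python
"""Model of how Service Access Control Lists (SACLs) gate access to a service.

Added example, not from the Apple manual. It mirrors the rule the text states:
once an SACL exists for a service, only the users and groups it lists (directly
or via nested groups) may use that service. On a real macOS system the SACL is
the group com.apple.access_<service> and the check is mbr_check_service_membership();
both are modelled here with plain dicts so the example runs offline.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed directory: group name -> (member users, nested member groups)
GROUPS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "admin":    ({"alice"}, set()),
    "helpdesk": ({"bob"}, set()),
    "itstaff":  (set(), {"admin", "helpdesk"}),   # nests two other groups
    "staff":    ({"alice", "bob", "carol", "dave"}, set()),
    "loop_a":   ({"erin"}, {"loop_b"}),           # a nesting cycle, on purpose
    "loop_b":   (set(), {"loop_a"}),
}

# Constructed SACLs, keyed by service name. A service with no entry has no SACL
# (the com.apple.access_<service> group does not exist) and is open to everyone.
# An entry with an empty ACE set is an SACL that exists but admits nobody.
SACLS: Dict[str, Set[str]] = {
    "ssh":         {"itstaff"},          # a group ACE, expanded through nesting
    "loginwindow": {"alice", "carol"},   # direct user ACEs
    "od_admin":    set(),                # created but nobody was added yet
}


def resolve_members(group: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a group into its user members, following nested groups.

    Unknown groups contribute nothing, and `seen` stops nesting cycles.
    """
    seen = set() if seen is None else seen
    if group in seen or group not in GROUPS:
        return set()
    seen.add(group)
    users, nested = GROUPS[group]
    members = set(users)
    for g in nested:
        members |= resolve_members(g, seen)
    return members


def sacl_allows(service: str, user: str) -> bool:
    """Return True if `user` may use `service` under the SACL model above."""
    aces = SACLS.get(service)
    if aces is None:
        return True                  # no SACL for this service: open to all
    for ace in aces:                 # an ACE names either a user or a group
        if ace == user or user in resolve_members(ace):
            return True
    return False                     # SACL exists and user is not listed


def audit(service: str, users) -> Dict[str, bool]:
    """Access decision for every user in `users`, for one service."""
    return {u: sacl_allows(service, u) for u in sorted(users)}


if __name__ == "__main__":
    everyone = {u for users, _ in GROUPS.values() for u in users}
    for svc in ("ssh", "loginwindow", "od_admin", "afp"):
        print(f"{svc:12s}", audit(svc, everyone))
```

The od_admin entry shows the failure mode to watch for: an SACL that exists but lists no one denies everyone, including the administrators who were supposed to be added, so create the SACL and add its ACEs in one change and verify membership afterwards. On a real server, dseditgroup -o checkmember -m <user> com.apple.access_ssh performs the same membership check that sacl_allows() models here.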