Mac OS X Server Open Directory Administration For Version 10.
LL2352.Book Page 2 Friday, August 22, 2003 3:12 PM Apple Computer, Inc. © 2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services.
Preface: About This Guide
This guide describes the directory services and authentication services that Mac OS X Server can provide to Mac OS X client computers. Here is a summary of each chapter’s contents:
• Chapter 1, “Directory Service Concepts,” explains what directory domains are, how they are used, and how they are organized. It also discusses how the discovery of network services is integrated with directory services.
• Chapter 7, “Managing Directory Access,” explains how to use the Directory Access application. This chapter tells you how to set up services and authentication and contacts search policies. This chapter also explains how to configure access to different directory domains: LDAP, Active Directory, NIS, BSD configuration files, and NetInfo.
Getting Additional Information
Mac OS X Server comes with a suite of guides that explain other services and provide instructions for configuring, managing, and troubleshooting those services. Most of these documents are on the server discs in the form of PDF files. All of them are available in PDF format from www.apple.com/server/documentation.
(Table of guides, columns “This guide” and “Tells you how to”) Mac OS X Server Getting Started For Version 10.
For more information, consult these resources:
• Read Me documents contain important updates and special information. Look for them on the server discs.
• Online help, available from the Help menu in all the server applications, provides onscreen instructions for administration tasks as well as late-breaking news and web updates.
1 Directory Service Concepts
A directory service provides a central repository for information about computer users and network resources in an organization. Storing administrative data in a central repository has many benefits:
• Reduces data entry effort.
• Ensures all network services and clients have consistent information about users and resources.
• Simplifies administration of users and resources.
Apple has built an open, extensible directory services architecture, called Open Directory, into Mac OS X and Mac OS X Server.
Directory Services and Directory Domains
A directory service acts as an intermediary between application and system software processes, which need information about users and resources, and the directory domains that store the information. In Mac OS X and Mac OS X Server, Open Directory provides directory services. Open Directory can access information in one directory domain or several directory domains.
Other application and system software processes can also use the user account information stored in directory domains. When someone attempts to log in to a Mac OS X computer, the login process uses Open Directory services to validate the user name and password.
(Figure: Workgroup Manager reaching a directory domain through Open Directory)
A Historical Perspective
Like Mac OS X, Open Directory has a UNIX heritage.
Data Consolidation
For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory. This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information. If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.eq, master.passwd, and so forth.
Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user’s home directory, the process simply has Open Directory retrieve the information. Open Directory finds the requested information and then returns it, insulating the process from the details of how the information is stored.
Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a network administrator from one location. Open Directory lets you distribute the information so that it is visible on a network to the computers that need it and the administrator who manages it.
• Folder and file access: After logging in successfully, a user can access files and folders. Mac OS X uses another data item from the user record—the user ID (UID)—to determine the user’s access privileges for a file or folder that the user wants to access. When a user accesses a folder or file, the file system compares this user’s UID to the UID assigned to the folder or file.
Inside a Directory Domain
Information in a directory domain is organized into record types, which are specific categories of records, such as users, computers, and mounts. For each record type, a directory domain may contain any number of records. Each record is a collection of attributes, and each attribute has one or more values.
After login, the user could choose “Connect to Server” from the Go menu and connect to Mac OS X Server for file service. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain. If the server’s local directory domain has a record for the user (and the user types the correct password), the server grants the user access to the file services.
Shared domains generally reside on servers because directory domains store extremely important data, such as the data for authenticating users. Access to servers is usually tightly restricted to protect the data on them. In addition, directory data must always be available. Servers often have extra hardware features that enhance their reliability, and servers can be connected to uninterruptible power sources.
If you wanted some users to be able to log in to any computer, you could create their user records in another shared directory domain that all computers can access.
The order in which Mac OS X searches directory domains is configurable. A search policy determines the order in which Mac OS X searches directory domains. The next chapter discusses search policies.
• Service Location Protocol (SLP), an open standard for discovering file and print services
• Server Message Block (SMB), the protocol used by Microsoft Windows for file, print, and other services
In fact, Open Directory can provide information about network services both from service discovery protocols and from directory domains.
2 Open Directory Search Policies
Each computer has a search policy that specifies one or more directory domains and the sequence in which Open Directory searches them. Every Mac OS X computer has a local directory domain and can also access shared directory domains. Nothing prevents the directory domains from having interchangeable records. For example, two directory domains could have user records with the same name but other differences.
Local Directory Search Policy
The simplest search policy consists only of a computer’s local directory. In this case, Open Directory looks for user information and other administrative data only in the local directory domain of each computer. If a server on the network hosts a shared directory, Open Directory does not look there for user information or administrative data because the shared directory is not part of the computer’s search policy.
Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class’s computer. All three of these local domains have the same shared domain, in which all the instructors are defined. Instructors, as members of the shared domain, can log in to all the class computers. The students in each local domain can log in to only the computer where their local account resides.
Here’s a scenario in which more than one shared directory might be used:
(Figure: each classroom computer’s search policy, numbered 1 to 3, spans its local domain, its class’s shared domain (English, math, or science), and the school’s shared domain)
Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer’s search policy specifies the computer’s local domain, the class’s shared domain, and the school’s shared domain.
Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain can be bound to a shared NetInfo domain, which can in turn be bound to another shared NetInfo domain, and so on. The NetInfo binding, if any, constitutes the second part of the automatic search policy. See “About NetInfo Binding” on page 110 for additional information.
Custom Search Policies
If you don’t want a Mac OS X computer to use the automatic search policy supplied by DHCP, you can define a custom search policy for the computer. For example, a custom search policy could specify that an Active Directory domain be consulted when a user record or other administrative data cannot be found in other directory domains.
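The following Python is an added example, not Apple’s code and not part of this guide; the domain names, user names, and UIDs are constructed. It models a search policy as an ordered first-match lookup, shows the automatic policy order described above (local domain, then the NetInfo binding, then the DHCP-supplied LDAP server), and reproduces the classroom scenario, including the case where a local domain and the shared domain both hold a user record with the same short name:

```python
"""Open Directory search policy modelled as an ordered first-match lookup.
Added example, not Apple's code; the domains, users and UIDs are constructed
to mirror the classroom scenario in the guide."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Domain:
    """One directory domain: a name and its user records keyed by short name."""
    name: str
    users: dict = field(default_factory=dict)


@dataclass
class SearchPolicy:
    """Domains are consulted strictly in list order; the first hit wins, so a
    record in an earlier domain hides a same-named record in a later one."""
    domains: list

    def lookup_user(self, short_name: str) -> Optional[tuple]:
        for domain in self.domains:
            if short_name in domain.users:
                return domain.name, domain.users[short_name]
        return None  # not in any domain of the policy: login is refused

    def can_log_in(self, short_name: str) -> bool:
        return self.lookup_user(short_name) is not None


def automatic_policy(local: Domain, netinfo_binding: list,
                     dhcp_ldap: Optional[Domain]) -> SearchPolicy:
    """Automatic search policy order: the local domain, then the chain of
    bound shared NetInfo domains (if any), then the LDAP server that DHCP
    supplied (if any)."""
    domains = [local] + list(netinfo_binding)
    if dhcp_ldap is not None:
        domains.append(dhcp_ldap)
    return SearchPolicy(domains)


# constructed sample data: one local domain per classroom computer and one
# shared school domain holding the instructors
science_local = Domain("science-local",
                       {"student1": {"uid": 1001, "home": "/Users/student1"}})
math_local = Domain("math-local",
                    {"student2": {"uid": 1002, "home": "/Users/student2"}})
school_shared = Domain("school", {
    "instructor": {"uid": 2001, "home": "/Network/Servers/school/Users/instructor"},
    # same short name as the science computer's local account, different record
    "student1": {"uid": 5001, "home": "/Network/Servers/school/Users/student1"},
})

science_policy = SearchPolicy([science_local, school_shared])
math_policy = SearchPolicy([math_local, school_shared])
local_only = SearchPolicy([math_local])   # the "simplest search policy"

if __name__ == "__main__":
    print(science_policy.lookup_user("student1"))  # local record wins: UID 1001
    print(math_policy.lookup_user("student1"))     # only the school record: UID 5001
    print(local_only.can_log_in("instructor"))     # False: shared domain not searched
```

Note that the same short name resolves to two different UIDs depending on which computer the user sits at, which is exactly why file permissions on a shared volume are only meaningful when every computer that mounts it resolves the name through the same shared domain.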
3 User Authentication With Open Directory
Open Directory offers a variety of options for authenticating users whose accounts are stored in directory domains on Mac OS X Server, including Kerberos and the many authentication methods that network services require.
You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit. Open Directory authenticates user accounts, but does not authorize access to any services.
Open Directory Authentication
When a user’s account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Neither Kerberos nor Open Directory Password Server stores the password in the user’s account. Both Kerberos and Open Directory Password Server store passwords outside the directory domain and never allow passwords to be read. Passwords can only be set and verified.
Open Directory Password Server Authentication Methods
The Open Directory Password Server is based on a standard known as Simple Authentication and Security Layer (SASL). It is an extensible authentication scheme that allows Open Directory Password Server to support a variety of network user authentication methods required by mail service, file services, and other services of Mac OS X Server.
• The password is stored in recoverable (clear text) or hashed (encrypted) form. The form depends on the authentication method. A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear text password is enabled, the Open Directory authentication database stores only hashes of passwords.
Here are examples of realm and principal names; note that realm names are capitalized by convention to distinguish them from DNS domain names:
• Realm: MYREALM.EXAMPLE.COM
• User principal: smitty@MYREALM.EXAMPLE.COM
• Service principal: afpserver/somehost.example.com@MYREALM.EXAMPLE.COM
Kerberos Authentication Process
There are several phases to Kerberos authentication.
Note that the service does not need to know any password or password policy information. Once a ticket-granting ticket has been obtained, no password information needs to be provided. Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client will fail to achieve authentication with the KDC.
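As an added example covering the two points above, the naming of realms and principals and the clock-skew requirement, here is Python that is neither Apple’s nor MIT Kerberos code. It parses the principal forms shown in the guide (checking the upper-case realm convention) and decides whether a client clock is close enough to the KDC’s for authentication to proceed. The five-minute limit is an assumption, a common KDC default; the guide only says “more than a few minutes”. The KDC clock value is constructed.

```python
"""Kerberos principal parsing and the clock-skew check described in the guide.
Added example, not Apple's or MIT's code.  MAX_CLOCK_SKEW is an assumption
(a common KDC default); the sample principals are the ones in the guide."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumption, see lead-in
KDC_NOW = datetime(2003, 8, 22, 15, 12, tzinfo=timezone.utc)   # constructed KDC clock


@dataclass(frozen=True)
class Principal:
    primary: str               # user name, or service name such as "afpserver"
    instance: Optional[str]    # host name for a service principal, None for a user
    realm: str

    @property
    def is_service(self) -> bool:
        return self.instance is not None

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Parse 'user@REALM' or 'service/host@REALM'.

    Rejects a missing or empty realm, and rejects a realm that is not all
    upper-case because this guide capitalises realms to tell them apart from
    DNS domain names (a house convention check, not a protocol rule)."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in principal: {text!r}")
    name, realm = text.split("@")
    if not name or not realm:
        raise ValueError(f"principal needs both a name and a realm: {text!r}")
    if realm != realm.upper():
        raise ValueError(f"realm is not upper-case as convention requires: {realm!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def is_valid_principal(text: str) -> bool:
    try:
        parse_principal(text)
        return True
    except ValueError:
        return False


def clock_skew(client_time: datetime, kdc_time: datetime) -> timedelta:
    return abs(client_time - kdc_time)


def kdc_would_accept(client_time: datetime, kdc_time: datetime,
                     limit: timedelta = MAX_CLOCK_SKEW) -> bool:
    """True when the client's clock is within the allowed skew of the KDC's.
    Outside it, the ticket-granting exchange fails before any password is
    checked, which is why a wrong clock looks like a wrong password."""
    return clock_skew(client_time, kdc_time) <= limit


def kdc_would_accept_after_minutes(minutes_off: float,
                                   limit: timedelta = MAX_CLOCK_SKEW) -> bool:
    """Convenience wrapper: a client whose clock is minutes_off from KDC_NOW."""
    return kdc_would_accept(KDC_NOW + timedelta(minutes=minutes_off), KDC_NOW, limit)


if __name__ == "__main__":
    for text in ("smitty@MYREALM.EXAMPLE.COM",
                 "afpserver/somehost.example.com@MYREALM.EXAMPLE.COM"):
        p = parse_principal(text)
        print(p, "service" if p.is_service else "user")
    print(kdc_would_accept_after_minutes(2))    # True
    print(kdc_would_accept_after_minutes(12))   # False
```

In practice the check above is the reason to point every client and server at the same network time source before troubleshooting Kerberos logins.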
A shadow password is stored as several hashes in a file on the same computer as the directory domain where the user account resides. Because the password is not stored in the user account, the password is not easy to capture over the network. Each user’s shadow password is stored in a different file, called a shadow password file, and these files are protected so they can be read only by the root user account.
Different hash functions are used to encrypt shadow and crypt passwords. For crypt passwords, the standard UNIX crypt function is used. Shadow passwords are encrypted using several hash functions, including NT and LAN Manager.
Cracking Readable Passwords
Because crypt passwords are stored directly in user accounts, they are potentially subject to cracking. User accounts in a shared directory domain are openly accessible on the network.
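To make the three storage models concrete from a defender’s side, here is an added audit script (not Apple’s tooling and not from this guide) that classifies user records by where their password lives and flags the only case in which a hash is readable by anyone who can read the directory: a crypt password in a shared domain. It keys off the authentication authority attribute that the guide mentions in the migration section; the tag values used (;basic; for crypt, ;ShadowHash; for a shadow file, ;ApplePasswordServer; and ;Kerberosv5; for Open Directory) are the Mac OS X ones, while the records themselves are constructed.

```python
"""Audit of where each account's password lives, driven by the
AuthenticationAuthority attribute of user records.  Added example, not
Apple's tooling.  The records are constructed; the tag names are the ones
Mac OS X uses (";basic;" crypt hash in the record, ";ShadowHash;" root-only
shadow file, ";ApplePasswordServer;" / ";Kerberosv5;" Open Directory)."""


def password_type(record: dict) -> str:
    """Map a user record to one of the guide's password types."""
    tags = set()
    for value in record.get("AuthenticationAuthority", []):
        parts = value.split(";")          # ";Tag;data" -> ["", "Tag", "data"]
        if len(parts) > 1 and parts[1]:
            tags.add(parts[1].lower())
    if "applepasswordserver" in tags or "kerberosv5" in tags:
        return "Open Directory"           # password held outside the directory
    if "shadowhash" in tags:
        return "Shadow password"          # hashes in a file readable only by root
    if "basic" in tags:
        return "Crypt password"           # crypt hash stored in the record itself
    if record.get("Password"):
        # no authentication authority but a hash present: a legacy account
        # (Mac OS X Server 10.1 or earlier) that is still validated by crypt
        return "Crypt password"
    return "Unknown"


def audit(records: list, domain_is_shared: bool) -> list:
    """One finding per record.  hash_readable_on_network is True only for a
    crypt password in a shared domain, since shared domains are openly
    accessible on the network and crypt hashes sit inside the record."""
    findings = []
    for record in records:
        ptype = password_type(record)
        hash_in_record = ptype == "Crypt password"
        findings.append({
            "name": record["RecordName"],
            "type": ptype,
            "hash_in_record": hash_in_record,
            "hash_readable_on_network": hash_in_record and domain_is_shared,
        })
    return findings


# constructed sample records from a shared LDAP domain; hash values are placeholders
SAMPLE_RECORDS = [
    {"RecordName": "alice",
     "AuthenticationAuthority": [";ApplePasswordServer;0x00placeholder,1024 35 placeholder"]},
    {"RecordName": "bob",
     "AuthenticationAuthority": [";basic;"], "Password": "$1$placeholder$hash"},
    {"RecordName": "carol",
     "AuthenticationAuthority": [";ShadowHash;"], "Password": "********"},
    {"RecordName": "legacy", "Password": "placeholdercrypt"},   # pre-10.2 account
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, domain_is_shared=True):
        print(finding)
```

Running this over an export of a shared domain gives the list of accounts to move to the Open Directory password type (or to a shadow password if they live in the local domain), which is the remediation the rest of this chapter describes.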
LDAP Bind Authentication
For user accounts that reside in an LDAP directory on a non-Apple server, Open Directory attempts to use simple LDAP bind authentication. Open Directory sends the LDAP directory server the name and password supplied by the authenticating user. If the LDAP server finds a matching user record and password, authentication succeeds.
4 Open Directory Planning
Like the plumbing and wiring in a building, directory services for a network must be planned in advance, not on an ad hoc basis. Keeping information in shared directory domains gives you more control over your network, allows more users access to the information, and makes maintaining the information easier for you. But the amount of control and convenience depends on the effort you put into planning your shared domains.
If you want to share information among Mac OS X computers, you need to set up at least one shared directory domain.
If you want all computers to have access to certain administrative data, you store the data in a shared directory domain that is in all computers’ search policies. To make some data accessible only to a subset of computers, you store it in a shared directory domain that is only in the search policies of those computers.
The Open Directory server may actually be able to provide LDAP and authentication services to more client computers, because all the client computers will not need these services at once. Each client computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even shorter lived.
Replicating Open Directory Services
Mac OS X Server supports replication of the LDAP directory service, the Open Directory Password Server, and the Kerberos KDC. By replicating your directory and authentication services you can:
• Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.
Having more replicas does have a disadvantage. Replicas communicate with each other and with the master over the network. This network communication overhead increases as you add replicas. Adding too many replicas can actually add more network traffic between buildings in the form of replication updates than it removes in the form of Open Directory client communications.
Open Directory Security
With Mac OS X Server version 10.3, a server that has a shared LDAP directory domain also provides Open Directory authentication. The authentication data stored by Open Directory is particularly sensitive. This authentication data includes the Open Directory Password Server database and the Kerberos database, which is extraordinarily sensitive.
Replication introduces a minimal increase in security risk. The replicated LDAP directory data has no access controls to restrict reading it, so anyone on the network can download the entire directory irrespective of replication. The password data is securely replicated using random keys negotiated during each replication session. The authentication portion of replication traffic—the Open Directory Password Server and the Kerberos KDC—is fully encrypted.
For basic information about using Server Admin, see the chapter on server administration in the getting started guide. Server Admin is installed in /Applications/Server/.
Directory Access
You use Directory Access to:
• Enable or disable kinds of directory services and kinds of network service discovery on a Mac OS X computer.
• Define authentication and contacts search policies for a Mac OS X computer.
NetInfo Manager
You use NetInfo Manager to view and change records, attributes, and values in legacy NetInfo domains on computers that still use or have been upgraded from Mac OS X Server version 10.2 or earlier. You can do these same tasks by using the Inspector in Workgroup Manager. You can also use NetInfo Manager to manage a legacy NetInfo hierarchy and back up and restore a legacy NetInfo domain. NetInfo Manager is located in /Applications/Utilities/.
5 Setting Up Open Directory Services
You can use Server Admin to set up the Open Directory role of a server, set up single signon and Kerberos authentication services, configure LDAP options, and migrate from NetInfo to LDAP. Open Directory services—directory services and authentication services—are an essential part of a network’s infrastructure. These services have a significant effect on other network services and on users.
Step 6: Migrate upgraded servers from NetInfo to LDAP
See “Migrating a Directory Domain From Netinfo to LDAP” on page 66 and “Disabling NetInfo After Migrating to LDAP” on page 69.
Step 7: Set up Directory Access on servers and client computers
See Chapter 7, “Managing Directory Access.”
Before You Begin
Before setting up Open Directory services for the first time:
• Understand the uses of directory data and assess your directory needs.
Managing Open Directory on a Remote Server
You can install Server Admin on a computer with Mac OS X version 10.3 or later and use it to manage Open Directory on any server locally or remotely. You can also manage Open Directory remotely by using command-line tools from a Mac OS X computer or a non-Macintosh computer. For more information, see the server administration chapter of the getting started guide.
Setting Up an Open Directory Master
Using Server Admin, you can set up Mac OS X Server to be an Open Directory master so it can provide directory information and authentication information to other systems. Mac OS X Server provides directory information by hosting a shared LDAP directory domain. In addition, the server authenticates users whose accounts are stored in the shared LDAP directory domain.
• You can configure DHCP service to supply the Open Directory master as an LDAP server to computers with automatic search policies. Computers with Mac OS X or Mac OS X Server version 10.2 can have automatic search policies. These computers don’t have to be configured individually to access the LDAP server. When these computers start up, they try to get the address of an LDAP server from DHCP service.
Important: If you change a Mac OS X Server computer that was connected to another directory system to be an Open Directory replica instead, the server remains connected to the other directory system. The server will search for user records and other information in its shared LDAP directory domain before searching in other directory systems to which it is connected.
You can configure Mac OS X computers to connect to an Open Directory replica instead of the Open Directory master for directory and authentication services. On each Mac OS X computer, you can use Directory Access to create an LDAPv3 configuration for accessing the replica’s LDAP directory and set up a custom search policy that includes this LDAPv3 configuration.
Setting Up a Connection to a Directory System
Using Server Admin, you can set up Mac OS X Server to get user records and other directory information from another server’s shared directory domain. The other server also provides authentication for its directory information. Mac OS X Server will still get directory information from its own local directory domain and will provide authentication for this directory information.
Setting Up Single Signon and Kerberos
Setting up single signon and Kerberos authentication involves these tasks:
• An administrator who has authority to manage directory domains sets up a server as an Open Directory master, which hosts a Kerberos Key Distribution Center (KDC). See “Setting Up an Open Directory Master for Single Signon and Kerberos” on page 61.
A server that is an Open Directory master requires no additional configuration to support single signon and Kerberos authentication for all the Kerberized services that the server itself provides. This server can also support single signon and Kerberos authentication for Kerberized services of other servers on the network. The other servers must be set up to join the Open Directory master for single signon and Kerberos.
Administrator Name: Enter the name of an LDAP directory administrator on the Open Directory master server.
Administrator Password: Enter the password of the administrator account you entered.
Configuration Record Name: Enter the computer record name of the server for which you are delegating authority to join Kerberos. The server’s computer record name is the same as the server’s name in a computer account.
Setting the Replication Frequency of an Open Directory Master
Using Server Admin, you can specify how frequently an Open Directory master will update its replicas with changes to directory and authentication information. The master can update the replicas whenever a change occurs in the master directory domain or on a schedule you specify.
Limiting Search Results for LDAP Service
Using Server Admin, you can prevent one type of denial-of-service attack on Mac OS X Server by limiting the number of search results returned by the server’s shared LDAP directory domain. Limiting the number of search results prevents a malicious user from tying up the server by sending it multiple all-inclusive LDAP search requests.
To set up SSL communications for LDAP service:
1 Open Server Admin and in the Computers & Services list, select Open Directory for a server that is an Open Directory master or an Open Directory replica.
2 Click Settings (near the bottom of the window), then click Protocols (near the top).
3 Choose LDAP Settings from the Configure pop-up menu, then select Use SSL.
4 Enter the location and name for the SSL Certificate, SSL Key, and CA Certificate.
Migration to LDAP does not change how user passwords are validated except for passwords validated by Authentication Manager. Passwords that were validated by a Password Server continue to be validated by the same Password Server. If any user accounts in the NetInfo domain used Authentication Manager for password validation, the migration process converts them to have a password type of Open Directory.
6 After migration finishes, set up DHCP service to provide the LDAP server’s address to client computers with automatic search policies. Computers with Mac OS X or Mac OS X Server version 10.2 can have automatic search policies. These computers don’t have to be configured individually to access the LDAP server. When these computers start up, they try to get an LDAP server’s address from DHCP service.
Disabling NetInfo After Migrating to LDAP
If none of the client computers on your network needs NetInfo access to a directory domain that has been migrated to LDAP, you can use Server Admin to disable NetInfo. You can manually disable the NetInfo server even if you scheduled a shutdown of the NetInfo server while setting up the migration to LDAP. Important: Do not disable NetInfo prematurely.
6 Managing User Authentication
The authentication services included with Mac OS X Server don’t require any setup, but you can change how each user is authenticated.
Composing a Password
The password associated with a user’s account must be entered by the user when he or she authenticates for login or some other service. The password is case sensitive (except for SMB LAN Manager passwords) and is masked on the screen as it is entered.
If you change the password of an account whose password type is Open Directory and the account resides in the LDAP directory of an Open Directory replica or master, the change will eventually be synchronized with the master and all its replicas. Mac OS X Server automatically synchronizes changes to Open Directory passwords among a master and its replicas.
Changing the Global Password Policy
Using Server Admin, you can set a global password policy for user accounts in a Mac OS X Server directory domain. The global password policy affects user accounts in the server’s local directory domain. If the server is an Open Directory master or replica, the global password policy also affects the server’s LDAP directory domain.
Setting Password Policies for Individual Users
Using Workgroup Manager, you can set password policies for individual user accounts whose password type is Open Directory. The password policy for a user overrides the global password policy defined on the Authentication Settings pane of Open Directory service in Server Admin. Administrator accounts are always exempt from password policies.
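The precedence rules in the two sections above (a global policy for the domain, a per-user policy that overrides it, and administrators exempt) are easy to get wrong when auditing an existing server, so here is an added Python model of them. It is not Apple’s implementation and not from this guide; the policy fields, the sample accounts and the dates are constructed, and a per-user policy is modelled as replacing the global one outright rather than merging with it.

```python
"""Password policy evaluation as the guide describes it: a global policy, an
optional per-user policy that overrides it, and administrators exempt from
both.  Added example, not Apple's implementation; fields, accounts and dates
are constructed."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Policy:
    min_length: int = 0
    require_letter_and_digit: bool = False
    max_failed_logins: Optional[int] = None   # None: never lock the account
    max_age_days: Optional[int] = None        # None: password never expires
    disabled_on: Optional[date] = None        # None: no scheduled disabling


@dataclass
class Account:
    name: str
    is_admin: bool = False
    failed_logins: int = 0
    password_set_on: date = date(2003, 8, 22)
    user_policy: Optional[Policy] = None      # set in Workgroup Manager, if any


def effective_policy(acct: Account, global_policy: Policy) -> Optional[Policy]:
    """None means no policy applies at all (administrators are always exempt);
    otherwise the per-user policy wins over the global one."""
    if acct.is_admin:
        return None
    return acct.user_policy if acct.user_policy is not None else global_policy


def password_violations(acct: Account, global_policy: Policy, candidate: str) -> List[str]:
    """Rules a new password must satisfy; an empty list means acceptable."""
    policy = effective_policy(acct, global_policy)
    if policy is None:
        return []
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_letter_and_digit and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both a letter and a digit")
    return problems


def login_status(acct: Account, global_policy: Policy, today: date) -> str:
    """'ok', 'ok-must-change' (password older than allowed), 'locked' or 'disabled'."""
    policy = effective_policy(acct, global_policy)
    if policy is None:
        return "ok"
    if policy.disabled_on is not None and today >= policy.disabled_on:
        return "disabled"
    if policy.max_failed_logins is not None and acct.failed_logins >= policy.max_failed_logins:
        return "locked"
    if policy.max_age_days is not None and (today - acct.password_set_on).days > policy.max_age_days:
        return "ok-must-change"
    return "ok"


# constructed sample: one domain-wide policy and three kinds of account
GLOBAL = Policy(min_length=8, require_letter_and_digit=True,
                max_failed_logins=5, max_age_days=90)
ADMIN = Account("diradmin", is_admin=True)
STUDENT = Account("student1", failed_logins=5)
OLD_PASSWORD = Account("staff2", password_set_on=date(2003, 1, 1))
GUEST = Account("guest", user_policy=Policy(min_length=4, disabled_on=date(2003, 12, 31)))
TODAY = date(2003, 9, 1)
NEXT_YEAR = date(2004, 1, 1)

if __name__ == "__main__":
    print(password_violations(STUDENT, GLOBAL, "abc"))   # two violations
    print(password_violations(GUEST, GLOBAL, "abcd"))    # [] : per-user policy replaced the global one
    print(login_status(STUDENT, GLOBAL, TODAY))           # locked
    print(login_status(ADMIN, GLOBAL, TODAY))             # ok, whatever the counters say
```

The administrator exemption is the detail worth checking on a real server: a lockout threshold in the global policy gives no protection at all to the directory administrator account, so that account needs a strong password regardless of policy.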
Changing a User’s Password Type
You can set the password type on the Advanced pane of Workgroup Manager to one of the following:
• Open Directory
• Shadow password
• Crypt password
Setting a user’s password type to Open Directory enables multiple legacy authentication methods and also enables single signon and Kerberos if the user’s account is in an LDAP directory. You can also enable a user account to use simple LDAP bind authentication.
To specify that a user account authenticate using Open Directory:
1 Make sure the user’s account resides in a directory domain that supports Open Directory authentication. Directory domains on Mac OS X Server version 10.3 support Open Directory authentication, as do directory domains on Mac OS X Server version 10.2 that are configured to use a Password Server.
2 In Workgroup Manager, open the account you want to work with if it is not already open.
Changing the Password Type to Crypt Password
Using Workgroup Manager, you can specify that a crypt password be used for authenticating one or more user accounts stored in an LDAP or NetInfo directory domain. The LDAP directory domain can be on any server, but cannot be a read-only directory. The NetInfo domain can be on any Mac OS X Server. The crypt password is stored as an encrypted value, or hash, in the user account.
Changing the Password Type to Shadow Password
Using Workgroup Manager, you can specify that a user have a shadow password stored in a secure file apart from the directory domain. Only users whose accounts reside in the local directory domain can have a shadow password.
To specify that a user account authenticate using a shadow password:
1 In Workgroup Manager, open the account you want to work with if it is not already open.
Enabling LDAP Bind Authentication for a User
You can use Workgroup Manager to enable the use of LDAP bind authentication for a user account stored in an LDAP directory domain. When you use this password validation technique, you rely on the LDAP server that contains the user account to authenticate the user’s password.
Exporting and Importing Users Whose Password Type Is Open Directory
When you export user accounts whose password type is set to Open Directory, passwords are not exported. This protects the security of the Open Directory Password Server database. Before importing, you can use a spreadsheet application to open the file of exported users and preset their passwords, which they can change the next time they log in.
Migrating Passwords to Open Directory Authentication
User accounts can be migrated from earlier versions of Mac OS X Server by importing the account records or upgrading the server where they reside. User accounts created with Mac OS X Server version 10.1 or earlier have no authentication authority attribute but do have crypt passwords. For compatibility with such user accounts, Mac OS X Server version 10.
7 Managing Directory Access
You can use Directory Access to set up and manage how a computer with Mac OS X or a server with Mac OS X Server accesses directory services and discovers network services.

Enabling or Disabling Active Directory Service
You can use Directory Access to enable or disable the use of Active Directory on a Windows server. Active Directory is the directory service of Windows 2000 and 2003 servers.
To enable or disable access to Active Directory:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.

Enabling or Disabling LDAP Directory Services
You can use Directory Access to enable or disable access to directory services that use Lightweight Directory Access Protocol (LDAP) versions 2 and 3. A single Directory Access plug-in named LDAPv3 provides access to both LDAP versions 2 and 3. (The LDAPv2 plug-in of Mac OS X version 10.2 is not needed with Mac OS X version 10.3.) Mac OS X Server version 10.

Enabling or Disabling Rendezvous Service Discovery
You can use Directory Access to enable or disable the discovery of some Rendezvous network services. For example, disabling Rendezvous in Directory Access prevents Rendezvous-enabled file servers from appearing in the Network globe in the Finder.

Configuring SMB Service Discovery
You can configure how Mac OS X uses the Server Message Block (SMB) protocol to discover Windows file servers on the network. You can use the Directory Access application to specify the following:
• The Windows workgroup that the computer is a member of
• A Windows Internet Naming Service (WINS) server on the network
To configure discovery of Windows SMB file servers:
1 In Directory Access, click Services.
Each search policy, authentication and contacts, can be set to Automatic, Local directory, or Custom path.
• Automatic starts with the local directory domain and can include an LDAP directory supplied automatically by DHCP and NetInfo domains to which the computer is bound. An automatic search policy is the default setting for Mac OS X version 10.2 and later and offers the most flexibility for mobile computers.

Defining Custom Search Policies
Using Directory Access, you can configure a Mac OS X computer’s authentication and contacts search policies to use a custom list of directory domains. A custom list starts with the computer’s local directory domain; you can also include Open Directory and other LDAP directory domains, an Active Directory domain, shared NetInfo domains, BSD configuration files, and an NIS domain.

To have a search policy use only the local directory domain:
1 In Directory Access, click Authentication or click Contacts. Authentication shows the search policy used for authentication and most other administrative data. Contacts shows the search policy used for contact information in applications such as Address Book.
2 If the lock icon is locked, click it and type the name and password of an administrator.

Enabling or Disabling Use of a DHCP-Supplied LDAP Directory
Using Directory Access, you can configure a Mac OS X computer to get the address of an LDAP directory server automatically when it starts up. Mac OS X requests the address of an LDAP directory server from the DHCP service that also supplies the computer’s IP address, router address, and DNS server addresses.
Configuring Access to an LDAP Directory
You can use Directory Access to create a configuration that specifies how Mac OS X accesses a particular LDAPv3 or LDAPv2 directory.
To create a configuration for accessing an LDAP directory:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.
3 Select LDAPv3 in the list of services, then click Configure.

Changing a Configuration for Accessing an LDAP Directory
You can use Directory Access to change the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses a particular LDAPv3 or LDAPv2 directory.
To edit a configuration for accessing an LDAP directory:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.

6 Change any of the duplicate configuration’s settings.
Enable: Click a checkbox to enable or disable access to an LDAP directory server.
Configuration Name: Double-click a configuration name to edit it.
Server Name or IP Address: Double-click a server name or IP address to change it.
LDAP Mapping: Choose a template from the pop-up menu, then enter the search base for the LDAP directory and click OK.

Changing the Connection Settings for an LDAP Directory
You can use Directory Access to change the connection settings of a configuration that specifies how the computer accesses a particular LDAPv3 or LDAPv2 directory.
To change the connection settings for accessing an LDAP directory:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.

Configuring LDAP Searches and Mappings
Using Directory Access, you can edit the mappings, search bases, and search scopes that specify how Mac OS X finds specific data items in an LDAP directory. You can edit these settings separately for each LDAP directory configuration listed in Directory Access. Each LDAP directory configuration specifies how Mac OS X accesses data in an LDAPv3 or LDAPv2 directory.

8 Add record types and change their search bases as needed. To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK. To change the search base of a record type, select it in the Record Types and Attributes list. Then click the “Search base” field and edit the search base.

10 Click Write to Server if you want to store the mappings in the LDAP directory so that it can supply them automatically to its clients. You must enter a search base to store the mappings, a distinguished name of an administrator (for example, cn=admin,dc=example,dc=com), and a password.

8 Change “Map to __ items in list” to All and change the list on the right to the exact set of LDAP object classes to which you want the Users record type mapped. For example, you could delete shadowAccount from the list so that Users maps to only posixAccount and inetOrgPerson. Or you could map Users to account, posixAccount, and shadowAccount. To change an item on the list, double-click it. To add an item to the list, click Add.
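The “Map to All items in list” versus “Map to Any” choice decides which LDAP entries Mac OS X treats as Users records: with All, an entry must carry every object class in the list; with Any, one is enough. The following added example (written for this edit, not code from the manual or from Apple) applies both rules to a few constructed LDAP entries and also builds the equivalent RFC 4515 search filter, so you can run the same test with ldapsearch against a directory. The entry contents, DNs and the `select_records`/`objectclass_filter` names are assumptions for illustration.

```python
"""Apply an Open Directory record-type mapping to LDAP entries (added example)."""
from typing import Dict, Iterable, List

# Constructed sample entries (not from the manual), in the shape an LDIF
# parser would produce: attribute name -> list of values.
SAMPLE_ENTRIES: List[Dict[str, List[str]]] = [
    {"dn": ["uid=alice,cn=users,dc=example,dc=com"],
     "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount", "apple-user"],
     "uid": ["alice"]},
    # A service account that was created without inetOrgPerson/shadowAccount.
    {"dn": ["uid=svc-backup,cn=users,dc=example,dc=com"],
     "objectClass": ["account", "posixAccount"],
     "uid": ["svc-backup"]},
    # A group: never a Users record whatever the mapping.
    {"dn": ["cn=staff,cn=groups,dc=example,dc=com"],
     "objectClass": ["posixGroup", "apple-group"],
     "cn": ["staff"]},
]


def matches_mapping(entry: Dict[str, List[str]], classes: Iterable[str],
                    mode: str = "all") -> bool:
    """True if the entry's object classes satisfy the mapping.

    mode="all" is the manual's "Map to All items in list": every listed
    class must be present.  mode="any" is "Map to Any items in list".
    objectClass values compare case-insensitively, as in LDAP.
    """
    have = {c.lower() for c in entry.get("objectClass", [])}
    want = {c.lower() for c in classes}
    if mode == "all":
        return want <= have
    if mode == "any":
        return bool(want & have)
    raise ValueError(f"unknown mode {mode!r}")


def select_records(entries: Iterable[Dict[str, List[str]]], classes: Iterable[str],
                   mode: str = "all") -> List[str]:
    """Return the DNs that the record type would resolve to under this mapping."""
    return [e["dn"][0] for e in entries if matches_mapping(e, classes, mode)]


def objectclass_filter(classes: Iterable[str], mode: str = "all") -> str:
    """Equivalent LDAP search filter, usable with ldapsearch to check the mapping."""
    terms = "".join(f"(objectClass={c})" for c in classes)
    return f"(&{terms})" if mode == "all" else f"(|{terms})"


if __name__ == "__main__":
    manual_default = ["posixAccount", "inetOrgPerson", "shadowAccount"]
    print("All  :", select_records(SAMPLE_ENTRIES, manual_default, "all"))
    print("Any  :", select_records(SAMPLE_ENTRIES, manual_default, "any"))
    print("Filter:", objectclass_filter(manual_default, "all"))
```

Changing the list therefore changes which accounts can authenticate: with All and the default three classes, svc-backup above is not a Users record at all, while with Any it is. Run the printed filter with ldapsearch against the real search base before committing a mapping, so you know exactly which entries it admits.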
Populating LDAP Directories With Data for Mac OS X
After configuring access to LDAP directory domains and setting up their data mapping, you can populate them with records and data for Mac OS X.

Learning About the Active Directory Plug-in
You can configure Mac OS X to access basic user account information in an Active Directory domain of a Windows 2000 or Windows 2003 server. What makes this possible is an Active Directory plug-in for Directory Access. This Active Directory plug-in is listed on the Services pane of Directory Access.

The Active Directory plug-in automatically discovers all domains in an Active Directory forest. You can configure the plug-in to allow users from any domain in the forest to authenticate on a Mac OS X computer. The multi-domain authentication can also be disabled to allow only specific domains to be authenticated on the client. The Active Directory plug-in fully supports Active Directory replication and failover.

6 Click Bind, authenticate as a user who has rights to set up a connection to the Active Directory domain, and click OK.
Name and Password: You may be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator may have to provide a name and password.
OU: Enter the organizational unit (OU) for the computer you’re configuring.
7 Optionally, set the advanced options.

In addition, you must add the Active Directory domain to a custom search policy in the Authentication or Contacts pane of Directory Access.
• If you selected “Authenticate in multiple domains” in step 7, adding the Active Directory forest to a custom Authentication search policy enables this computer to authenticate users from any domain in the forest.

To specify a server you prefer the Active Directory plug-in to access:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.
3 Select Active Directory in the list of services, then click Configure.
4 If the advanced options are hidden, click Show Advanced Options.
5 Select “Prefer this domain server” and enter the DNS name of the Active Directory server.

To specify which groups of Active Directory user accounts have administrator privileges:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.
3 Select Active Directory in the list of services, then click Configure.
4 If the advanced options are hidden, click Show Advanced Options.
5 Select “Allow administration by” and enter the names of groups.

To create an Active Directory server configuration:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the Active Directory server’s DNS name or IP address.
5 Optionally, enter the DNS name or the IP address of the server or servers where the NIS domain resides. If you don’t specify any servers, NIS uses a broadcast protocol to discover an NIS server on the subnet.
6 Create a custom search policy that includes the NIS domain. In a custom search policy, the NIS domain is listed as /BSD/domain, where domain is what you entered in step 4. For instructions, see “Defining Custom Search Policies” on page 89.

Setting Up Data in BSD Configuration Files
If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in the files and must be in the format required by Mac OS X. You may need to add, modify, or reorganize data in the files. Workgroup Manager cannot make changes to data in BSD configuration files, so you must make the necessary modifications by using a text editor or other tools.

About NetInfo Binding
When a Mac OS X computer starts up, it can bind its local directory domain to a shared NetInfo domain. The shared NetInfo domain can bind to another shared NetInfo domain. The binding process creates a hierarchy of NetInfo domains. A NetInfo hierarchy has a branched structure. Local domains at the bottom of the hierarchy bind to shared domains, which can in turn bind to other shared domains, and so on.

Configuring NetInfo Binding
Using Directory Access, you can configure Mac OS X or Mac OS X Server to bind to a parent NetInfo domain by using the static, broadcast, or DHCP protocols in any combination. The computer attempts to bind to a parent NetInfo domain when the computer starts up.
Note: If your network has no shared NetInfo domain, setting a computer to bind to a parent NetInfo domain will cause delays when the computer starts up.

8 Choose New Property from the Directory menu.
9 Change new_property to “serves” and then change new_value to the name and NetInfo tag of the child’s local domain, using a “/” to separate the name and the tag. For example, you would change new_value to marketing.demo/local for the local domain of the computer named marketing.demo.
10 Choose Save Changes from the Domain menu, then click Update This Copy.

Setting Up Directory Access on a Remote Server
You can use the Directory Access application on your computer to set up and manage how a server with Mac OS X Server accesses directory services and discovers network services. Your computer must have version 10.2 or later of Mac OS X or Mac OS X Server, and the remote server must have Mac OS X Server version 10.2.
8 Maintenance and Problem Solving
You can monitor Open Directory services, view and edit raw data from Open Directory domains, and back up Open Directory files. You can also solve some common Open Directory problems.

To see directory services status or logs:
1 Open Server Admin and select Open Directory for a server in the Computers & Services list.
2 Click Overview to see status information.
3 Click Logs and use the Show pop-up menu to choose the log you want to see.

Monitoring Open Directory Authentication
You can use the password service logs, visible using Server Admin, to monitor failed login attempts for suspicious activity.
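Reading the password service log by eye does not scale, and “suspicious activity” usually means one of two shapes: many failures against one account, or one client failing against many accounts. The example below is added for this edit and is not code from the manual or from Apple. It does not reproduce the real Password Server log format, which the manual does not show; the sample lines are constructed in a simplified `AUTH user= client= result=` form, and `LINE_RE` is the one piece to adapt to the actual log. The thresholds and function names are assumptions.

```python
"""Sliding-window analysis of authentication failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log in a simplified format (NOT the real password
# service format).  Adapt LINE_RE to the log you actually export.
SAMPLE_LOG = """\
2003-08-22T15:12:01 AUTH user=alice client=192.0.2.44 result=FAILED
2003-08-22T15:12:03 AUTH user=alice client=192.0.2.44 result=FAILED
2003-08-22T15:12:04 AUTH user=alice client=192.0.2.44 result=FAILED
2003-08-22T15:12:06 AUTH user=alice client=192.0.2.44 result=FAILED
2003-08-22T15:12:07 AUTH user=alice client=192.0.2.44 result=FAILED
2003-08-22T15:12:30 AUTH user=alice client=192.0.2.44 result=OK
2003-08-22T15:20:00 AUTH user=bob client=192.0.2.7 result=FAILED
2003-08-22T15:40:00 AUTH user=bob client=192.0.2.7 result=OK
2003-08-22T15:41:00 AUTH user=carol client=198.51.100.9 result=FAILED
2003-08-22T15:41:01 AUTH user=dave client=198.51.100.9 result=FAILED
2003-08-22T15:41:02 AUTH user=erin client=198.51.100.9 result=FAILED
2003-08-22T15:41:03 AUTH user=frank client=198.51.100.9 result=FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) client=(?P<client>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn log lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "client": m["client"],
            "failed": m["result"] != "OK",
        })
    return events


def failed_bursts(events: List[dict], key: str, threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Values of `key` ("user" or "client") with >= threshold failures in any window.

    Returns the largest in-window failure count seen for each flagged value.
    """
    per_key: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_key[e[key]].append(e["ts"])
    alerts: Dict[str, int] = {}
    for value, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[value] = max(alerts.get(value, 0), count)
    return alerts


def spray_sources(events: List[dict], min_distinct_users: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Clients whose failures touch many distinct accounts inside one window.

    One failure per account stays under a per-account threshold, so this
    complements failed_bursts(); returns the max distinct-user count per client.
    """
    per_client: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_client[e["client"]].append((e["ts"], e["user"]))
    alerts: Dict[str, int] = {}
    for client, attempts in per_client.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            if distinct >= min_distinct_users:
                alerts[client] = max(alerts.get(client, 0), distinct)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-user bursts  :", failed_bursts(evs, "user"))
    print("per-client bursts:", failed_bursts(evs, "client"))
    print("spray sources    :", spray_sources(evs))
```

A single failure followed by success (bob above) is ordinary and is not reported; the five rapid failures on alice and the one client cycling through four accounts are. Tune the window and thresholds to your own baseline before acting on the output.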
You can also click the All Records button, which is next to the Computers button, and choose a record type from the pop-up menu at the top of the list. The pop-up menu lists all standard record types that exist in the directory domain. You can also choose Native from the pop-up menu and type the name of a native record type into the box that appears below the pop-up menu.

5 Locate RecordName in the list of attributes, and if a triangle appears next to RecordName, click the triangle to see all RecordName values. The RecordName attribute stores the user’s short name or names.
6 Double-click the RecordName value that is the short name you want to change, then type another short name and press Return. You can also click a RecordName value, and then click Edit to change the value in an editing sheet.
7 Click Save.

This use of slapcat saves the complete contents of the LDAP directory as a raw LDIF dump in a text file named backup.ldif. You can specify a different filename and a pathname. The file you specify contains all user records, group records, computer records, and so on. (The file does not contain passwords for user records whose password type is Open Directory. These passwords are not stored in the LDAP directory database.
Restoring Open Directory Files
To restore an Open Directory master from backup files, you need to restore its shared LDAP directory domain, its configuration files, and its Open Directory Password Server database. You might want to restore the server’s local directory, which is a NetInfo domain, as well.

8 Type the following command and press Return.
mkpassdb -mergedb backup folder pathname
This use of mkpassdb adds all of the passwords from the Open Directory Password Server backup folder, located at backup folder pathname, into the server’s existing Open Directory Password Server database. (The server has an existing Open Directory Password Server for its local directory domain.

Solving Authentication Problems
You can solve some common problems with authentication services.
A User’s Password Can’t Be Modified
Before you can modify the password of a user whose password is authenticated by Open Directory, you must be an administrator of the directory domain in which the user’s record resides. In addition, your user account must be configured for Open Directory authentication.

Resetting an Administrator Password
Using the Mac OS X Server installation disc, you can change the password of a user account that has administrator privileges, including the System Administrator (root or superuser) account.
Important: Because a user with the installation disc can gain unrestricted access to your server, you should restrict physical access to the server hardware.
Appendix A Mac OS X Directory Data
Knowing the Open Directory LDAP schema and the record types and attributes in Mac OS X directory domains can help you map to other directory domains and import or export user and group accounts.

Use these specifications for reference when you:
• Map object classes and attributes of non-Apple LDAP directories or Active Directory domains to Open Directory record types and attributes, as described in Chapter 7, “Managing Directory Access.”
• Import or export user or group accounts to an Open Directory domain, as described in the user management guide.

User Object Class
The apple-user object class is an auxiliary class used to store Mac OS X-specific attributes that are not part of inetOrgPerson or posixAccount. This object class is used with kDSStdRecordTypeUsers records.
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.

Machine Auxiliary Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.3 NAME 'apple-machine' SUP top AUXILIARY MAY ( apple-machine-software $ apple-machine-hardware $ apple-machine-serves $ apple-machine-suffix ) )
Mount Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.8 NAME 'mount' SUP top STRUCTURAL MUST ( cn ) MAY ( mountDirectory $ mountType $ mountOption $ mountDumpFrequency $ mountPassNo ) )
Printer Object Class
objectclass ( 1.3.6.1.4.1.

macAddress $ apple-computer-list-groups $ apple-mcxflags $ apple-mcxsettings $ apple-xmlplist $ authAuthority $ uidNumber $ gidNumber $ apple-generateduid $ acctFlags $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ rid $ primaryGroupID ) )
ComputerList Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.

Preset Computer List Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.13 NAME 'apple-preset-computer-list' DESC 'preset computer list' SUP top STRUCTURAL MUST ( cn ) MAY ( apple-mcxflags $ apple-mcxsettings $ apple-keyword ) )
Preset Group Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.3.

apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-passwordpolicy $ userPassword $ apple-user-picture $ apple-keyword $ loginShell $ shadowLastChange $ shadowExpire $ authAuthority $ apple-preset-user-is-admin ) )
Authentication Authority Object Class
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.16 NAME 'authAuthorityObject' SUP top AUXILIARY MAY ( authAuthority ) )
Server Assistant Configuration Object Class
objectclass ( 1.3.6.1.4.
Attributes in Open Directory LDAP Schema
This section defines the Open Directory LDAP attributes that extend the standard LDAP schema.

User Attributes
apple-user-homeurl
Used to store home directory information in the form of a URL and path. This maps to the kDS1AttrHomeDirectory attribute type in Directory Services.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.

apple-user-mailattribute
Stores mail-related settings as XML.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.9 NAME 'apple-user-mailattribute' DESC 'mail attribute' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
apple-mcxflags
Used to store managed client information. This attribute can be found in user, group, computer, and computer list records.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.

apple-user-picture
Stores a file system path to the picture to use for this user record when displayed in login window. This is used when the network user shows in the login window scrolling list (in managed networks). Users can modify their own pictures by default.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.12 NAME 'apple-user-picture' DESC 'picture' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-user-authenticationhint
The apple-user-authenticationhint attribute is used by login window to provide a hint if the user logs in incorrectly three times. By default each user can update their own authentication hint.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authenticationhint' DESC 'password hint' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-generateduid
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.20 NAME ( 'apple-generateduid' ) DESC 'generated unique ID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
apple-user-homeDirectory
This is not used by the Open Directory Server, but is provided as an example OID and attribute to use as an alternative to the homeDirectory attribute from RFC 2307.

apple-group-homeowner
The apple-group-homeowner attribute determines the owner of the workgroup home directory when created in the file system. The group of the directory is the workgroup it is associated with.
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.2 NAME 'apple-group-homeowner' DESC 'group home owner settings' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

Machine Attributes
apple-machine-software
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.3.8 NAME 'apple-machine-software' DESC 'installed system software' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
apple-machine-hardware
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.3.

Mount Attributes
mountDirectory
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.1 NAME 'mountDirectory' DESC 'mount path' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
mountType
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.2 NAME 'mountType' DESC 'mount VFS type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

mountPassNo
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.5 NAME 'mountPassNo' DESC 'mount passno' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Printer Attributes
apple-printer-attributes
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.9.

apple-printer-type
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.9.4 NAME 'apple-printer-type' DESC 'printer type' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
apple-printer-note
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.9.5 NAME 'apple-printer-note' DESC 'printer note' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-computer-list-groups
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer-list-groups' DESC 'groups' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
apple-xmlplist
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist' DESC 'XML plist data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.

apple-config-realname
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.3 NAME 'apple-config-realname' DESC 'config real name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
apple-password-server-list
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.4 NAME 'apple-password-server-list' DESC 'password server replication plist' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.

apple-kdc-authkey
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authkey' DESC 'KDC master key RSA encrypted with realm public key' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
apple-kdc-configdata
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.8 NAME 'apple-kdc-configdata' DESC 'Contents of the kdc.conf file' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.

Location Attributes
apple-dns-domain
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.18.1 NAME 'apple-dns-domain' DESC 'DNS domain' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
apple-dns-nameserver
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.18.2 NAME 'apple-dns-nameserver' DESC 'DNS name server list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
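The object class and attribute definitions in this appendix are written in the standard LDAP schema description syntax (RFC 2252 at the time, RFC 4512 today), and when you map a third-party directory you usually have to read its schema in the same form. The added example below (written for this edit, not code from the manual or from Apple) is a small parser for that syntax. Its sample input is four definitions copied from this appendix (apple-generateduid, mountPassNo, authAuthorityObject and mount); the function names and the dictionary layout are assumptions.

```python
"""Parse LDAP attributetype / objectclass definitions (added example)."""
import re
from typing import Dict, List

# Four definitions taken from this appendix, reflowed across lines the way
# a schema file would wrap them.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.20 NAME ( 'apple-generateduid' )
  DESC 'generated unique ID' EQUALITY caseExactMatch
  SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.8.5 NAME 'mountPassNo' DESC 'mount passno'
  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.16 NAME 'authAuthorityObject' SUP top AUXILIARY
  MAY ( authAuthority ) )
objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.8 NAME 'mount' SUP top STRUCTURAL MUST ( cn )
  MAY ( mountDirectory $ mountType $ mountOption $ mountDumpFrequency $ mountPassNo ) )
"""

# Tokens: a quoted string, a parenthesis, the '$' list separator, or a bare word.
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")
CLASS_KINDS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT"}
FLAGS = {"SINGLE-VALUE", "OBSOLETE", "NO-USER-MODIFICATION", "COLLECTIVE"}
LIST_KEYS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}


def _unquote(tok: str) -> str:
    return tok[1:-1] if tok.startswith("'") else tok


def _parse_body(kind: str, toks: List[str]) -> Dict:
    """Parse the tokens between the outer parentheses of one definition."""
    d: Dict = {"kind": kind, "oid": toks[0], "names": [], "sup": [], "must": [], "may": []}
    i = 1
    while i < len(toks):
        key = toks[i].upper()
        if key in CLASS_KINDS:
            d["class_kind"] = key
            i += 1
        elif key in FLAGS:
            d[key.lower().replace("-", "_")] = True   # e.g. single_value
            i += 1
        elif key in LIST_KEYS:                          # one value or a '(' a $ b ')' list
            i += 1
            if toks[i] == "(":
                i += 1
                items = []
                while toks[i] != ")":
                    if toks[i] != "$":
                        items.append(_unquote(toks[i]))
                    i += 1
                i += 1
            else:
                items = [_unquote(toks[i])]
                i += 1
            d[LIST_KEYS[key]] = items
        else:                                           # DESC, EQUALITY, SUBSTR, ORDERING, SYNTAX, USAGE
            d[key.lower()] = _unquote(toks[i + 1])
            i += 2
    return d


def parse_schema(text: str) -> List[Dict]:
    """Return one dict per attributetype/objectclass definition found in text."""
    toks = TOKEN_RE.findall(text)
    defs, i = [], 0
    while i < len(toks):
        kind = toks[i].lower()
        if kind in ("attributetype", "objectclass") and i + 1 < len(toks) and toks[i + 1] == "(":
            body, depth, j = [], 1, i + 2
            while j < len(toks) and depth:              # collect up to the matching ')'
                if toks[j] == "(":
                    depth += 1
                elif toks[j] == ")":
                    depth -= 1
                if depth:
                    body.append(toks[j])
                j += 1
            defs.append(_parse_body(kind, body))
            i = j
        else:
            i += 1
    return defs


def allowed_attributes(defs: List[Dict], class_names: List[str]) -> List[str]:
    """Sorted union of MUST and MAY for the named object classes (direct members only)."""
    allowed = set()
    for d in defs:
        if d["kind"] == "objectclass" and any(n in class_names for n in d["names"]):
            allowed.update(d["must"], d["may"])
    return sorted(allowed)


if __name__ == "__main__":
    for d in parse_schema(SAMPLE_SCHEMA):
        print(d["kind"], d["oid"], d["names"])
    print(allowed_attributes(parse_schema(SAMPLE_SCHEMA), ["mount"]))
```

`allowed_attributes` is the check a mapping needs most often: before mapping an Open Directory attribute onto a foreign class, confirm the target attribute is actually permitted by that class, or the server will reject the write with an object class violation.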
Record Type Mappings for Users
Open Directory name, RFC/class | LDAP object class name | OID | Active Directory plug-in
Users, RFC 2798 | inetOrgPerson | 2.16.840.1.113730.3.2.2 | ObjectCategory = Person
Users, RFC 2307 | posixAccount | 1.3.6.1.1.1.2.0 |
Users, RFC 2307 | shadowAccount | 1.3.6.1.1.1.2.1 |
Users, Apple registered | apple-user | 1.3.6.1.4.1.63.1000.1.1.2.

Open Directory name, RFC/class, special purpose | LDAP attribute name | OID | Active Directory plug-in
GeneratedUID, Apple registered | apple-generateduid | 1.3.6.1.4.1.63.1000.1.1.1.1.20 | From GUID—formatted
RecordName, RFC 2256 | cn | 2.5.4.3 | Generated from cn, userPrincipal, mail, sAMAccountName
RecordName, RFC 1274 | uid | 0.9.2342.19200300.100.1.1 | N/A
EMailAddress, RFC 1274 | mail | 0.9.2342.19200300.100.1.3 | RFC standard
RealName, RFC 2256 | cn | 2.5.4.3 | 1.2.

Open Directory name, RFC/class, special purpose | LDAP attribute name | OID | Active Directory plug-in
SMBAccountFlags, Samba registered, Apple PDC | acctFlags | 1.3.6.1.4.1.7165.2.1.4 | 1.2.840.113556.1.4.302 (Microsoft)
SMBPasswordLastSet, Samba registered, Apple PDC | pwdLastSet | 1.3.6.1.4.1.7165.2.1.3 | 1.2.840.113556.1.4.96 (Microsoft)
SMBLogonTime, Samba registered, Apple PDC | logonTime | 1.3.6.1.4.1.7165.2.1.5 | 1.2.840.113556.1.4.

Open Directory name, RFC/class, special purpose | LDAP attribute name | OID | Active Directory plug-in
Department, RFC 2798 | departmentNumber | 2.16.840.1.113730.3.1.2 | 1.2.840.113556.1.2.141 (Microsoft)
NickName, Microsoft Attribute | | | 1.2.840.113556.1.2.447 (Microsoft)
JobTitle, RFC 2256 | title | 2.5.4.12 | RFC standard
Building, RFC 2256 | buildingName | 2.5.4.19 | RFC standard
Country, RFC 2256 | c | 2.5.4.6 | RFC standard
Street, RFC 2256 | street | 2.5.4.9 | 1.2.

Attribute Mappings for Groups
Open Directory name, RFC/class | LDAP attribute name | OID | Active Directory plug-in
RecordName, RFC 2256 | cn | 2.5.4.3 | RFC standard
HomeDirectory, Apple registered | apple-group-homeurl | 1.3.6.1.4.1.63.1000.1.1.1.14.1 | Apple extended schema
HomeLocOwner, Apple registered | apple-group-homeowner | 1.3.6.1.4.1.63.1000.1.1.1.14.2 | Apple extended schema
MCXFlags, Apple registered | apple-mcxflags | 1.3.6.1.4.1.63.1000.1.1.1.1.

Attribute Mappings for Mounts
Open Directory name, RFC/class | LDAP attribute name | OID | Active Directory plug-in
RecordName, RFC 2256 | cn | 2.5.4.3 | RFC standard
VFSLinkDir, Apple registered | mountDirectory | 1.3.6.1.4.1.63.1000.1.1.1.8.1 | Apple extended schema
VFSOpts, Apple registered | mountOption | 1.3.6.1.4.1.63.1000.1.1.1.8.3 | Apple extended schema
VFSType, Apple registered | mountType | 1.3.6.1.4.1.63.1000.1.1.1.8.

Open Directory name, RFC/class, special purpose | LDAP attribute name | OID | Active Directory plug-in
AuthenticationAuthority, Apple registered | authAuthority | 1.3.6.1.4.1.63.1000.1.1.2.16.1 | Apple extended schema
GeneratedUID, Apple registered | apple-generateduid | 1.3.6.1.4.1.63.1000.1.1.1.1.20 | From GUID—formatted
XMLPlist, Apple registered | apple-xmlplist | 1.3.6.1.4.1.63.1000.1.1.1.17.1 | Apple extended schema
Comment, RFC 2256 | description | 2.5.4.
LL2352.Book Page 153 Friday, August 22, 2003 3:12 PM Mappings for ComputerLists The following tables specify how the LDAPv3 plug-in in Directory Access maps the Open Directory ComputerLists record type and attributes to LDAP object classes. The tables also specify how the Active Directory plug-in in Directory Access maps and generates Active Directory object categories and attributes from Open Directory record types and attributes.
LL2352.Book Page 154 Friday, August 22, 2003 3:12 PM Attribute Mappings for Config Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory plug-in RecordName, RFC 2256 cn 2.5.4.3 RFC standard RealName, Apple registered apple-config-realname 1.3.6.1.4.1.63.1000.1.1.1.12.3 1.2.840.113556.1.2.13 (Microsoft) DataStamp, Apple registered apple-data-stamp 1.3.6.1.4.1.63.1000.1.1.1.12.2 Apple extended schema KDCAuthKey, Apple registered, Apple KDC apple-kdc-authkey 1.
LL2352.Book Page 155 Friday, August 22, 2003 3:12 PM Attribute Mappings for People Open Directory name, RFC/class LDAP attribute name OID Active Directory plug-in RecordName, RFC 2256 cn 2.5.4.3 RFC standard EMailAddress, RFC 1274 mail 0.9.2342.19200300.100.1.3 RFC standard RealName, RFC 2256 cn 1.2.840.113556.1.3.23 RFC standard LastName, RFC 2256 sn 2.5.4.4 RFC standard FirstName, RFC 2256 givenName 2.5.4.42 RFC standard FaxNumber, RFC 2256 fax 2.5.4.
LL2352.Book Page 156 Friday, August 22, 2003 3:12 PM Mappings for PresetComputerLists The following tables specify how the LDAPv3 plug-in in Directory Access maps the Open Directory PresetComputerLists record type and attributes to LDAP object classes. The tables also specify how the Active Directory plug-in in Directory Access maps and generates Active Directory object categories and attributes from Open Directory record types and attributes.
Attribute Mappings for PresetGroups
Open Directory name, RFC/class | LDAP attribute name | OID | Active Directory plug-in
HomeDirectory, Apple registered | apple-group-homeurl | 1.3.6.1.4.1.63.1000.1.1.1.1.6 | Apple extended schema
HomeLocOwner, Apple registered | apple-group-homeowner | 1.3.6.1.4.1.63.1000.1.1.1.14.2 | Apple extended schema
MCXFlags, Apple registered | apple-mcxflags | 1.3.6.1.4.1.63.1000.1.1.1.1.
Open Directory name, RFC/class | LDAP attribute name | OID | Active Directory plug-in
MailAttribute, Apple registered | apple-user-mailattribute | 1.3.6.1.4.1.63.1000.1.1.1.1.9 | Apple extended schema
PrintServiceUserData, Apple registered | apple-user-printattribute | 1.3.6.1.4.1.63.1000.1.1.1.1.13 | Apple extended schema
MCXFlags, Apple registered | apple-mcxflags | 1.3.6.1.4.1.63.1000.1.1.1.1.
Mappings for Printers The following tables specify how the LDAPv3 plug-in in Directory Access maps the Open Directory Printers record type and attributes to LDAP object classes. The tables also specify how the Active Directory plug-in in Directory Access maps and generates Active Directory object categories and attributes from Open Directory record types and attributes.
Open Directory name, RFC/class, special purpose | LDAP attribute name | OID | Active Directory plug-in
PrinterXRISupported, IETF-Draft-IPP-LDAP | printer-xri-supported | 1.3.18.0.2.4.1107 | Generated from portName/uNCName
Printer1284DeviceID, Apple registered | printer-1284-device-id | 1.3.6.1.4.1.63.1000.1.1.1.9.
Attribute Mappings for Locations
Open Directory name, RFC/class | LDAP attribute name | OID | Active Directory plug-in
RecordName, RFC 2256 | cn | 2.5.4.3 | RFC standard
DNSDomain, Apple registered | apple-dns-domain | 1.3.6.1.4.1.63.1000.1.1.1.18.1 | Apple extended schema
DNSNameServer, Apple registered | apple-dns-nameserver | 1.3.6.1.4.1.63.1000.1.1.1.18.
Mac OS X user attribute, format, and sample values:
UniqueID: A unique user identifier, used for access privilege management. Format: Signed 32-bit ASCII string of digits 0–9. Values below 100 are typically used for system accounts. Zero is reserved for use by the system. Normally unique among the entire population of users, but sometimes can be duplicated. Warning: A non-integer value is interpreted as 0, which is the UniqueID of the root user.
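The warning above is worth enforcing before an LDAP or Active Directory attribute is mapped onto UniqueID. The following is an added example, not code from the Apple guide: it checks each value against the format the guide gives (a signed 32-bit string of digits), flags the values the guide calls out (0 for root, below 100 for system accounts, duplicates) and reports what a non-integer value would silently become. The record names and UniqueID strings are constructed sample data, and acceptance of a leading minus sign is an assumption drawn from the word "signed".

```python
# Added example, not from the Apple guide: check UniqueID values against the
# format the guide gives (signed 32-bit ASCII string of digits 0-9) before
# mapping an LDAP or Active Directory attribute onto it, so that a non-integer
# value is caught instead of being interpreted as 0, the root UniqueID.
import re

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
# Leading '-' is accepted because the field is described as signed (assumption).
_INTEGER = re.compile(r"^-?[0-9]+$")

def classify_unique_id(raw):
    """Return (status, effective_uid, note) for one UniqueID attribute value.
    status is 'ok', 'system', 'root', 'out-of-range' or 'invalid'."""
    value = raw.strip()
    if not _INTEGER.match(value):
        # The guide: a non-integer value is interpreted as 0, i.e. root.
        return ("invalid", 0, "non-integer UniqueID would be treated as root (0)")
    uid = int(value)
    if not INT32_MIN <= uid <= INT32_MAX:
        return ("out-of-range", uid, "does not fit a signed 32-bit integer")
    if uid == 0:
        return ("root", 0, "0 is reserved for use by the system")
    if uid < 100:
        return ("system", uid, "values below 100 are typically system accounts")
    return ("ok", uid, "")

def audit_unique_ids(records):
    """records maps RecordName -> raw UniqueID string (as read from the
    directory). Returns (name, status, effective_uid) for every record that
    is not plain 'ok', plus 'duplicate' findings, because the guide notes
    that IDs are normally unique but can be duplicated."""
    findings, by_uid = [], {}
    for name, raw in records.items():
        status, uid, _note = classify_unique_id(raw)
        if status != "ok":
            findings.append((name, status, uid))
        by_uid.setdefault(uid, []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.extend((name, "duplicate", uid) for name in names)
    return findings

# Constructed sample records (hypothetical accounts, not real data).
SAMPLE_RECORDS = {"alice": "501", "bob": "502", "svc": "70",
                  "oops": "50l", "carol": "501", "huge": "4294967296"}
```

Calling audit_unique_ids(SAMPLE_RECORDS) reports the system account, the value that would collapse to root, the value that overflows 32 bits, and both holders of the duplicated ID 501.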
Mac OS X user attribute, format, and sample values:
MCXSettings: A user’s managed preferences. Format: UTF-8 XML plist, multivalued.
AdminLimits: The privileges allowed by Workgroup Manager to a user that can administer the directory domain. Format: UTF-8 XML plist, single value.
Password: The user’s password. Format: UNIX crypt.
Picture: File path to a recognized graphic file to be used as a display picture for the user. Format: UTF-8 text, maximum 255 bytes.
Mac OS X user attribute, format, and sample values:
AuthenticationAuthority: Describes the user’s authentication methods, such as Open Directory or crypt password; not required for a user with only a crypt password; absence of this attribute signifies legacy authentication (crypt with Authentication Manager, if it is available). Format: ASCII text. Sample values: Values describe the user’s authentication methods. Can be multivalued (for example, basic and ShadowHash).
Mac OS X group attribute, format, and sample values:
HomeDirectory: The location of an AFP-based home directory for the group. Format: Structured UTF-8 text. Sample values: afp://server/sharept grouphomedir. In the following example, the Science group’s home directory is K-M/Science, which resides beneath the share point directory, Groups: afp://example.
Standard Attributes in Computer Records The following table specifies facts about the standard attributes, or data types, found in computer records of Mac OS X data services. Computer records associate the hardware address of a computer’s Ethernet interface with a name for the computer. The name is part of a computer list record (much as a user is in a group). Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.
Standard Attributes in Computer List Records The following table specifies facts about the standard attributes, or data types, found in computer list records of Mac OS X data services. A computer list record identifies a group of computers (much as a group record identifies a collection of users). Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.
Standard Attributes in Mount Records The following table specifies facts about the standard attributes, or data types, found in mount records of Mac OS X data services. Use these facts when mapping LDAP or Active Directory domains to Mac OS X directory services.
Standard Attributes in Config Records The following table specifies facts about the standard attributes, or data types, found in config records of Mac OS X data services. Mac OS X Server version 10.2 and later uses the following two types of config records:
• The mcx_cache record always has the RecordName of mcx_cache. It also uses RealName and DataStamp to determine whether the cache should be updated or the server settings ignored.
Appendix B: Open Directory Password Server Authentication Methods
Open Directory Password Server is based on the SASL standard for supporting multiple methods of authenticating user passwords. The authentication methods supported by Open Directory Password Server include APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, SMB-NT, SMB-LAN Manager, and WebDAV-Digest.
Note: Disabling or enabling an authentication method may necessitate resetting passwords in user accounts. If a user can’t use additional methods after you enable them, the user or a directory domain administrator needs to reset the user’s password. Basic information about Open Directory Password Server’s authentication methods is provided on the following pages.
Digest-MD5 Password Validation Digest-MD5 is used by the Mac OS X login window, many email programs, and some LDAP software. This authentication method encodes passwords when they are sent over the network, and stores them in a scrambled form on the server. It offers good security during network transmission.
WebDAV-Digest Password Validation WebDAV-Digest handles Digest-MD5 password validation for the WebDAV protocol, which is used to authenticate access to an iDisk. You should keep WebDAV-Digest enabled so that users can mount iDisks and other WebDAV servers in the Finder. WebDAV-Digest encodes passwords when they are sent over the network, and stores them in a scrambled form on the server. It offers good security during network transmission.
Appendix C: Authentication Manager
Mac OS X Server supports users that were configured to use the legacy Authentication Manager technology in Mac OS X Server version 10.0–10.2.
Glossary
Active Directory: The directory service of Microsoft Windows 2000 and 2003 servers.
administrator: A user with server or directory domain administration privileges. Administrators are always members of the predefined “admin” group.
administrator computer: A Mac OS X computer onto which you have installed the server administration applications from the Mac OS X Server Admin CD.
DHCP (Dynamic Host Configuration Protocol): A protocol used to distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the client computer along with a lease period—the length of time the client computer may use the address.
Kerberos: A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time. Once a user is authenticated, it is possible to access additional services without retyping a password (this is called single sign-on) for services that have been configured to take Kerberos tickets. Mac OS X Server uses Kerberos v5.
owner: The person who created a file or folder and who therefore has the ability to assign access privileges for other users. The owner of an item automatically has read/write privileges for that item. An owner can also transfer ownership of an item to another user.
parent: A computer whose shared directory domain provides configuration information to another computer.
primary group: A user’s default group.
SMB (Server Message Block): A protocol that allows client computers to access files and network services. It can be used over TCP/IP, the Internet, and other network protocols. Windows services use SMB to provide access to servers, printers, and other network resources.
SSL (Secure Sockets Layer): An Internet protocol that allows you to send encrypted, authenticated information across the Internet.