Chapter 7 Managing Directory Access 101
Learning About the Active Directory Plug-in
You can configure Mac OS X to access basic user account information in an Active
Directory domain of a Windows 2000 or Windows 2003 server. What makes this
possible is an Active Directory plug-in for Directory Access. This Active Directory plug-in
is listed on the Services pane of Directory Access.
You do not need to make any schema modifications to the Active Directory domain to
get basic user account information. You may need to change the default Access Control
List (ACL) of specific attributes so that computer accounts will have the ability to read
the properties. The Active Directory plug-in generates all attributes required for
Mac OS X authentication from standard attributes in Active Directory user accounts.
The plug-in also supports Active Directory authentication policies, including password
changes, expiration, and forced change.
The Active Directory plug-in dynamically generates a unique user ID and a primary
group ID based on the user account’s Globally Unique ID (GUID) in the Active Directory
domain. The generated user ID and primary group ID are always the same for each user
account even if the account is used to log in to different Mac OS X computers.
Alternatively, you can force the Active Directory plug-in to map the user ID to an Active
Directory attribute that you specify.
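The two ID-mapping modes just described, modelled as an added example (this is not Apple's implementation and not code from this guide): a UID and primary GID generated deterministically from the account's GUID, and an override that reads the UID from an attribute you name. The hash, the ID range and the `objectGUID`/`uidNumber` sample records are assumptions made for illustration; Apple does not document its derivation here.

```python
import hashlib
import uuid
from typing import Optional, Tuple

# Assumed range for generated IDs. Apple's real range and hash are not
# documented on this page; the point illustrated is the stable mapping.
ID_LOW, ID_HIGH = 1000, 2**31 - 1

# Constructed sample records standing in for Active Directory user accounts.
# objectGUID is stored in Active Directory as 16 raw bytes.
SAMPLE_USERS = {
    "jsmith": {
        "objectGUID": uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301").bytes_le,
    },
    "mlee": {
        "objectGUID": uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8").bytes_le,
        "uidNumber": "2001",  # an attribute an administrator might map the UID to
    },
}


def generated_id(object_guid: bytes, label: bytes) -> int:
    """Derive a stable ID from the GUID: hash a label (b"uid" or b"gid") plus
    the 16 GUID bytes so the two IDs are independent, then fold the first
    32 bits of the digest into the allowed range. The same GUID yields the
    same ID on every computer, which is the property the plug-in provides."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    digest = hashlib.sha256(label + object_guid).digest()
    return ID_LOW + int.from_bytes(digest[:4], "big") % (ID_HIGH - ID_LOW + 1)


def resolve_ids(record: dict, uid_attribute: Optional[str] = None) -> Tuple[int, int]:
    """Return (uid, gid) for a user record.

    With uid_attribute=None the UID is generated from the GUID (default mode).
    With uid_attribute set, the UID is read from that attribute instead (the
    "map the user ID to an attribute you specify" mode). The primary GID is
    always generated from the GUID in this model."""
    guid = record["objectGUID"]
    if uid_attribute is None:
        uid = generated_id(guid, b"uid")
    else:
        value = record.get(uid_attribute)
        if value is None:
            # Attribute absent, or the computer account's ACL does not grant
            # read access to it: fail loudly rather than silently fall back.
            raise LookupError(f"{uid_attribute} not readable on this record")
        uid = int(value)
    return uid, generated_id(guid, b"gid")
```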
When someone logs in to Mac OS X with an Active Directory user account, the Active
Directory plug-in creates a home directory on the startup volume of the Mac OS X
computer. The plug-in also tells Mac OS X to mount the user's Windows home directory
(as specified in the Active Directory user account) on the desktop as a share point.
Using the Finder, the user can copy files between the Windows home directory in the
Network globe and the Mac OS X home directory.
Each time a user logs in to Mac OS X with an Active Directory user name and password,
the Active Directory plug-in can cache the authentication credentials on the Mac OS X
computer. The user can log in again on the same computer when the computer is not
connected to the network. You can enable or disable caching of credentials.
If the Active Directory schema has been extended to include Mac OS X record types
(object classes) and attributes, the Active Directory plug-in automatically detects and
accesses them. For example, the Active Directory schema could be modified using
Windows administration tools to include Mac OS X Server managed client attributes.
This schema modification would enable the Active Directory plug-in to support
managed client settings made in the Preferences module of Workgroup Manager.
Mac OS X clients assume full read access to attributes that are added to the directory.
Therefore, it may be necessary to modify the ACL of those attributes to allow computer
accounts to read these added attributes.
LL2352.Book Page 101 Friday, August 22, 2003 3:12 PM