Specifications
102 Chapter 7 Managing Directory Access
The Active Directory plug-in automatically discovers all domains in an Active Directory
forest. You can configure the plug-in to allow users from any domain in the forest to
authenticate on a Mac OS X computer. Multi-domain authentication can also be
disabled so that only users from specific domains can authenticate on the client.
The Active Directory plug-in fully supports Active Directory replication and failover. It
discovers multiple domain controllers and determines the closest one. If a domain
controller becomes unavailable, the plug-in automatically falls back to another nearby
domain controller.
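The discovery and failover behavior described above can be illustrated with the DNS records a client consults. The following is an added example, not code from the manual or from Apple's plug-in: it parses constructed SRV answers for the `_ldap._tcp.dc._msdcs` and `_kerberos._tcp.dc._msdcs` names of a sample forest, orders the candidate domain controllers using RFC 2782 priority and weight, and walks that order past controllers known to be unavailable. The real plug-in also uses Active Directory site information to pick the closest controller; this block simplifies that to SRV priority, and the record data is a constructed sample, not a real forest.

```python
"""Model how a client discovers Active Directory domain controllers via DNS
SRV records and picks a fallback when one becomes unavailable.

Added example (assumption: RFC 2782 ordering stands in for the plug-in's
site-aware selection). Sample answers below are constructed, not real."""
import random
import re
from collections import defaultdict

# Constructed dig-style SRV answers for a sample forest (not real hosts).
SAMPLE_SRV_ANSWERS = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 50 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-remote.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 50 88 dc2.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 88 dc-remote.example.com.
"""

# owner-name TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(\S+?)\.?\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$"
)


def parse_srv_answers(text):
    """Return {service_name: [(priority, weight, port, target), ...]}."""
    by_service = defaultdict(list)
    for line in text.splitlines():
        match = SRV_LINE.match(line.strip())
        if not match:
            continue  # blank or non-SRV line
        name, prio, weight, port, target = match.groups()
        by_service[name].append((int(prio), int(weight), int(port), target))
    return dict(by_service)


def failover_order(records, rng=None):
    """RFC 2782 ordering: lowest priority first; within one priority,
    weighted random selection without replacement."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[-1]
            if total > 0:
                roll = rng.uniform(0, total)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if roll <= acc:
                        pick = r
                        break
            pool.remove(pick)
            ordered.append(pick)
    return ordered


def next_controller(ordered, unavailable=frozenset()):
    """First (target, port) not known to be down, or None if all are down.
    This is the fallback step: skip controllers that stopped answering."""
    for _, _, port, target in ordered:
        if target not in unavailable:
            return target, port
    return None


def discover(text, domain, service="_ldap"):
    """Convenience: ordered controller list for one service in one domain."""
    name = f"{service}._tcp.dc._msdcs.{domain}"
    return failover_order(parse_srv_answers(text).get(name, []))


if __name__ == "__main__":
    order = discover(SAMPLE_SRV_ANSWERS, "example.com")
    print("LDAP order:", [r[3] for r in order])
    print("after dc1 and dc2 fail:",
          next_controller(order, {"dc1.example.com", "dc2.example.com"}))
```

Because both priority-0 hosts always precede the priority-10 host, a client only reaches `dc-remote.example.com` once the two nearer controllers are unavailable; the Kerberos records resolve to the same hosts on port 88, which is why the plug-in can use LDAP for lookups and Kerberos for authentication against the same controller.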
The Active Directory plug-in uses LDAP to access the Active Directory user accounts
and Kerberos to authenticate them. The Active Directory plug-in does not use
Microsoft’s proprietary Active Directory Services Interface (ADSI) to get directory or
authentication services.
Configuring Access to an Active Directory Domain
Using the Active Directory plug-in listed in Directory Access, you can configure
Mac OS X to access basic user account information in an Active Directory domain on a
Windows server. The Active Directory plug-in generates all attributes required for
Mac OS X authentication. No changes to the Active Directory schema are required.
However, if the Active Directory schema has been extended to include standard
Mac OS X record types and attributes, such as the attributes required for
Mac OS X client management, the Active Directory plug-in detects and accesses them.
Important: An advanced option of the Active Directory plug-in allows you to map the
Mac OS X unique user ID (UID) attribute to an appropriate attribute that has been
added to the Active Directory schema. If you change the setting of this mapping
option at a later date, users may lose access to previously created files.
To configure access to an Active Directory domain:
1 In Directory Access, click Services.
2 If the lock icon is locked, click it and type the name and password of an administrator.
3 Select Active Directory in the list of services, then click Configure.
4 Enter the DNS names of the servers that host the Active Directory forest and domain of
which the computer you’re configuring will be a member.
The administrator of the Active Directory domain can tell you the names of the forest
and domain. If you have a single forest with a single domain, enter the same name for
forest and domain.
5 Enter the Computer ID, which is the name that the computer you’re configuring has
been assigned in the Active Directory domain.
If you’re not sure what name to enter, ask the Active Directory domain administrator.