34 Chapter 3 User Authentication With Open Directory
You experience authentication and authorization when you use a credit card. The
merchant authenticates you by comparing your signature on the sales slip to the
signature on your credit card. Then the merchant submits your authorized credit card
account number to the bank, which authorizes payment based on your account
balance and credit limit.
Open Directory authenticates user accounts, but does not authorize access to any
services. After Open Directory authenticates you, the login window can authorize you
to log in, file service can authorize access to certain folders and files, mail service can
authorize access to your email, and so on.
Determining Which Authentication Option to Use
To authenticate a user, Open Directory first must determine which authentication
option to use—Kerberos, Open Directory Password Server, shadow password, crypt
password, or LDAP bind. The user's account contains information that specifies which
authentication option to use. This information is called the authentication authority
attribute. Open Directory therefore uses the name provided by the user to locate the
user's account in the directory domain, then consults the authentication authority
attribute in that account to learn which authentication option to use.
The authentication authority attribute is not limited to specifying a single
authentication option. For example, an authentication authority attribute could specify
that a user can be authenticated by Kerberos and Open Directory Password Server.
Nor must a user's account contain an authentication authority attribute at all. If a user's
account contains no authentication authority attribute, Mac OS X Server assumes a
crypt password is stored in the user's account. For example, user accounts created
using Mac OS X version 10.1 and earlier contain a crypt password but not an
authentication authority attribute.
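The lookup described above, as an added example that is not Apple's code or any part of Open Directory: locate the user's record by name, read its authentication authority attribute, and fall back to a crypt password only when the attribute is absent. The record contents are constructed, and the attribute value layout (;tag;data) and the tag names mapped below are assumptions for this example; a tag the example does not recognize is rejected rather than silently treated as crypt, since a wrong fallback would weaken the check.

```python
"""Decide which authentication options apply to a user record.

Added example, not Apple's code. It models the lookup the text describes:
find the user's record by name, read its authentication authority attribute,
and assume a crypt password when the attribute is absent. The value format
';<tag>;<data>' and the tag names below are assumptions for this example,
and the user records are constructed.
"""

# Assumed mapping from attribute tag to the option names used in the text.
TAG_TO_OPTION = {
    "ApplePasswordServer": "Open Directory Password Server",
    "Kerberosv5": "Kerberos",
    "ShadowHash": "shadow password",
    "basic": "crypt password",
}

# Constructed directory domain: record name -> attributes.
DIRECTORY = {
    "anne": {
        "RecordName": "anne",
        # One attribute, two values: this account may use either option.
        "AuthenticationAuthority": [
            ";ApplePasswordServer;0x0123456789abcdef,1024 65537 <pubkey> pwserver.example.com:3659",
            ";Kerberosv5;;anne@EXAMPLE.COM;EXAMPLE.COM;",
        ],
    },
    "bob": {
        "RecordName": "bob",
        "AuthenticationAuthority": [";ShadowHash;"],
    },
    # Account from an old release: crypt hash present, no authority attribute.
    "carol": {
        "RecordName": "carol",
        "Password": "abJnggxhB/yWI",  # constructed placeholder hash
    },
}


def parse_authority(value):
    """Return (tag, data) from an authority value of the form ';tag;data'.

    The data part may itself contain ';' (as in the Kerberos value above),
    so the value is split at most twice.
    """
    if not value.startswith(";"):
        raise ValueError(f"malformed authentication authority value: {value!r}")
    parts = value.split(";", 2)
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"missing tag in authentication authority value: {value!r}")
    tag = parts[1]
    data = parts[2] if len(parts) == 3 else ""
    return tag, data


def authentication_options(directory, name):
    """Look up the user by name and return the options the authority
    attribute allows, in attribute order.

    Absent (or empty) attribute -> ['crypt password'], as the text states.
    Unknown user -> None, kept distinct from 'no attribute'.
    Unrecognized tag -> ValueError, never a silent fallback.
    """
    record = directory.get(name)
    if record is None:
        return None
    authorities = record.get("AuthenticationAuthority")
    if not authorities:
        return ["crypt password"]
    options = []
    for value in authorities:
        tag, _data = parse_authority(value)
        option = TAG_TO_OPTION.get(tag)
        if option is None:
            raise ValueError(f"unsupported authentication authority tag {tag!r} for {name!r}")
        options.append(option)
    return options


if __name__ == "__main__":
    for user in ("anne", "bob", "carol", "nobody"):
        print(user, "->", authentication_options(DIRECTORY, user))
```

Running the block prints anne with both Password Server and Kerberos, bob with shadow password, carol with the crypt default, and None for the unknown name.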
You can change a user's authentication authority attribute by changing the password
type in the Advanced pane of Workgroup Manager. Some password type settings result
in the authentication authority attribute specifying more than one authentication
option. See Chapter 6, “Managing User Authentication,” for instructions on setting the
password type.
LL2352.Book Page 34 Friday, August 22, 2003 3:12 PM