Specifications

62 Chapter 5 Setting Up Open Directory Services
A server that is an Open Directory master requires no additional configuration to
support single signon and Kerberos authentication for all the Kerberized services that
the server itself provides. This server can also support single signon and Kerberos
authentication for Kerberized services of other servers on the network. The other
servers must be set up to join the Open Directory master for single signon and
Kerberos.
For instructions, see the getting started guide, “Setting Up an Open Directory Master”
on page 56, “Delegating Authority to Join an Open Directory Master for Single Signon
and Kerberos” on page 62, and “Joining a Server to an Open Directory Master for Single
Signon and Kerberos” on page 63.
Delegating Authority to Join an Open Directory Master for Single
Signon and Kerberos
Using Server Admin, you can delegate the authority to join a server to an Open
Directory master for single signon and Kerberos authentication. You can delegate
authority to one or more user accounts on one server. The user accounts to which you
are delegating authority must have a password type of Open Directory and must reside
in the LDAP directory of the Open Directory master. The server for which you are
delegating authority must have Mac OS X Server version 10.3 or later.
If you want to delegate authority for more than one server, repeat this procedure for
each one.
Important: If a delegated administrator’s account is deleted and recreated on the
target server, the new account will not have authority to join the Kerberos server. As a
precaution, you should delegate authority to at least two accounts on the target server.
One account can belong to a network administrator (an administrator of the Kerberos
domain).
To delegate authority to join an Open Directory master for single signon and
Kerberos:
1 Open Workgroup Manager, make sure the target server has been added to a computer
account in the LDAP directory domain of the server from which you're delegating
authority, and note the name of the target server in the computer account.
The name of the target server in the computer account corresponds to the name of the
server's computer record in the LDAP directory domain. Adding the server to a
computer account creates a computer record for the server. For instructions on adding
the server to a computer account, see the computer accounts chapter of the user
management guide.
2 Open Server Admin and select Open Directory for the Open Directory master server in
the Computers & Services list.
3 Click Settings (near the bottom of the window), then click General (near the top).
4 Confirm that the Role is Open Directory Master, then click Add Kerberos Record and
enter the requested information.
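Before carrying out the procedure above, the two prerequisites it states (the delegate account must have an Open Directory password type and live in the master's LDAP directory; the target server must already have a computer record there) can be checked from the text that the `dscl` tool prints for a record and for a `/Computers` listing. The script below is an added example, not part of the Apple guide; the record text, account names, server names and realm in it are constructed sample values.

```python
"""Prerequisite check for delegating Kerberos join authority (added example)."""
import re

# Constructed sample of `dscl /LDAPv3/127.0.0.1 -read /Users/odadmin` output.
# An Open Directory password shows up as ;ApplePasswordServer; and ;Kerberosv5;
# tags in AuthenticationAuthority; a local password shows ;basic; or ;ShadowHash;.
USER_RECORD = """\
AuthenticationAuthority: ;ApplePasswordServer;0x3f5a...,1024 35 1234 od.example.com:389 ;Kerberosv5;;odadmin@OD.EXAMPLE.COM;OD.EXAMPLE.COM;
RecordName: odadmin
UniqueID: 1025
"""

# Constructed sample of an account whose password is a local shadow hash.
LOCAL_USER_RECORD = """\
AuthenticationAuthority: ;ShadowHash;
RecordName: localadmin
UniqueID: 501
"""

# Constructed sample of `dscl /LDAPv3/127.0.0.1 -list /Computers` output.
COMPUTER_LIST = """\
fileserver.example.com
mailserver.example.com
"""

def parse_record(text):
    """Turn dscl's 'Attribute: value' lines into a dict of attribute -> value."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def has_open_directory_password(record_text):
    """True when the account's password is held by Password Server / Kerberos."""
    auth = parse_record(record_text).get("AuthenticationAuthority", "")
    tags = set(re.findall(r";([A-Za-z0-9]+);", auth))
    return "ApplePasswordServer" in tags and not ({"basic", "ShadowHash"} & tags)

def has_computer_record(listing_text, server_name):
    """True when the target server already has a computer record in the directory."""
    return server_name in listing_text.split()

def check_delegation_prerequisites(user_record, computer_listing, target_server):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    if not has_open_directory_password(user_record):
        problems.append("delegate account must have an Open Directory password type")
    if not has_computer_record(computer_listing, target_server):
        problems.append("no computer record for %s in the LDAP directory" % target_server)
    return problems
```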
LL2352.Book Page 62 Friday, August 22, 2003 3:12 PM