Specifications

80 Chapter 6 Managing User Authentication
Enabling LDAP Bind Authentication for a User
You can use Workgroup Manager to enable the use of LDAP bind authentication for a
user account stored in an LDAP directory domain. When you use this password
validation technique, you rely on the LDAP server that contains the user account to
authenticate the user’s password.
To enable LDAP bind user authentication using Workgroup Manager:
1 Make sure the account for a user whose password you want to validate using LDAP
bind resides on an LDAP server in the search path of the Mac OS X computer that
needs to validate the password.
See “Accessing LDAP Directories” on page 90 for information about configuring LDAP
server connections. Avoid mapping the password attribute when configuring the
connection; bind authentication will occur automatically. Also, set up the connection so
it uses SSL: otherwise the password is passed in clear text and is exposed while in transit.
2 In Workgroup Manager, open the account you want to work with if it is not already
open.
To open an account, click the Accounts button, then click the Users button. Click the
small globe icon above the list of users and choose from the pop-up menu to open the
LDAP directory domain where the user’s account resides. Click the lock and
authenticate as a directory domain administrator. Then select the user in the user list.
3 On the Advanced pane, choose “Crypt password” from the User Password Type pop-up
menu.
4 On the Basic pane, make sure the Password field is empty.
5 Click Save.
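To make the SSL note in step 1 concrete, here is an added example (not code from this guide or from Apple) that encodes the LDAPv3 simple bind request a client sends to the LDAP server and checks the two connection settings the step names; the DN and password are constructed sample values.

```python
# Added example (not from the Open Directory guide): encode the LDAPv3 simple
# BindRequest that bind authentication puts on the wire (RFC 4511, BER), and
# check the two connection settings the guide calls out. The DN and password
# used with these functions are constructed sample values.

def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(n: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement, for message IDs and versions."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] {
           version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind = _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password appears verbatim in the PDU, i.e. what anyone on the
    network path sees if the connection is not wrapped in SSL."""
    return password.encode() in pdu


def connection_findings(use_ssl: bool, maps_password_attribute: bool) -> list:
    """Checks mirroring step 1: SSL on, password attribute not mapped."""
    findings = []
    if not use_ssl:
        findings.append("password sent in clear text: enable SSL on the LDAP connection")
    if maps_password_attribute:
        findings.append("password attribute mapped: remove the mapping so bind auth is used")
    return findings
```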
Assigning Administrator Rights for Open Directory Authentication
You can work with Open Directory authentication settings in Workgroup Manager only
if you authenticate as an administrator of the directory domain that contains the user
accounts you want to work with. In addition, the administrator must use Open
Directory authentication. These restrictions protect the security of passwords stored in
the Kerberos KDC and the Open Directory Password Server database. See “Changing
the Password Type to Open Directory” on page 76. For instructions on assigning
administrator rights for a directory domain, see the user accounts chapter in the user
management guide.
Do not use the Options button on the Advanced pane to set up password policies for
directory domain administrators. Password policies are not enforced for administrator
accounts. Directory domain administrators need to be able to change password
policies of individual user accounts.
LL2352.Book Page 80 Friday, August 22, 2003 3:12 PM