Setup guide

Leave the challenge password and the optional company name blank.
Sign the ldapserver.csr request:
sudo openssl ca -in ldapserver.csr -out ldapserver.crt
When prompted, enter the CA passphrase, then answer the "Sign the certificate?" and "commit?" prompts to complete the process.
The certificate files needed to enable SSL on the LDAP server are now in the
/usr/share/certs directory. As described in the “Securing Open Directory
Service” section, some of these files will need to be moved to the LDAP server.
4.4.2 Enable Client Support
If you’re using self-signed certificates, most user applications will pop up a warning
that the Certificate Authority is not recognized. Other software, such as Mac OS X’s
LDAP client, will simply refuse to use SSL if the server's CA is unknown. The
operating system ships only with certificates from well-known commercial CAs. To
prevent this warning, your CA certificate must be installed on every client
machine that will be connecting to the secure server. Each client should do the
following:
1. Copy the self-signed CA certificate (the file called ca.crt) onto the client machine.
This is preferably distributed via non-rewritable media, such as a CD-R. Before
trusting it, compare its fingerprint with the one recorded on the CA machine: a
client that imports an attacker-supplied CA certificate will accept any server
that attacker chooses to impersonate.
2. Double-click the ca.crt icon where it was copied onto the client machine.
The Keychain Access tool will open. Add the certificate to the X509Anchors
keychain. Alternatively, issue the command:
sudo certtool i ca.crt k=/System/Library/Keychains/X509Anchors
Now, any client application that checks against the system's X509Anchors keychain
(such as Safari and Mail) will recognize any certificate signed by your CA.
4.5 Securing Open Directory Service
The Open Directory service allows Mac OS X Server to provide directory services
such as user authentication. Detailed documentation and configuration advice is
available in Apple’s “Mac OS X Server Open Directory Administration” guide. The
Open Directory service must be set to the proper role and configured to use SSL so
that its communications, which carry authentication data, are encrypted and their
confidentiality protected. Password policies can also be enforced by the Open
Directory service.
38
UNCLASSIFIED