Specifications

264 Chapter 15 Configuring and Managing Open Directory
Often the server administrator can assume that the service's principal name has the form
serviceType/fqdn@REALM. For example, the service principal for the AFP server on the
host "server.example.com" in the realm "EXAMPLE.COM" is
afpserver/server.example.com@EXAMPLE.COM. However, the service type is service-specific,
and the primary place to get this information is the service documentation.
To kerberize a service (from a terminal running on that host):
1 Create the service principal with kadmin.
$ sudo kadmin -p admin_principal -q "addprinc -randkey service-principal"
2 Import the principal's key into the keytab file.
$ sudo kadmin -p admin_principal -q "ktadd service-principal"
3 Configure the service to use the new principal.
This step is service-specific. For information about how to perform it, see the
service documentation.
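The three steps above, wrapped in a small POSIX shell script as an added example (this is not from the Apple guide). It composes the serviceType/fqdn@REALM name, rejects names that would be mangled inside the quoted kadmin -q string, runs the addprinc and ktadd steps, and then confirms with klist -k that the key is actually in the default keytab before the service is pointed at it. The KADMIN and KLIST variables are assumptions of this script so that it can be dry-run against stand-ins; the admin principal and service values are placeholders.

```shell
#!/bin/sh
# Added example, not from the Apple guide: build serviceType/fqdn@REALM as
# described above, sanity-check it, then run the two kadmin steps and confirm
# the key landed in the keytab. Run as root (or via sudo) so ktadd can write
# /etc/krb5.keytab. KADMIN and KLIST default to the real tools and can be
# overridden for a dry run (assumed convention of this script).
set -eu

# Compose the principal name; the realm is conventionally uppercase.
service_principal() {
  # $1 = service type (e.g. afpserver), $2 = host FQDN, $3 = realm
  printf '%s/%s@%s\n' "$1" "$2" "$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')"
}

# Reject names that would be mangled inside the quoted kadmin -q string:
# whitespace, a missing or duplicated '/' or '@', or empty components.
valid_principal() {
  case "$1" in
    *[[:space:]]*|*/*/*|*@*@*|/*|*/@*|*@) return 1 ;;
    */*@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1 and 2 from the text, plus a keytab check before step 3.
kerberize_service() {
  # $1 = admin principal, $2 = service type, $3 = host FQDN, $4 = realm
  princ=$(service_principal "$2" "$3" "$4")
  valid_principal "$princ" || { echo "refusing bad principal: $princ" >&2; return 2; }
  "${KADMIN:-kadmin}" -p "$1" -q "addprinc -randkey $princ"
  "${KADMIN:-kadmin}" -p "$1" -q "ktadd $princ"
  # Confirm the key is now in the default keytab before configuring the service.
  "${KLIST:-klist}" -k | grep -F -- "$princ" >/dev/null
}

# Usage against a real KDC (placeholder values):
#   kerberize_service admin/admin afpserver server.example.com EXAMPLE.COM
```

The keytab check is the part worth keeping even if you type the kadmin commands by hand: a service configured for a principal whose key never reached the keytab fails only at the first client ticket, which is a much less obvious place to debug.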
Using Directory Service Tools
The following are miscellaneous directory service tools that you can use to configure
directory services and to troubleshoot problems.
Operating on Directory Service Domains
Use dscl, a general-purpose tool, for operating on directory domains. You can create,
read, and manage directory data. If invoked without commands, dscl runs in an
interactive mode, reading commands from standard input.
The following example shows a basic use of dscl.
To verify that you can access an LDAPv3 directory:
$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls
You should see a list of the server's network user accounts.
For more information, see the dscl man page.
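The same listing can be run non-interactively, which is how you would script a directory audit. The following is an added example, not from the Apple guide: it uses dscl's -list command against the node path from the session above, asks for the UniqueID attribute alongside each name, and flags any account other than root that has UID 0. The DSCL and NODE variables are assumptions of this script so the parsing can be exercised without an Open Directory server.

```shell
#!/bin/sh
# Added example, not from the Apple guide: one-shot dscl listing of the Users
# container plus a check for accounts that share UID 0 with root. DSCL and NODE
# are overridable so the parser can be tested against constructed output.
set -eu

# Same node the interactive session cd's into (assumed directory host).
NODE=${NODE:-/LDAPv3/directory.example.com/Users}

# Equivalent of "cd $NODE; ls", but with the UniqueID attribute on each line:
#   name  uid
list_users() {
  "${DSCL:-dscl}" localhost -list "$NODE" UniqueID
}

# Read "name uid" lines on stdin; print names that have UID 0 but are not root.
uid0_accounts() {
  awk '$2 == 0 && $1 != "root" { print $1 }'
}

# Combine the two: anything printed here deserves a look.
audit_uid0() {
  list_users | uid0_accounts
}

# Usage against a live directory (prints nothing when clean):
#   audit_uid0
```

Any name this prints has root's privileges on every bound client, so an empty result is the expected outcome on a healthy directory; a non-empty one is worth checking against change records before assuming it is a misconfiguration.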