Apple Mac OS X Server Command-Line Specifications

Browse online or download the specifications for the Apple Mac OS X Server Command-Line server. Apple Mac OS X Server Command-Line Specifications [en] [fr] User Manual

Table of Contents

Page 1 - Mac OS X Server

Mac OS X Server Open Directory Administration Version 10.6 Snow Leopard

Page 2

10 Contents 260 Mappings for Computers 262 Mappings for ComputerLists 263 Mappings for Config 265 Mappings for People 266 Mappings for PresetCompute

Page 3 - Contents

Delegating Authority to Join an Open Directory Kerberos Realm Using Server Admin, you can delegate the authority to join a server to an Open Directory

Page 4 - 4 Contents

Chapter 5 Setting Up Open Directory Services 101 If any item in the array of preference categories has a small arrow next to its icon, the item h

Page 5 - Contents 5

Joining a Server to a Kerberos Realm Using Server Admin, a Kerberos administrator or a user whose account has the properly delegated authority can join

Page 6 - 6 Contents

Chapter 5 Setting Up Open Directory Services 103 Magic Triangle General Setup Overview Here is a summary of the general tasks you perform to set u

Page 7 - Contents 7

104 Use this chapter to learn how to reset user passwords, change password types, set password policies, select authentication methods, and perform o

Page 8 - 8 Contents

Chapter 6 Managing User Authentication Using Workgroup Manager 105 Composing a Password The password associated with a user’s account must be ente

Page 9 - Contents 9

To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. If the user’s password type is Open Dir

Page 10 - 10 Contents

Chapter 6 Managing User Authentication Using Workgroup Manager 107 If you change the password of accounts whose password type is Open Directory a

Page 11 - About This Guide

Note: To set a user account’s password type to Open Directory, you must have administrator rights for Open Directory authentication in the directory

Page 12 - What’s in This Guide

Chapter 6 Managing User Authentication Using Workgroup Manager 109 Changing the Password Type to Crypt Password If necessary, you can use Workgrou

Page 13 - Using Onscreen Help

11 This guide describes the directory and authentication services you can set up using Mac OS X Server. It also explains how to configure Mac OS X S

Page 14 - Documentation Map

Click the lock and authenticate as a directory domain administrator, then select the user in the list. 2 Click Advanced. 3 From the User Password Ty

Page 15 - Getting Documentation Updates

Chapter 6 Managing User Authentication Using Workgroup Manager 111 Administrator accounts are exempt from password policies. Each user can have a

Page 16

Setting Password Policies for Individual Users Using Workgroup Manager, you can set password policies for user accounts whose password type is Open Dir

Page 17 - Directory

Chapter 6 Managing User Authentication Using Workgroup Manager 113 From the command line: To change the global password policy of user accounts:

Page 18

To enable or disable authentication methods for a Shadow Password user: 1 In Workgroup Manager, open the account you want to work with (if it is not

Page 19 - A Historical Perspective

Chapter 6 Managing User Authentication Using Workgroup Manager 115 To enable or disable authentication methods for Open Directory passwords: 1

Page 20

Keeping the Primary Administrator’s Passwords in Sync Having different passwords for the primary local administrator account and the LDAP administrator

Page 21 - Data Distribution

Chapter 6 Managing User Authentication Using Workgroup Manager 117 If you configure an LDAP connection that doesn’t map the password and authenti

Page 22 - Uses of Directory Data

Although existing crypt passwords can continue to be used after importing or upgrading, you can change user accounts to have Open Directory or shadow

Page 23 - Inside a Directory Domain

119 Use this chapter to learn how to access, configure, and manage computers using Accounts preferences. After you configure your directory server, y

Page 24

12 Preface About This Guide For services that don’t accept Kerberos authentication, the integrated Secure Authentication and Service Layer (SA

Page 25

Mac OS X v10.6 computers can connect to an Open Directory, Active Directory, or LDAP directory server. If you don’t know which server to connect to,

Page 26

Chapter 7 Managing Directory Clients Using Accounts Preferences 121 6 When the UpgradeUser tool is complete, click Continue. 7 When the messag

Page 27

If you see an Edit button, your computer has at least one connection to a directory server. 4 Click the Add (+) button. 5 From the “Add a new direc

Page 28

Chapter 7 Managing Directory Clients Using Accounts Preferences 123 Editing a Directory Server Connection You can use Account preferences to edit

Page 29

Managing the Root User Account You can use Directory Utility (located in Accounts preferences) to manage the root user account by enabling or disabling

Page 30

Chapter 7 Managing Directory Clients Using Accounts Preferences 125 Changing the Root User Account Password You can use Directory Utility (locate

Page 31 - Search Policy Levels

126 Use this chapter to set up and manage how a computer with Mac OS X or Mac OS X Server accesses directory services. After you configure your direct

Page 32 - Two-Level Search Policies

Chapter 8 Advanced Directory Client Settings 127 Setting Up Directory Utility on a Remote Server You can use Directory Utility on your computer t

Page 33 - Multilevel Search Policies

The authentication and contacts search policies can have one of the following settings: Automatic: Starts with the local directory domain and can in

Page 34 - Automatic Search Policies

Chapter 8 Advanced Directory Client Settings 129 To have a search policy defined automatically: 1 Open System Preferences and click Accounts. 2

Page 35

Preface About This Guide 13 Chapter 9, “Maintaining Open Directory Services,” tells you how to monitor Open Directory services, view and edit

Page 36 - Custom Search Policies

6 Click Search Policy and choose a search policy. Authentication: Shows the search policy used for authentication and most other administrative da

Page 37 - Open Directory Authentication

Chapter 8 Advanced Directory Client Settings 131 6 Click Search Policy and choose a search policy: Authentication: Shows the search policy us

Page 38

Using Advanced Directory Services Settings Directory Utility lists the directory services that Mac OS X can access. The list includes directory service

Page 39 - About Crypt Passwords

Chapter 8 Advanced Directory Client Settings 133 Enabling or Disabling LDAP Directory Services You can use Directory Utility to enable or disable

Page 40 - Offline Attacks on Passwords

“Changing the Connection Settings for an LDAP Directory” on page 143 “Changing the Security Policy for an LDAP Connection” on page 145 “Configur

Page 41

Chapter 8 Advanced Directory Client Settings 135 7 In the list of services, select LDAPv3 and click the Edit (/) button. 8 Click the Show Opt

Page 42 - About Password Policies

9 Select the options for accessing the directory: Select “Encrypt using SSL” if you want Open Directory to use Secure Sockets Layer (SSL) for conne

Page 43 - About Kerberos Authentication

Chapter 8 Advanced Directory Client Settings 137 For more information about adding a computer to a computer group, see the computer groups chapte

Page 44

Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server RFC 2307, for most directories hosted by UNIX servers

Page 45 - Secure Authentication

Chapter 8 Advanced Directory Client Settings 139 If you choose Custom, you must set up mappings between Mac OS X record types and attributes a

Page 46 - Moving Beyond Passwords

14 Preface About This Guide Documentation Map Mac OS X Server has a suite of guides that cover management of individual services. Each service m

Page 47 - About Kerberized Services

Changing a Configuration for Accessing an LDAP Directory You can use Directory Utility to change the settings of an LDAP directory configuration. The con

Page 48

Chapter 8 Advanced Directory Client Settings 141 10 To change the following default settings for this LDAP configuration, click Edit to display

Page 49

LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK. If you chose a template,

Page 50

Chapter 8 Advanced Directory Client Settings 143 Deleting a Configuration for Accessing an LDAP Directory You can use Directory Utility to delete a

Page 51

To change the connection settings for accessing an LDAP directory: 1 Open System Preferences and click Accounts. 2 If the lock icon is locked, unloc

Page 52

Chapter 8 Advanced Directory Client Settings 145 Changing the Security Policy for an LDAP Connection Using Directory Utility, you can configure a s

Page 53

If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the

Page 54 - LDAP Bind Authentication

Chapter 8 Advanced Directory Client Settings 147 The mapping of Mac OS X data types, or attributes, to LDAP attributes for each record type The

Page 55 - Management Tools

To add record types, click Add (below the Record Types and Attributes list); then, in the sheet that appears, select Record Types, select record typ

Page 56

Chapter 8 Advanced Directory Client Settings 149 Templates saved in the default location are listed in pop-up menus of LDAP mapping templates the

Page 57

Preface About This Guide 15 Viewing PDF Guides Onscreen While reading the PDF version of a guide onscreen: Show bookmarks to see the guide’s outlin

Page 58

7 In the list of services, select LDAPv3 and click the Edit (/) button. 8 If the list of server configurations is hidden, click Show Options. 9 Sel

Page 59

Chapter 8 Advanced Directory Client Settings 151 10 Click Unbind, then enter the following credentials and click OK. Enter the name and passwor

Page 60

Changing the Query Timeout for an LDAP Connection Using Directory Utility, you can specify how long Open Directory waits before cancelling a query sent

Page 61 - Cascading Replication

Chapter 8 Advanced Directory Client Settings 153 Changing the Idle Timeout for an LDAP Connection Using Directory Utility, you can specify how lon

Page 62

9 In the list, select a server configuration and click Edit. 10 Click Connection and select “Ignore server referrals.” Authenticating an LDAP Connec

Page 63

Chapter 8 Advanced Directory Client Settings 155 Changing the Password Used for Authenticating an LDAP Connection Using Directory Utility, you can

Page 64

To enable creating user records in an LDAP directory with RFC 2307 mappings: 1 Open System Preferences and click Accounts. 2 If the lock icon is loc

Page 65 - Replica Services

Chapter 8 Advanced Directory Client Settings 157 Preparing a Read-Only LDAP Directory for Mac OS X If you want a Mac OS X computer to get administ

Page 66

Using Advanced Active Directory Service Settings You can configure a server with Mac OS X Server or a computer with Mac OS X to access an Active Directo

Page 67

Chapter 8 Advanced Directory Client Settings 159 Mac OS X v10.6 supports packet encryption and packet signing options for all Windows Active Dire

Page 68

16 Preface About This Guide Getting Additional Information For more information, consult these resources: Read Me documents—get important upda

Page 69

If the Active Directory schema has been extended to include Mac OS X record types (object classes) and attributes, the Active Directory connector dete

Page 70

Chapter 8 Advanced Directory Client Settings 161 Important: If your computer name contains a hyphen you might not be able to join or bind to a D

Page 71

“Changing the Active Directory Groups That Can Administer the Computer” on page 169 “Controlling Authentication from All Domains in the Active D

Page 72 - Open Directory Security

Chapter 8 Advanced Directory Client Settings 163 Setting Up Mobile User Accounts in Active Directory You can enable or disable mobile Active Direc

Page 73

Setting Up Home Folders for Active Directory User Accounts On a computer that’s configured to use the Directory Utility Active Directory connector you c

Page 74 - Server Admin

Chapter 8 Advanced Directory Client Settings 165 12 To use the Mac OS X attribute for the home folder location, deselect “Use UNC path from A

Page 75 - Directory Utility

Mapping the UID to an Active Directory Attribute On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify

Page 76 - Command-Line Tools

Chapter 8 Advanced Directory Client Settings 167 Mapping the Primary Group ID to an Active Directory Attribute On a computer that’s configured to u

Page 77 - Setting Up Open Directory

Mapping the Group ID in Group Accounts to an Active Directory Attribute On a computer that’s configured to use Directory Utility’s Active Directory conn

Page 78 - Before You Begin

Chapter 8 Advanced Directory Client Settings 169 Specifying a Preferred Active Directory Server On a computer that’s configured to use Directory Ut

Page 79 - Turning Open Directory On

17 Use this chapter to learn about directory domains, how they are used, and how they are organized. Benefits of Using Directory Services A directory

Page 80

To add or remove Active Directory group accounts whose members have administrator privileges: 1 Open System Preferences and click Accounts. 2 If the

Page 81

Chapter 8 Advanced Directory Client Settings 171 7 If the lock icon is locked, unlock it by clicking it and entering the name and password of a

Page 82

5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator. 6 Click Services. 7 In the list of

Page 83

Chapter 8 Advanced Directory Client Settings 173 Automatic mounting of the Windows home folder Mobile user accounts with cached authentication c

Page 84

The Active Directory mapping template for an LDAPv3 configuration maps some Mac OS X record types and attributes to object classes and attributes that

Page 85

Chapter 8 Advanced Directory Client Settings 175 Specifying BSD Configuration File Settings Historically, UNIX computers have stored administrative

Page 86

Setting Up Data in BSD Configuration Files If you want a Mac OS X computer to get administrative data from BSD configuration files, the data must exist in

Page 87

177 Use this chapter to learn how to monitor Open Directory services, view and edit raw data from Open Directory domains, and back up Open Director

Page 88

Controlling Access to a Server’s Login Window You can use Server Admin to control which users can log in to Mac OS X Server using the login window. Use

Page 89

Chapter 9 Maintaining Open Directory Services 179 5 Select “Allow only users and groups below” and edit the list of users and groups that you w

Page 90

With centralized directory service and file service set up to host network home folders, wherever a user logs in, the user gets the same home folder, p

Page 91

7 Set the user’s permission: To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name. To grant moni

Page 92

Chapter 9 Maintaining Open Directory Services 181 3 From the expanded Servers list, select Open Directory. 4 Click Settings, then click Genera

Page 93

To see Open Directory authentication logs: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. The list of

Page 94

Chapter 9 Maintaining Open Directory Services 183 5 To see other types of records, click the All Records button next to the Computer Group butt

Page 95

Deleting Records You can use the Inspector in Workgroup Manager to delete a record. WARNING: After using the Inspector to delete user or computer recor

Page 96

Chapter 9 Maintaining Open Directory Services 185 If you delete a user account in Workgroup Manager by clicking the User button (not the All Reco

Page 97

Importing Records of Any Type Workgroup Manager can import all types of records into the LDAP directory of an Open Directory master. This includes user

Page 98

Chapter 9 Maintaining Open Directory Services 187 Setting a Binding Policy for an Open Directory Server Using Server Admin, you can configure an Op

Page 99 - OF.KERBEROSREALM

Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) eve

Page 100

Chapter 9 Maintaining Open Directory Services 189 Limiting Search Results for LDAP Service Using Server Admin, you can prevent one type of denial-

Page 101

Chapter 1 Directory Services with Open Directory 19 Other application and system software processes can also use the user account information sto

Page 102

Setting Up SSL for LDAP Service Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory se

Page 103

Chapter 9 Maintaining Open Directory Services 191 To create an Open Directory service certificate: 1 Generate a private key for the server in the

Page 104 - Using Workgroup Manager

Managing Open Directory Replication You can schedule Open Directory replication or replicate on demand, promote a replica to a master, or take a replic

Page 105 - Changing a User’s Password

Chapter 9 Maintaining Open Directory Services 193 4 Click Settings, then click General. 5 Click Change. This opens the Open Directory Assistant

Page 106

This saves your setting and restarts the service. 19 Click Change. The Open Directory Assistant opens. 20 Choose Set up an Open Directory Replica,

Page 107

Chapter 9 Maintaining Open Directory Services 195 Decommissioning an Open Directory Replica You can take an Open Directory replica server out of s

Page 108

11 If you chose “Decommission replica and connect to another directory” from the Open Directory Assistant, click the Open Directory Utility button

Page 109

Chapter 9 Maintaining Open Directory Services 197 Restoring an Open Directory Master You can use Server Admin or the slapconfig command-line tool

Page 110

6 Enter the password that was used to encrypt the archive when it was created, then click OK. 7 When the restore operation finishes, check the slapc

Page 111

Chapter 9 Maintaining Open Directory Services 199 Managing OpenLDAP To provide directory services for mixed-platform environments, Open Directory

Page 112

Apple Inc. © 2009 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publicat

Page 113

If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.equiv, master.passwd, and so forth. For ex

Page 114 - Passwords

These tools are included in the standard OpenLDAP distribution: Tool Used to /usr/bin/ldapadd Add entries to the LDAP directory. /usr/bin/ldapcompare Compa

Page 115 - Authentication

Chapter 9 Maintaining Open Directory Services 201 If this parameter doesn’t exist in the DSLDAPv3PlugInConfig.plist file, add it near <key>Op

Page 116

supportedextension: 1.3.18.0.2.12.44 supportedextension: 1.3.18.0.2.12.24 supportedextension: 1.3.18.0.2.12.22 supportedextension: 1.3.18.0.2.12.20 suppor

Page 117

Chapter 9 Maintaining Open Directory Services 203 ibm-supportedAuditVersion: 2 ibm-sasldigestrealmname: tr17n01.aset.psu.edu If the server is an Op

Page 118

Using LDIF Files Lightweight Directory Interchange Format (LDIF) is a file format used to represent LDAP entries in text form. LDAP tools such as ldappa

Page 119 - Accounts Preferences

Chapter 9 Maintaining Open Directory Services 205 Maintaining Kerberos A robust authentication server that uses MIT’s Kerberos Key Distribution Ce

Page 120 - Automated Client Configuration

Managing Principals Mac OS X Server uses MIT’s Kerberos administration architecture for principal management. The Kerberos kadmind administration daemo

Page 121

Chapter 9 Maintaining Open Directory Services 207 Using kadmin to Kerberize a Service You can use kadmin to Kerberize additional services, depend

Page 122

Using Directory Service Tools The following are miscellaneous directory service tools that you can use to configure directory services and to troublesho

Page 123

Chapter 9 Maintaining Open Directory Services 209 Parameter Description diradmin_name Name of the directory administrator diradmin_password Password

Page 124

Chapter 1 Directory Services with Open Directory 21 However, a directory domain stores much more data to support functions that are unique to Mac

Page 125

210 Use this chapter to find solutions for common problems you might encounter while working with Open Directory. This section contains solutions to co

Page 126

Chapter 10 Solving Open Directory Problems 211 If the Open Directory server’s host name still isn’t its fully qualified DNS name, restart the se

Page 127

Solving Directory Connection Problems Problems accessing directory services during startup can have several causes. If a Delay Occurs During Startup If M

Page 128

Chapter 10 Solving Open Directory Problems 213 If a User Can’t Authenticate for VPN Service Users whose accounts are stored on a server with Mac O

Page 129

If You Can’t Log In as an Active Directory User After configuring a connection to an Active Directory domain in the Service pane of Directory Utility (l

Page 130

Chapter 10 Solving Open Directory Problems 215 For information that can help you solve problems, see the KDC log. Also see “Viewing Open Direct

Page 131

If Users Can’t Change Their Passwords Users whose accounts reside in an LDAP directory not hosted by Mac OS X Server and who have a password type of cr

Page 132

Chapter 10 Solving Open Directory Problems 217 If You Must Reset an Administrator Password Using the Mac OS X Server installation disc, you can ch

Page 133

218 Open Directory Service Settings To change settings for the Open Directory service, use the following parameters with the serveradmin tool. Be sur

Page 134

Appendix A Command-Line Parameters for Open Directory 219 OpenLDAP Standard Distribution Tools Two types of tools come with OpenLDAP: Tools that op

Page 135

Uses of Directory Data Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this informat

Page 136

220 Use this appendix to learn Open Directory extensions to LDAP schema, mappings of Open Directory attributes to LDAP and Active Directory attribute

Page 137

Appendix B Mac OS X Directory Data 221 “Mappings for Computers” on page 260 “Mappings for ComputerLists” on page 262 “Mappings for Config”

Page 138

222 Appendix B Mac OS X Directory Data Note: Apple might extend the Open Directory LDAP schema in the future; for example, to support new vers

Page 139

Appendix B Mac OS X Directory Data 223 apple-user-printattribute $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-

Page 140

224 Appendix B Mac OS X Directory Data apple-group-services $ apple-contactguid $ apple-ownerguid $ labeledURI $ apple-services

Page 141

Appendix B Mac OS X Directory Data 225 Computer Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.10 NAME 'apple-computer' D

Page 142

226 Appendix B Mac OS X Directory Data Configuration Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration

Page 143

Appendix B Mac OS X Directory Data 227 Preset Computer Group Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.26 NAME 'apple-preset

Page 144

228 Appendix B Mac OS X Directory Data Preset User Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.15 NAME 'apple-preset-user&ap

Page 145

Appendix B Mac OS X Directory Data 229 Server Assistant Configuration Object Class objectclass ( 1.3.6.1.4.1.63.1000.1.1.2.17 NAME 'appl

Page 146

Chapter 1 Directory Services with Open Directory 23 Managed network views: The administrator can set up custom views that users see when they

Page 147

230 Appendix B Mac OS X Directory Data apple-computeralias $ apple-keyword $ apple-realname $ apple-xmlplist $ ttl ) ) ACL Object C

Page 148

Appendix B Mac OS X Directory Data 231 Automount Object Class objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURA

Page 149

232 Appendix B Mac OS X Directory Data apple-user-homequota Used to specify the home folder quota in kilobytes. attributetype ( 1.3.6.1.4.1.63

Page 150

Appendix B Mac OS X Directory Data 233 1.3.6.1.4.1.63.1000.1.1.1.1.16 NAME ( 'apple-mcxsettings' 'apple-mcxsettings2'

Page 151

234 Appendix B Mac OS X Directory Data apple-user-authenticationhint Used by the login window to provide a hint if the user logs in incorrectly

Page 152

Appendix B Mac OS X Directory Data 235 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN

Page 153

236 Appendix B Mac OS X Directory Data DESC 'Phone Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch

Page 154

Appendix B Mac OS X Directory Data 237 NAME ( 'apple-nickname' ) DESC 'nickname' EQUALITY caseExactMatch SUBSTR

Page 155

238 Appendix B Mac OS X Directory Data apple-namesuffix attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.1.35 NAME ( 'apple-namesuffix' )

Page 156

Appendix B Mac OS X Directory Data 239 apple-primarycomputerguid attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.14.11 NAME ( 'apple-primaryc

Page 157

For an object class, a directory domain can contain multiple entries, and each entry can contain multiple attributes. Some attributes have a single va

Page 158 - About Active Directory Access

240 Appendix B Mac OS X Directory Data apple-group-realname Used to associate a longer, more user-friendly name with groups. This name appears i

Page 159

Appendix B Mac OS X Directory Data 241 # 1.3.6.1.4.1.63.1000.1.1.1.14.1000 # NAME 'apple-group-memberUid' # DESC 'group member list&

Page 160

242 Appendix B Mac OS X Directory Data apple-machine-suffix attributeType ( 1.3.6.1.4.1.63.1000.1.1.1.3.11 NAME 'apple-machine-suffix&a

Page 161

Appendix B Mac OS X Directory Data 243 SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) mountType attribu

Page 162

244 Appendix B Mac OS X Directory Data # NAME ( 'apple-mount-name' ) # DESC 'mount name' # SUP name ) Printer Attributes apple-

Page 163

Appendix B Mac OS X Directory Data 245 NAME 'apple-printer-note' DESC 'printer note' EQUALITY caseIgnoreMatch SU

Page 164

246 Appendix B Mac OS X Directory Data apple-computer-list-groups attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer

Page 165

Appendix B Mac OS X Directory Data 247 NAME 'apple-password-server-location' DESC 'password server location' EQUALI

Page 166

248 Appendix B Mac OS X Directory Data apple-ldap-writable-replica attributetype ( 1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-wr

Page 167 - Attribute

Appendix B Mac OS X Directory Data 249 # EQUALITY caseExactIA5Match # SUBSTR caseExactIA5SubstringsMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) au

Page 168 - Directory Attribute

Chapter 1 Directory Services with Open Directory 25 About the Structure of LDAP Entries In an LDAP directory, entries are arranged in a hierarchic

Page 169

250 Appendix B Mac OS X Directory Data apple-service-url # attributetype ( # 1.3.6.1.4.1.63.1000.1.1.1.19.2 # NAME 'apple-service-url' # D

Page 170 - Directory Forest

Appendix B Mac OS X Directory Data 251 SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) apple-neighborhoodalias attrib

Page 171

252 Appendix B Mac OS X Directory Data # NAME 'objectClassesConfig' # DESC 'object class configuration' # EQUALITY objectIden

Page 172

Appendix B Mac OS X Directory Data 253 automountKey attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount K

Page 173

254 Appendix B Mac OS X Directory Data Record Type Mappings for Users Open Directory name, RFC/class LDAP object class name OID Active Directory co

Page 174 - Specifying NIS Settings

Appendix B Mac OS X Directory Data 255 Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory connector Authentica

Page 175

256 Appendix B Mac OS X Directory Data Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory connector PostalCo

Page 176

Appendix B Mac OS X Directory Data 257 Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory connector SMBKickoffT

Page 177 - Services

258 Appendix B Mac OS X Directory Data Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory connector PagerNum

Page 178

Appendix B Mac OS X Directory Data 259 Attribute Mappings for Groups Open Directory name, RFC/class LDAP attribute name OID Active Directory connecto

Page 179

Local and Shared Directory Domains Where you store your server’s user information and other administrative data is determined by whether the data must

Page 180 - Monitoring Open Directory

260 Appendix B Mac OS X Directory Data Record Type Mappings for Mounts Open Directory name, RFC/class LDAP object class name OID Active Directory c

Page 181

Appendix B Mac OS X Directory Data 261 Attribute Mappings for Computers Open Directory name, RFC/class, special purpose LDAP attribute name OID Active

Page 182

262 Appendix B Mac OS X Directory Data Open Directory name, RFC/class, special purpose LDAP attribute name OID Active Directory connector SMBLogoffTi

Page 183

Appendix B Mac OS X Directory Data 263 Attribute Mappings for ComputerLists Open Directory name, RFC/class LDAP attribute name OID Active Directory c

Page 184 - Deleting Records

264 Appendix B Mac OS X Directory Data Attribute Mappings for Config Open Directory name, RFC/class, special purpose LDAP attribute name OID Active D

Page 185 - Changing a User’s Short Name

Appendix B Mac OS X Directory Data 265 Mappings for People The following tables specify how the LDAPv3 plug-in in Directory Utility (located in Ac

Page 186 - Importing Records of Any Type

266 Appendix B Mac OS X Directory Data Open Directory name, RFC/class LDAP attribute name OID Active Directory connector JobTitle, RFC 2256 title 2.5.

Page 187

Appendix B Mac OS X Directory Data 267 Record Type Mappings for PresetComputerLists Open Directory name, RFC/class LDAP object class name OID Active

Page 188

268 Appendix B Mac OS X Directory Data Attribute Mappings for PresetGroups Open Directory name, RFC/class LDAP attribute name OID Active Directory

Page 189

Appendix B Mac OS X Directory Data 269 Attribute Mappings for PresetUsers Open Directory name, RFC/class LDAP attribute name OID Active Directory conn

Page 190

Chapter 1 Directory Services with Open Directory 27 About Shared Directory Domains Although Open Directory on any Mac OS X computer can store admi

Page 191

270 Appendix B Mac OS X Directory Data Open Directory name, RFC/class LDAP attribute name OID Active Directory connector Password, RFC 2256 userPasswo

Page 192

Appendix B Mac OS X Directory Data 271 Attribute Mappings for Printers Open Directory name, RFC/class, special purpose LDAP attribute name OID Active D

Page 193

272 Appendix B Mac OS X Directory Data Mappings for AutoServerSetup The following tables specify how the LDAPv3 plug-in in Directory Utility (lo

Page 194

Appendix B Mac OS X Directory Data 273 Attribute Mappings for Locations Open Directory name, RFC/class LDAP attribute name OID Active Directory connec

Page 195

274 Appendix B Mac OS X Directory Data Mac OS X user attribute Format Example values RecordName: A list of names associated with a user. The first

Page 196

Appendix B Mac OS X Directory Data 275 Mac OS X user attribute Format Example values HomeDirectory: The location of an AFP-based home folder. UTF-8

Page 197

276 Appendix B Mac OS X Directory Data Mac OS X user attribute Format Example values UserShell: The location of the default shell for command-lin

Page 198 - The path to the archive file

Appendix B Mac OS X Directory Data 277 Mac OS X user attribute Format Example values FirstName: Used by Address Book and other applications that us

Page 199 - Managing OpenLDAP

278 Appendix B Mac OS X Directory Data Format of MailAttribute in User Records User record MailAttribute field Format Sample values AttributeVersi

Seite 200 - Idle Rebinding Options

Appendix B Mac OS X Directory Data 279User record MailAttribute eld Format Sample valuesNoticationState An optional keyword describing whether

Seite 201 - Searching the LDAP Server

Shared Data in Existing Directory DomainsSome organizations—such as universities and worldwide corporations—maintain user information and other admini

Seite 202

280 Appendix B Mac OS X Directory DataUser Data That Mac OS X Server UsesThe following table describes how your Mac OS X Server uses data from

Seite 203

Appendix B Mac OS X Directory Data 281Standard Attributes in Group RecordsThe following table describes the standard attributes found in Open Di

Seite 204 - Using LDIF Files

282 Appendix B Mac OS X Directory DataMac OS X group attribute Format Example valuesHomeLocOwner:The short name of the user that owns the grou

Seite 205 - Maintaining Kerberos

Appendix B Mac OS X Directory Data 283Mac OS X computer attribute Format Example valuesMCXFlags:Used only in the “guest” computer record; if pre

Seite 206 - Managing Principals

284 Appendix B Mac OS X Directory DataStandard Attributes in Mount RecordsThe following table describes the standard attributes found in Open

Seite 207

Appendix B Mac OS X Directory Data 285Standard Attributes in Cong RecordsThe following table describes the standard attributes found in the fol

Seite 208 - Using Directory Service Tools

A access ACLs 38, 72, 73, 179, 183 Active Directory domains 160, 172 administrator 73, 179 directory domain uses 22 directory service 132, 133 file 22 f

Page 209

Index 287 mount 253, 284 neighborhood 253 passwords 253 printer 233, 253 replication 253 resource 253 schema 253 service 253 standard 273, 278, 280

Page 210

288 Index client computers 120, 121 command-line tools 159 connection 92, 93, 94 cross-domain authorization 66 directory domain integration 65, 66

Page 211

Index 289 exporting users 117 See also importing F failover BDC 30, 90 load balancing 63 PDC 30 setup 91 file services authentication 50 share points 22

Page 212

Chapter 1 Directory Services with Open Directory 29 The same user account that can be used for logging in from a Windows workstation can also be

Page 213

290 Index connection settings 92, 143, 150, 152, 153 definition 23 deleting configuration 143 DHCP 35, 89 directory schemas 69 disabling 133 distrib

Page 214

Index 291 password policies 43, 112 search policies 35, 36 VPN service 64 mount attributes 253, 284 mount object class 231 Mount record type 259,

Page 215

292 Index replica management 58, 61, 63, 64, 81, 192, 195 restoring 197 security policy 187 setup 81, 83 status checking 180 troubleshooting 210,

Page 216

Index 293 See also DHCP, LDAP pseudo-master server 66 public network 64 pwpolicy tool 111, 113, 114, 115 Q query timeout, LDAP 152 R RAID (Redundant

Page 217

294 Index ports for 72 pseudo-master 66 referrals 153 remote 79, 127, 178 removing 122 restoring 197, 198 security policy 187 setup 93, 94, 272 su

Page 218 - Open Directory

Index 295 record types 268, 269, 273, 278, 280 searching for 201 troubleshooting authentication 212, 213, 214, 216 Windows 28, 29, 84 See also clien

Page 219 - • ldap

11 Preface: About This Guide 12 What’s in This Guide 13 Using Onscreen Help 14 Documentation Map 15 Viewing PDF Guides Onscreen 15 Printing PDF Guid

Page 220 - Mac OS X Directory Data

When setting up Mac OS X Server as a PDC, make sure your network doesn’t have another PDC with the same domain name. The network can have multiple Ope

Page 221

31 Use this chapter to learn how to use search policies with domains and to understand automatic, custom, and local-only search policies. Each Mac O

Page 222

The following illustration shows two computers on a network that only search their own local directory domain for administrative data. Local directory d

Page 223 - Group Auxiliary Object Class

Chapter 2 Open Directory Search Policies 33 Each class (English, math, science) has its own computer. The students in each class are defined as us

Page 224 - Printer Object Class

Here’s a scenario in which more than one shared directory might be used: School directory domain Science directory domain 1 Search Policy 2 English directory d

Page 225 - ComputerList Object Class

Chapter 2 Open Directory Search Policies 35 A computer’s automatic search policy always begins with the computer’s local directory domain. If a M

Page 226 - Preset Computer Object Class

Important: If you configure Mac OS X to use an automatic authentication search policy and a DHCP-supplied LDAP server or a DHCP-supplied local directo

Page 227 - Preset Group Object Class

37 Use this chapter to learn how to use Open Directory authentication, shadow and crypt passwords, Kerberos, LDAP bind, and single sign-on. Open Dir

Page 228 - Preset User Object Class

Authentication and Authorization Services such as the login window and Apple Filing Protocol (AFP) service request user authentication from Open Direct

Page 229 - Neighborhood Object Class

Chapter 3 Open Directory Authentication 39 User accounts in the following directory domains can have Open Directory passwords: The LDAP directory

Page 230 - Automount Map Object Class

4 Contents 36 Custom Search Policies 36 Search Policies for Authentication and Contacts 37 Chapter 3: Open Directory Authentication 37 About Pas

Page 231

Providing Secure Authentication for Windows Users Mac OS X Server also offers the same types of secure passwords for Windows users: Open Directory passwo

Page 232

Chapter 3 Open Directory Authentication 41 Shadow passwords and Open Directory passwords are far less susceptible to offline attack because they ar

Page 233

Password type Authentication authority Attribute in user record Open Directory Open Directory Password Server and Kerberos1 Either or both: • ApplePass

Page 234

Chapter 3 Open Directory Authentication 43 The password policy for a mobile user account applies when the account is used while disconnected from

Page 235

Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerb

Page 236

Chapter 3 Open Directory Authentication 45 You needed a suite of Kerberized applications (server and client software). Some of the basics were

Page 237

Kerberos was designed to solve network security problems. It never transmits the user’s password across the network, nor does it save the password in

Page 238

Chapter 3 Open Directory Authentication 47 Multiplatform Authentication Kerberos is available on every major platform, including Mac OS X, Windows

Page 239

To configure new and upgraded services to use Kerberos: 1 Open Server Admin and connect to the upgraded server. 2 Click the triangle at the left of t

Page 240

Chapter 3 Open Directory Authentication 49 About the Kerberos Authentication Process There are several phases to Kerberos authentication. In the

Page 241 - Machine Attributes

Contents 5 64 Open Directory Master and Replica Compatibility 65 Mixing Active Directory and Open Directory Master and Replica Services 66 Integrati

Page 242

Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client fails to achieve authentication

Page 243

Chapter 3 Open Directory Authentication 51 Open Directory supports many authentication methods because each service that requires authentication

Page 244

Disabling Open Directory Authentication Methods To make Open Directory password storage on the server more secure, you can selectively disable authenti

Page 245

Chapter 3 Open Directory Authentication 53 Disabling Shadow Password Authentication Methods You can selectively disable authentication methods to

Page 246

Contents of the Open Directory Password Server Database Open Directory Password Server maintains an authentication database separate from the directory

Page 247

55 Use this chapter to assess directory domain needs, estimate directory and authentication requirements, identify servers for hosting shared domai

Page 248

With this arrangement, each user has two accounts, one for logging in to a computer and one for accessing services of Mac OS X Server, as illustrated

Page 249

Chapter 4 Open Directory Planning and Management Tools 57 In many organizations, a single shared directory domain is adequate. It can handle hund

Page 250

You also configure Mac OS X Server to handle cross-domain authorization if a Kerberos realm exists. If you have an existing Active Directory server, you

Page 251

Chapter 4 Open Directory Planning and Management Tools 59 The Open Directory server can provide LDAP and authentication services to more client c

Page 252

6 Contents 102 Joining a Server to a Kerberos Realm 103 Magic Triangle General Setup Overview 104 Chapter 6: Managing User Authentication Using

Page 253 - Active Directory

Replicating Open Directory Services Mac OS X Server supports replication of the LDAP directory service, the Open Directory Password Server, and the Ker

Page 254 - Attribute Mappings for Users

Chapter 4 Open Directory Planning and Management Tools 61 Replica version Mac OS X Server v10.5 or later master Mac OS X Server v10.4 master Mac OS

Page 255

A single Open Directory master server can have up to 32 replicas and each of those replicas can have up to 32 replicas, which gives you 1,056 replicas

Page 256

Chapter 4 Open Directory Planning and Management Tools 63 Load Balancing in Small, Medium, and Large Environments Do not use service load-balancin

Page 257

Using an Open Directory Master, Replica, or Relay with NAT If your network has an Open Directory server on the private network side of a network addres

Page 258 - Mappings for Groups

Chapter 4 Open Directory Planning and Management Tools 65 Mixing Active Directory and Open Directory Master and Replica Services There are some sp

Page 259 - Mappings for Mounts

Or • Active Directory Domain = ads.company.com • Active Directory Kerberos realm = ADS.COMPANY.COM • Open Directory Server master = server1.od.company.com

Page 260 - Mappings for Computers

Chapter 4 Open Directory Planning and Management Tools 67 Using cross-domain authorization keeps you from needing to create different user names a

Page 261

The Active Directory server manages authentication requests while the Open Directory server manages preference and policy settings of client computers

Page 262 - Mappings for ComputerLists

Chapter 4 Open Directory Planning and Management Tools 69 Integrating Without Schema Changes Mac OS X and Mac OS X Server integrate with most LDAP

Page 263 - Mappings for Config

Contents 7 131 Protecting Computers from a Malicious DHCP Server 132 Using Advanced Directory Services Settings 132 Enabling or Disabling Active Dir

Page 264 - Attribute Mappings for Config

Mac OS X Server must belong to the same Kerberos realm as its client users. The realm has only one authoritative Kerberos server, which is responsible

Page 265 - Mappings for People

Chapter 4 Open Directory Planning and Management Tools 71 If you must use an Open Directory server to manage users in another server’s directory

Page 266

Open Directory Security With Mac OS X Server, a server with a shared LDAP directory domain also provides Open Directory authentication. It is important

Page 267 - Mappings for PresetGroups

Chapter 4 Open Directory Planning and Management Tools 73 Equip the Open Directory master computer with an uninterruptible power supply. In summ

Page 268 - Mappings for PresetUsers

Tools for Managing Open Directory Services The Server Admin, Directory Utility, and Workgroup Manager applications provide a graphical interface for m

Page 269

Chapter 4 Open Directory Planning and Management Tools 75 For basic information about using Server Admin, see the Server Administration chapter i

Page 270 - Mappings for Printers

Workgroup Manager Workgroup Manager provides comprehensive management of Mac OS X Server clients. You use Workgroup Manager to: Set up and manage user a

Page 271

77 Use this chapter to learn how to set up Open Directory services, including configurations, roles, master and replica LDAP service options, and si

Page 272 - Mappings for Locations

Step 5: Set up a Primary Domain Controller (PDC). To set up a server to provide directory and authentication services for Windows and Mac OS X platform

Page 273

Chapter 5 Setting Up Open Directory Services 79 Users whose information can be managed most easily on a server should be defined in the shared LDA

Page 274

8 Contents 174 Specifying NIS Settings 175 Specifying BSD Configuration File Settings 176 Setting Up Data in BSD Configuration Files 177 Chapter 9:

Page 275

Setting Up a Standalone Directory Service Using Server Admin, you can set up Mac OS X Server to use only the server’s local directory domain. The serve

Page 276 - • ShadowHash;

Chapter 5 Setting Up Open Directory Services 81 If your server is an Open Directory replica, select “Decommission replica and set up standalon

Page 277

To configure a server to be an Open Directory master: 1 Open Server Admin and connect to the server. 2 Click the triangle at the left of the server. T

Page 278

Chapter 5 Setting Up Open Directory Services 83 • Search Base: This field is set to a search base suffix for the new LDAP directory, derived from t

Page 279

Setting Up a Primary Domain Controller (PDC) Using Server Admin, you can set up Mac OS X Server as a Windows PDC. The PDC hosts a Windows domain and pr

Page 280

Chapter 5 Setting Up Open Directory Services 85 • Domain: Enter the name of the Windows domain that the server will host. The domain name canno

Page 281

Setting Up Windows XP for Domain Login You can enable domain login on a Windows XP computer by joining it to the Windows domain of a Mac OS X Server PD

Page 282

Chapter 5 Setting Up Open Directory Services 87 Setting Up an Open Directory Replica Using Server Admin, you can set up Mac OS X Server to be a re

Page 283

To configure a server to host a replica of an Open Directory master: 1 Make sure the master, the prospective replica, and every firewall between them i

Page 284

Chapter 5 Setting Up Open Directory Services 89 After you set up an Open Directory replica, other computers will connect to it as needed. Computer

Page 285

Contents 9 207 Using kadmin to Kerberize a Service 207 Kerberizing Services with an Active Directory Server 208 Using Directory Service Tools 208 O

Page 286

Setting Up a Server as a Backup Domain Controller (BDC) Using Server Admin, you can set up Mac OS X Server as a Windows backup domain controller (BDC).

Page 287 - Index 287

Chapter 5 Setting Up Open Directory Services 91 After setting up a BDC, you might want to change access restrictions, logging detail level, code

Page 288 - 288 Index

Setting Up a Connection to a Directory Server Using Server Admin, you can set up Mac OS X Server to get user records and other directory information fr

Page 289 - Index 289

Chapter 5 Setting Up Open Directory Services 93 Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2 authentication,

Page 290 - 290 Index

• Computer Name: Enter the name you want Windows users to see when they connect to the server. This is the server’s NetBIOS name. The name should con

Page 291 - Index 291

Chapter 5 Setting Up Open Directory Services 95 8 Click Done. 9 If you want to configure advanced settings for your Active Directory connection

Page 292 - 292 Index

24 Click OK. 25 From the Servers list, select SMB. 26 Click Settings, then click General. 27 Verify that the server is now a member of the Ac

Page 293 - Index 293

Chapter 5 Setting Up Open Directory Services 97 When Open Directory is started for the first time, Kerberos uses DNS to generate configuration sett

Page 294 - 294 Index

The server can also support single sign-on Kerberos authentication for Kerberized services of other servers on the network. The other servers must be

Page 295 - Index 295

Chapter 5 Setting Up Open Directory Services 99 5 Use Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory ma
