Apple OS X manual Directory Proxy, Directory Native Authentication

Page 21

C H A P T E R 1

Concepts

Other directory services store authorization information outside of the service. By providing an interface between clients of directory services and the directory services themselves, authorization information that is stored outside of the directory service can be shared. For example, you could design a system that controls authorization based on a common token (such as a user entry in a common directory) so that when an administrator creates, deletes, or modifies a token, all services use that same token for authorization. Accordingly, the Open Directory dsDoDirNodeAuth function’s inDirNodeAuthOnlyFlag parameter tells the plug-in whether the proof of identity process is being used to establish access to the foreign directory or whether the proof of identity process is being used only to verify a password.

Here are some ways that could be used to establish an identity that is authorized to access a foreign directory:

have the Open Directory client use a preference to establish a “configuration” identity that can access a given directory

configure the Open Directory plug-in with identity information

It will be necessary for the administrator of the foreign directory to set up, provide, or configure an identity with sufficient access so that a service or plug-in can access or modify all of the necessary information in the foreign directory. Allowing anonymous read access is an alternative to storing a username and password on each client machine. Whether this is possible depends on the directory server in use.

Mac OS X v10.4 optionally uses trusted directory binding, which establishes a trust relationship between a client machine and the directory server.

Directory Native Authentication

Open Directory supports a mechanism that frees Open Directory clients from having to provide specific information about a particular authentication method. This mechanism is called directory native authentication.

When using directory native authentication to authenticate a user to a node, the Open Directory client passes to the Open Directory plug-in the user’s name, password, and an optional specification that cleartext is not an acceptable authentication method.

Upon receipt of the authentication request, the Open Directory plug-in determines the appropriate authentication method based on its configuration (if the plug-in is configurable) or on authentication methods the plug-in has been coded to handle. When the authentication is successful, the Open Directory client receives the authentication type that the plug-in used.

When cleartext is the only available authentication method, the plug-in would deny the authentication if the Open Directory client specifies that cleartext authentication is unacceptable.

Directory Proxy

In previous versions of Mac OS X, an application could only open an Open Directory session with the local DirectoryService daemon. The Open Directory function dsOpenDirService is responsible for opening local Open Directory sessions and returning an Open Directory reference that the application passes to subsequent calls of Open Directory functions.

With Mac OS X v10.2 and later, applications can open an authenticated and encrypted Open Directory session with a remote DirectoryService daemon over TCP/IP. The Open Directory function dsOpenDirServiceProxy is responsible for opening remote Open Directory sessions. As with dsOpenDirService, dsOpenDirServiceProxy returns a Open Directory reference that the application passes to any Open

Open Directory Overview

21

2007-01-08 © 2007 Apple Inc. All Rights Reserved.

Page 20 Page 22
Image 21
Page 20 Page 22
Contents Open Directory Programming Guide Apple Inc Contents N T E N T S Figures, Tables, and Listings G U R E S , T a B L E S , a N D L I S T I N G S See Also Organization of This DocumentIntroduction See Also Open Directory Overview Concepts1Flow of an Open Directory request Nodes2An Open Directory request over a network Record Types Search Policies and Search NodesConstant Description Standard attribute for storing a unique ID commonly found Standard Attribute TypesNative Attribute Types AuthenticationBasic Authentication Open Directory Overview Local Windows Hash Authentication Local Cached User Authentication Disabled User Authentication Directory Proxy Directory Native AuthenticationOpen Directory, lookupd, and NetInfo 3lookupd and NetInfo interaction when using SSH Debugging Directory Service Command Line UtilityListing Registered Nodes Working with NodesWorking with Nodes Finding a Node Opening and Closing a Node Authenticating a User to a Node Authenticating using directory native authentication Directory Native AuthenticationWorking with Nodes Working with Nodes Authenticating a User to a Node Listing Records Working with RecordsListing Records Working with Records Getting Information About a Record’s AttributeGetting Information About a Record’s Attribute Setting the Name of a Record Working with Records Listing 3-3Setting the name of a record Creating a Record and Adding an Attribute Void CreateRecord const tDirNodeReference inDirNodeRef Deleting a Record Working with Records Document Revision History Document Revision History
Related manuals
Manual 32 pages 7.58 Kb
Top Page Image Contents