Using Other Directories

Open Directory lets you take advantage of information you have already set up in non-Apple directories and in flat files:

On other LDAPv3 servers

On Active Directory servers

In Berkeley Software Distribution (BSD) configuration files

In Sun Microsystems Network Information System (NIS) files

Mac OS X Server provides full read/write and Secure Sockets Layer (SSL) communications support for LDAPv3 directories. Without SSL, an LDAP simple bind sends the user's password to the server in cleartext, so enable SSL on any LDAP connection that carries credentials or writes to the directory.

Search Policies

Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory listed in the computer's search policy. A search policy is an ordered list of the directories the computer searches when it needs user accounts or other configuration data.

You can configure the search policy of Mac OS X computers on the computers themselves, using the Directory Access application. You can automate Mac OS X client directory setup by using Mac OS X Server's built-in DHCP Option 95 support, which lets a DHCP server send out the address of the server from which a Mac OS X computer should obtain directory data at the same time it provides an IP address to the computer. Because DHCP carries no authentication, a computer configured to accept Option 95 takes its directory server from whichever DHCP server answers on its network segment; use this feature only on networks where you control the DHCP service.
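The following is an added example, not Apple's code, of what a client has to do with an Option 95 value before trusting it: walk the DHCP options area, pull out Option 95, confirm it is an LDAP URL, and check the host against an allow-list the administrator maintains out of band. The packet bytes, host names and base DN are constructed for the example; the option layout follows RFC 2132 and the Option 95 payload is an LDAP URL, which is what Apple's DHCP service sends.

```python
"""Decode DHCP Option 95 (LDAP server URL) the way a cautious directory client would.

Added example, not part of the Mac OS X Server manual. Packet contents below are
constructed; only the option encoding (RFC 2132) and the LDAP URL payload are real.
"""
from urllib.parse import urlsplit, unquote

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132: start of the options area
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LDAP, OPT_END = 0, 53, 54, 95, 255
DHCPACK = 5


def parse_dhcp_options(options_field: bytes) -> dict:
    """Walk the TLV options area into {code: value}.

    Values for a code that appears more than once are concatenated (RFC 3396),
    and a length byte that runs past the packet is an error, not a silent truncation.
    """
    if not options_field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    data = options_field[len(MAGIC_COOKIE):]
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def directory_server_from_dhcp(options_field: bytes, trusted_hosts) -> tuple:
    """Return (scheme, host, port, base_dn) from Option 95, or raise ValueError.

    trusted_hosts is the only defence against a rogue DHCP server here, because
    DHCP itself carries no authentication.
    """
    opts = parse_dhcp_options(options_field)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("directory settings are only taken from a DHCPACK")
    raw = opts.get(OPT_LDAP)
    if raw is None:
        raise ValueError("no Option 95 in this lease")
    try:
        url = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("Option 95 is not an ASCII URL")
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("Option 95 is not an LDAP URL: %r" % url)
    host = parts.hostname.lower()
    if host not in trusted_hosts:
        raise ValueError("untrusted directory server %s" % host)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, host, port, base_dn


def accepts(options_field: bytes, trusted_hosts) -> bool:
    """True if the lease yields a usable, trusted directory server."""
    try:
        directory_server_from_dhcp(options_field, trusted_hosts)
        return True
    except ValueError:
        return False


def encode_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample leases (hosts and base DN are hypothetical).
SAMPLE_ACK = (MAGIC_COOKIE
              + encode_option(OPT_MSG_TYPE, bytes([DHCPACK]))
              + encode_option(OPT_SERVER_ID, bytes([10, 0, 0, 1]))
              + encode_option(OPT_LDAP, b"ldap://od.example.com/dc=example,dc=com")
              + bytes([OPT_END]))
ROGUE_ACK = (MAGIC_COOKIE
             + encode_option(OPT_MSG_TYPE, bytes([DHCPACK]))
             + encode_option(OPT_LDAP, b"ldap://attacker.example.net/dc=example,dc=com")
             + bytes([OPT_END]))
TRUSTED = {"od.example.com"}

if __name__ == "__main__":
    print(directory_server_from_dhcp(SAMPLE_ACK, TRUSTED))
    print("rogue lease accepted:", accepts(ROGUE_ACK, TRUSTED))
```

The allow-list is the part that matters: a lease from a rogue DHCP server on the same segment is indistinguishable from a legitimate one at the protocol level, so the client's own configuration has to decide which directory hosts are acceptable.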

Authentication

You have several options for authenticating users:

Open Directory authentication. Based on the standard Simple Authentication and Security Layer (SASL) framework, Open Directory authentication supports many authentication methods, including CRAM-MD5, APOP, WebDAV-Digest, NT LAN Manager v2, and SHA-1-based methods. It is the preferred way to authenticate Windows users. Challenge-response methods such as CRAM-MD5 and APOP require the server to keep a recoverable copy of each password, which is why the Open Directory password database is kept outside the LDAP directory and is not readable by directory clients.
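The following added example (not Apple's code) shows both sides of a CRAM-MD5 exchange in Python: the server issues a fresh challenge, the client answers with HMAC-MD5 over it keyed by the password, and the server verifies by recomputing the same value. The credentials and host name are constructed; the one real vector is the example exchange from RFC 2195.

```python
"""CRAM-MD5 challenge-response, both sides, as an added illustration.

Not Apple's Password Server code. The user database below is constructed;
a real deployment keeps these secrets in a protected store.
"""
import hashlib
import hmac
import secrets
import time

# The server's copy of each password must be recoverable (cleartext here) because
# verification means recomputing the client's HMAC. Constructed sample data.
PASSWORD_DB = {"alice": "correct horse battery staple"}

HEX_DIGITS = set("0123456789abcdef")


def server_challenge(hostname="od.example.com") -> str:
    """RFC 2195 challenge: '<' random '.' timestamp '@' host '>'. Fresh every time."""
    return "<%s.%d@%s>" % (secrets.token_hex(8), int(time.time()), hostname)


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: username, space, hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def server_verify(response: str, challenge: str, password_db=PASSWORD_DB) -> bool:
    """Server side: recompute the digest from the stored password; constant-time compare."""
    try:
        username, digest = response.rsplit(" ", 1)
    except ValueError:
        return False
    if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
        return False
    stored = password_db.get(username)
    if stored is None:
        # Compare against a dummy so unknown and wrong-password cases take similar time.
        hmac.compare_digest(digest, "0" * 32)
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def run_exchange(username: str, password: str, password_db=PASSWORD_DB) -> bool:
    """One complete exchange: challenge, response, verification."""
    challenge = server_challenge()
    response = client_response(username, password, challenge)
    return server_verify(response, challenge, password_db)


if __name__ == "__main__":
    print("correct password:", run_exchange("alice", "correct horse battery staple"))
    print("wrong password:  ", run_exchange("alice", "hunter2"))
    # A captured response is useless against a later challenge.
    c1, c2 = server_challenge(), server_challenge()
    captured = client_response("alice", "correct horse battery staple", c1)
    print("replay against new challenge:", server_verify(captured, c2))
```

The password never crosses the wire, but the server can only check the response by recomputing HMAC-MD5 with the cleartext password, which is the reason challenge-response methods oblige the server to store passwords in recoverable form. The replay check shows why each challenge must be unique: a response captured for one challenge does not verify against another.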

Open Directory authentication lets you set up password policies for individual users or for all users whose records are stored in a particular directory, with exceptions if required. Open Directory authentication also lets you specify password policies for individual directory replicas.

For example, you can specify a minimum password length or require a user to change the password the next time he or she logs in. You can also disable login for inactive accounts or after a specified number of failed login attempts.
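As an added example (not Apple's code), the following models the policy rules described above: a directory-wide policy, per-user exceptions layered on top of it, a minimum password length, a required change at next login, lockout after a number of failed attempts, and disabling of inactive accounts. The field names, defaults and user records are assumptions made for the illustration.

```python
"""Password-policy evaluation for login attempts. Added example, not Apple's code.

Field names and the sample accounts are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_failed_logins: int = 0        # 0 means never lock out
    max_inactive_days: int = 0        # 0 means never disable for inactivity
    change_at_next_login: bool = False


@dataclass
class UserRecord:
    name: str
    failed_logins: int = 0
    last_login: Optional[datetime] = None
    disabled: bool = False
    overrides: dict = field(default_factory=dict)  # per-user exceptions to the policy


def effective_policy(global_policy: PasswordPolicy, user: UserRecord) -> PasswordPolicy:
    """Directory-wide policy with this user's exceptions applied on top."""
    merged = dict(vars(global_policy))
    merged.update(user.overrides)
    return PasswordPolicy(**merged)


def check_new_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations for a proposed password (empty means OK)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    return problems


def attempt_login(user: UserRecord, password_ok: bool, now: datetime,
                  global_policy: PasswordPolicy) -> str:
    """Apply the policy to one login attempt, update the record, and report the outcome."""
    policy = effective_policy(global_policy, user)
    if user.disabled:
        return "denied: account disabled"
    if (policy.max_inactive_days and user.last_login is not None
            and now - user.last_login > timedelta(days=policy.max_inactive_days)):
        user.disabled = True
        return "denied: disabled for inactivity"
    if not password_ok:
        user.failed_logins += 1
        if policy.max_failed_logins and user.failed_logins >= policy.max_failed_logins:
            user.disabled = True
            return "denied: disabled after %d failed attempts" % user.failed_logins
        return "denied: bad password"
    user.failed_logins = 0
    user.last_login = now
    if policy.change_at_next_login:
        return "allowed: password change required"
    return "allowed"


def demo() -> dict:
    """Constructed timeline exercising each rule; returns the outcomes by user."""
    policy = PasswordPolicy(min_length=8, max_failed_logins=3, max_inactive_days=90)
    now = datetime(2004, 1, 15, 9, 0)
    alice = UserRecord("alice")
    bob = UserRecord("bob", overrides={"max_failed_logins": 0})       # exception: no lockout
    carol = UserRecord("carol", last_login=now - timedelta(days=120))
    dave = UserRecord("dave", overrides={"change_at_next_login": True})
    results = {
        "alice": [attempt_login(alice, False, now, policy),
                  attempt_login(alice, False, now, policy),
                  attempt_login(alice, True, now, policy)],
        "bob": [attempt_login(bob, False, now, policy) for _ in range(5)],
        "carol": [attempt_login(carol, True, now, policy)],
        "dave": [attempt_login(dave, True, now, policy)],
        "short_password": check_new_password("abc", policy),
    }
    results["alice_failed_after_success"] = alice.failed_logins
    results["bob_disabled"] = bob.disabled
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-user override dictionary is how "exceptions if required" is modelled: bob keeps the directory-wide minimum length but is exempt from lockout, while dave inherits everything and additionally must change his password at his next login.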

Kerberos v5 authentication. Kerberos authentication lets Mac OS X Server integrate with existing Kerberos environments. You can also set up a Key Distribution Center (KDC) on Mac OS X Server, which supports the password policies you set up on the server. Using Kerberos also provides a feature known as single signon, described in the next section. Kerberos depends on accurate time: a KDC rejects requests from hosts whose clocks differ from its own by more than the permitted skew (five minutes by default), so keep clients, servers and the KDC synchronized with a network time service.

Chapter 2 Inside Mac OS X Server 31

Apple Mac OS X Server 10.3 manual: Using Other Directories, Search Policies, Authentication