Apple MacOSXServer Open Directory User Manual Mac OSXServerv10.4 Administration V10.4

• Open Directory Administration
  • Contents
  • About This Guide
    • What’s New in Version 10.4
    • What’s in This Guide
    • Using This Guide
    • Using Onscreen Help
    • The Mac OS X Server Suite
    • Getting Documentation Updates
    • Getting Additional Information
  • Directory Service With Open Directory
    • Directory Services and Directory Domains
    • A Historical Perspective
      • Data Consolidation
      • Data Distribution
    • Uses of Directory Data
    • Access to Directory Services
    • Discovery of Network Services
    • Inside a Directory Domain
    • Structure of LDAP Directory Information
    • Local and Shared Directory Domains
      • About the Local Directory Domain
      • About Shared Directory Domains
      • Shared Data in Existing Directory Domains
  • Open Directory Search Policies
    • Search Policy Levels
      • Local Directory Search Policy
      • Two-Level Search Policies
      • Multilevel Search Policies
    • Automatic Search Policies
    • Custom Search Policies
    • Search Policies for Authentication and Contacts
  • Open Directory Authentication
    • Password Types
      • Authentication and Authorization
      • Open Directory Passwords
      • Shadow Passwords
      • Crypt Passwords
      • Offline Attacks on Passwords
      • Determining Which Authentication Option to Use
    • Password Policies
    • Single Sign-On Authentication
    • Kerberos Authentication
      • Breaking the Barriers to Kerberos Deployment
      • Single Sign-On Experience
      • Secure Authentication
      • Ready to Move Beyond Passwords
      • Multiplatform Authentication
      • Centralized Authentication
      • Kerberized Services
      • Kerberos Principals and Realms
      • Kerberos Authentication Process
    • Open Directory Password Server and Shadow Password Authentication Methods
      • Disabling Open Directory Authentication Methods
      • Disabling Shadow Password Authentication Methods
    • Contents of Open Directory Password Server Database
    • LDAP Bind Authentication
    • Authentication Manager
  • Open Directory Planning
    • General Planning Guidelines
    • Controlling Data Accessibility
    • Simplifying Changes to Data in Directories
    • Estimating Directory and Authentication Requirements
    • Identifying Servers for Hosting Shared Domains
    • Replicating Open Directory Services
      • Load Balancing in Small, Medium, and Large Environments
      • Replication in a Multibuilding Campus
      • Using an Open Directory Master or Replica With NAT
    • Avoiding Kerberos Conflicts With Multiple Directories
    • Improving Performance and Redundancy
    • Open Directory Security
    • Tools for Managing Open Directory Services
      • Server Admin
      • Directory Access
      • Workgroup Manager
      • Command-Line Tools
      • NetInfo Manager
  • Setting Up Open Directory Services
    • Setup Overview
    • Before You Begin
    • Setting Up Open Directory With Server Assistant
    • Managing Open Directory on a Remote Server
    • Setting Up a Standalone Server
    • Open Directory Master and Replica Compatibility
    • Setting Up an Open Directory Master
      • Instructing Users How to Log In
    • Setting Up an Open Directory Replica
      • Creating Multiple Replicas of an Open Directory Master
    • Setting Up Open Directory Failover
    • Setting Up a Connection to a Directory System
    • Setting Up Single Sign-On Kerberos Authentication
      • Setting Up an Open Directory Kerberos Realm
      • Starting Kerberos After Setting Up an Open Directory Master
      • Delegating Authority to Join an Open Directory Kerberos Realm
      • Joining a Server to a Kerberos Realm
    • Setting Options for an Open Directory Master or Replica
      • Setting a Binding Policy for an Open Directory Master and Replicas
      • Setting a Security Policy for an Open Directory Master and Replicas
      • Changing the Location of an LDAP Database
      • Limiting Search Results for LDAP Service
      • Changing the Search Timeout for LDAP Service
      • Setting up SSL for LDAP Service
    • Migrating a Directory Domain From Netinfo to LDAP
    • Switching Directory Access From NetInfo to LDAP
    • Disabling NetInfo After Migrating to LDAP
  • Managing User Authentication
    • Composing a Password
    • Changing a User’s Password
    • Resetting the Passwords of Multiple Users
    • Changing a User’s Password Type
      • Changing the Password Type to Open Directory
      • Changing the Password Type to Crypt Password
      • Changing the Password Type to Shadow Password
    • Enabling Single Sign-On Kerberos Authentication for a User
    • Changing the Global Password Policy
    • Setting Password Policies for Individual Users
    • Selecting Authentication Methods for Shadow Password Users
    • Selecting Authentication Methods for Open Directory Passwords
    • Assigning Administrator Rights for Open Directory Authentication
    • Keeping the Primary Administrator’s Passwords in Sync
    • Enabling LDAP Bind Authentication for a User
    • Setting Passwords of Exported or Imported Users
    • Migrating Passwords From Mac OS X Server v10.1 or Earlier
      • Exporting and Importing Authentication Manager Users
  • Managing Directory Access
    • Setting Up Directory Access on a Remote Server
    • Configuring Access to Services
      • Enabling or Disabling Active Directory Service
      • Enabling or Disabling AppleTalk Service Discovery
      • Enabling or Disabling BSD Flat File and NIS Directory Services
      • Enabling or Disabling LDAP Directory Services
      • Enabling or Disabling NetInfo Directory Services
      • Enabling Bonjour Service Discovery
      • Enabling or Disabling SLP Service Discovery
      • Enabling or Disabling SMB/CIFS Service Discovery
      • Configuring SMB/CIFS Service Discovery
    • Setting Up Search Policies
      • Defining Automatic Search Policies
      • Defining Custom Search Policies
      • Defining Local Directory Search Policies
      • Waiting for a Search Policy Change to Take Effect
      • Protecting Computers From a Malicious DHCP Server
    • Accessing LDAP Directories
      • Accessing LDAP Directories in Mail and Address Book
      • Enabling or Disabling Use of a DHCP-Supplied LDAP Directory
      • Showing or Hiding Configurations for LDAP Servers
      • Configuring Access to an LDAP Directory
      • Configuring Access to an LDAP Directory Manually
      • Changing a Configuration for Accessing an LDAP Directory
      • Duplicating a Configuration for Accessing an LDAP Directory
      • Deleting a Configuration for Accessing an LDAP Directory
      • Changing the Connection Settings for an LDAP Directory
      • Changing the Security Policy for an LDAP Connection
      • Configuring LDAP Searches and Mappings
      • Setting Up Trusted Binding to an LDAP Directory
      • Stopping Trusted Binding With an LDAP Directory
      • Changing the Open/Close Timeout for an LDAP Connection
      • Changing the Query Timeout for an LDAP Connection
      • Changing the Rebind-Try Delay Time for an LDAP Connection
      • Changing the Idle Timeout for an LDAP Connection
      • Forcing Read-Only LDAPv2 Access
      • Ignoring LDAP Server Referrals
      • Authenticating an LDAP Connection
      • Changing the Password Used for Authenticating an LDAP Connection
      • Mapping Config Record Attributes for LDAP Directories
      • Editing RFC 2307 Mapping to Enable Creating Users
      • Preparing a Read-Only LDAP Directory for Mac OS X
      • Populating LDAP Directories With Data for Mac OS X
    • Accessing an Active Directory Domain
      • About the Active Directory Plug-in
      • Configuring Access to an Active Directory Domain
      • Setting Up Mobile User Accounts in Active Directory
      • Setting Up Home Folders for Active Directory User Accounts
      • Setting a UNIX Shell for Active Directory User Accounts
      • Mapping the UID to an Active Directory Attribute
      • Mapping the Primary Group ID to an Active Directory Attribute
      • Mapping the Group ID in Group Accounts to an Active Directory Attribute
      • Specifying a Preferred Active Directory Server
      • Changing the Active Directory Groups That Can Administer the Computer
      • Controlling Authentication From All Domains in the Active Directory Forest
      • Unbinding From the Active Directory Server
      • Editing User Accounts and Other Records in Active Directory
      • Setting Up LDAP Access to Active Directory Domains
    • Accessing an NIS Domain
    • Using BSD Configuration Files
      • Setting Up Data in BSD Configuration Files
    • Accessing Legacy NetInfo Domains
      • About NetInfo Binding
      • Configuring NetInfo Binding
      • Adding a Machine Record to a Parent NetInfo Domain
      • Configuring Static Ports for Shared NetInfo Domains
  • Maintenance and Problem Solving
    • Controlling Access to Open Directory Servers
      • Controlling Access to a Server’s Login Window
      • Controlling Access to SSH Service
    • Monitoring Open Directory
      • Checking the Status of an Open Directory Master or Replica
      • Monitoring Replicas of an Open Directory Master
      • Viewing Open Directory Status and Logs
      • Monitoring Open Directory Authentication
    • Directly Viewing and Editing Directory Data
      • Showing the Directory Inspector
      • Hiding the Directory Inspector
      • Changing a User’s Short Name
      • Setting Directory Access Controls (DACs)
      • Deleting Records
    • Importing Records of Any Type
    • Managing Open Directory Replication
      • Scheduling Replication of an Open Directory Master
      • Synchronizing an Open Directory Replica on Demand
      • Promoting an Open Directory Replica
      • Decommissioning an Open Directory Replica
    • Archiving an Open Directory Master
    • Restoring an Open Directory Master
    • Solving Open Directory Master and Replica Problems
      • Kerberos is Stopped on an Open Directory Master or Replica
      • Can’t Create an Open Directory Replica
    • Solving Directory Access Problems
      • A Delay Occurs During Startup
    • Solving Authentication Problems
      • You Can’t Modify a User’s Open Directory Password
      • A User Can’t Access Some Services
      • A User Can’t Authenticate for VPN Service
      • You Can’t Change a User’s Password Type to Open Directory
      • Users Relying on a Password Server Can’t Log In
      • Users Can’t Log In With Accounts in a Shared Directory Domain
      • Can’t Log In as Active Directory User
      • Users Can’t Authenticate Using Single Sign-On or Kerberos
      • Users Can’t Change Their Passwords
      • Can’t Join a Server to an Open Directory Kerberos Realm
      • Resetting an Administrator Password
  • Mac OS X Directory Data
    • Open Directory Extensions to LDAP Schema
      • Object Classes in Open Directory LDAP Schema
      • Attributes in Open Directory LDAP Schema
    • Mapping Standard Record Types and Attributes to LDAP and Active Directory
      • Mappings for Users
      • Mappings for Groups
      • Mappings for Mounts
      • Mappings for Computers
      • Mappings for ComputerLists
      • Mappings for Config
      • Mappings for People
      • Mappings for PresetComputerLists
      • Mappings for PresetGroups
      • Mappings for PresetUsers
      • Mappings for Printers
      • Mappings for AutoServerSetup
      • Mappings for Locations
    • Standard Open Directory Record Types and Attributes
      • Standard Attributes in User Records
      • Standard Attributes in Group Records
      • Standard Attributes in Computer Records
      • Standard Attributes in Computer List Records
      • Standard Attributes in Mount Records
      • Standard Attributes in Config Records
  • Glossary
  • Index
    • A
    • B
    • C
    • D
    • E
    • F
    • G
    • H
    • I
    • J
    • K
    • L
    • M
    • N
    • O
    • P
    • Q
    • R
    • S
    • T
    • U
    • V
    • W
    • X