Apple Training Series Mac OS X Directory Services v10.5

Book Description

This reference provides in-depth technical information on the directory services architecture of Mac OS X and Mac OS X Server. System administrators and IT professionals will learn how to deploy Mac OS X and Mac OS X Server in a multiplatform, heterogeneous environment, with an emphasis on integrating user accounts and authentication processes. The book follows the learning objectives of the Directory Services exam, one requirement toward the Apple Certified System Administrator (ACSA) certification, Apple's highest level of IT certification, and so serves both as a study aid for that exam and as an in-depth technical reference for experienced system administrators and engineers. Chapter tests reinforce the knowledge gained along the way.

Table of Contents

  1. Copyright
  2. Acknowledgments
  3. Getting Started
    1. Learning Methodology
    2. Chapter Structure
    3. Apple Certifications
    4. About the Apple Training Series
  4. 1. Accessing the Local Directory Service
    1. Exploring Directory Services
      1. Directory Services Definitions
      2. Understanding the BSD/local Node and BSD Flat Files
      3. Examining DNS Information
      4. Defining User Records
      5. Distinguishing Between Standard and Native Attributes
      6. Using dscl to Examine the Local Default Node
      7. Using the File System to Examine the Local Default Node
    2. Creating and Editing Local Users
      1. Understanding the Structure of User Records
      2. Creating and Editing User Records with Workgroup Manager
      3. Creating a Local User Record with dsimport
        1. Specifying the Record Description in the Input File
        2. Specifying the Record Description as an Option to the dsimport Command
        3. Using the Standard User Record Option
      4. Creating a Local User Record by Copying a Record File
      5. Modifying a Local User Record with a Text Editor
      6. Modifying a Local User Record with dscl
      7. Creating and Modifying a Local User Record in the /BSD/local Node with a Text Editor
    3. Creating and Editing Local Groups
      1. Understanding the Attributes of Group Records
      2. Creating and Editing Local Groups with Workgroup Manager
      3. Creating and Editing Local Groups with dscl
      4. Creating and Editing Local Groups with dseditgroup
      5. Creating and Editing Local Groups with a Text Editor
    4. Troubleshooting Directory Services
      1. Using Logs
      2. Using dserr
      3. Resolving User Name Collision with Two Directories
      4. Logging in with >console
      5. Logging in as the System Administrator
    5. What You’ve Learned
    6. References
      1. Documentation
      2. Developer Notes
    7. Review Quiz
      1. Answers
  5. 2. Accessing an Open Directory Server
    1. Configuring Open Directory Clients
      1. Using Directory Utility to Bind to an Open Directory Master
      2. Confirming Mac OS X Is Bound to an Open Directory Server
        1. Using id to Confirm Binding
      3. Setting Up Trusted Binding with an Open Directory Master
      4. Using Directory Utility to Set Up Trusted Binding
        1. Illustrating Clear Text Network Traffic
      5. Confirming Open Directory Traffic Is Secured
    2. Configuring Directory Services Search Paths
      1. Understanding the Authentication Search Path
      2. Understanding the Contacts Search Path
      3. Configuring Search Paths with Directory Utility
      4. Examining and Modifying the Authentication Search Path with dscl
    3. Troubleshooting Binding Issues
      1. Using DHCP-Supplied LDAP Server to Bind to an Open Directory Master
      2. Understanding the Processes and Files Involved with Binding
      3. Comparing dscl Data with ldapsearch Data
      4. Setting Up Binding at the Command Line
      5. Using dscl to Verify Binding to an Open Directory Master
        1. Understanding the Computer Record Created When Establishing Trusted Binding
    4. Troubleshooting Login Issues
      1. Identifying the Network User Account with Directory Services
      2. Verifying Authentication Against the Password Server
      3. Verifying Kerberos Authentication
        1. Understanding Kerberos Authentication
        2. Using the Kerberos Application
        3. Using the klist and kinit Commands
      4. Verifying Home Folder Access
        1. Identifying the Home Folder Attributes
        2. Confirming Automount Records
        3. Understanding the Open Directory Value of 99
        4. Confirming Access to the Network Home Folder
        5. Confirming the Location of the Network Home Folder
      5. Understanding the Login Process
        1. Understanding the Role of the AuthenticationAuthority Attribute in the Login Process
        2. Mounting the Network Home Folder
      6. Using the >console Login for Troubleshooting
      7. Viewing Log Files
    5. What You’ve Learned
    6. References
      1. Apple Knowledge Base Articles
      2. Documentation
      3. Books
    7. Review Quiz
      1. Answers
  6. 3. Accessing a Third-Party LDAP Service
    1. Populating an LDAP Server for Network Login
      1. Inspecting Information from an LDAP Service
        1. Inspecting Information from a Standard LDAP Service
        2. Inspecting the OpenLDAP Schema Files
        3. Inspecting Information from an eDirectory Service
      2. Identifying Required Network User Attributes
        1. Understanding Similar LDAP Attributes
      3. Editing Your Directory Schema
      4. Reusing Existing, Unused Attributes
      5. Providing Records for Automount
        1. Modifying Your LDAP Workflow
    2. Configuring Mac OS X to Log In Using a Standard LDAP Server
      1. Understanding How a User Authenticates at the Login Window
      2. Understanding MCX Records
      3. Mapping Records and Attributes
      4. Augmenting LDAP Data with Local Static and Variable Mappings
      5. Saving and Reusing a Mapping Template
      6. Supplementing LDAP Data with Information from an Open Directory Server
      7. Configuring Mac OS X to Use a Third-Party Kerberos KDC
        1. Understanding Kerberos Configuration Files
    3. Troubleshooting Binding Issues
    4. Troubleshooting Login Issues
      1. Booting and Using Mount Records
      2. Identifying and Authenticating the User
      3. Applying Managed Preferences
      4. Mounting the Home Folder
    5. What You’ve Learned
    6. References
      1. Documentation
      2. Books
      3. Websites
    7. Review Quiz
      1. Answers
  7. 4. Accessing an Active Directory Service
    1. Configuring Mac OS X to Log In Using Active Directory
      1. Understanding Active Directory Terms
        1. Understanding the Active Directory Computer Object
        2. Specifying a User to Create the Computer Object
      2. Binding to Active Directory with Directory Utility
      3. Logging In as an Active Directory User on Mac OS X
        1. Specifying a User Name at the Login Screen
        2. Understanding the Home Folder Default Behavior
        3. Understanding Home Folder Synchronization
      4. Changing the Active Directory Plug-in Default Settings
      5. Exploring the “User Experience” Advanced Options Pane
        1. Specifying a Network Home Folder
        2. Logging In with a Windows Home Folder
      6. Changing User and Group Mappings
      7. Exploring the “Administrative” Advanced Options Pane
      8. Creating the Computer Account in a Custom Location
      9. Binding to Active Directory with dsconfigad
        1. Using Configuration Options Available Only with dsconfigad
        2. Providing Managed Preferences to Active Directory Users
    2. Troubleshooting Binding Issues
      1. Using Command-Line Tools to Confirm Binding
      2. Binding After Imaging
      3. Using System Logs
      4. Confirming DNS Service
      5. Confirming Access to Service Ports
      6. Understanding the Binding Process
      7. Specifying a User with Authorization to Bind
      8. Unbinding from Active Directory
      9. Binding to Active Directory and Open Directory
    3. Troubleshooting Login Issues
      1. Resolving Time Issues
      2. Using the Logs
      3. Transitioning from a Local User to an Active Directory User
      4. Understanding Mobile Accounts
      5. Updating Active Directory Indexing
      6. Forcing Replication
    4. What You’ve Learned
    5. References
      1. Administration Guides
      2. Apple Knowledge Base Documents
      3. Books
      4. Websites
    6. Review Quiz
      1. Answers
  8. 5. Configuring Open Directory Server
    1. Configuring Mac OS X Server as an Open Directory Master
      1. Using changeip to Confirm Your DNS Records
      2. Upgrading from Earlier Versions of Mac OS X Server
        1. Upgrading from Earlier Versions of Mac OS X Server
        2. Restoring from an Open Directory Archive
      3. Promoting a Standalone Server to Open Directory Master
        1. Using Server Admin to Promote to Open Directory Master
      4. Preparing Mac OS X Server to Serve Home Folders
        1. Configuring an Automount Record for User Home Folders
        2. Starting Apple File Protocol (AFP)
      5. Securing LDAP Connections
        1. Creating a Self-Signed TLS Certificate to Secure LDAP Service
        2. Using Server Admin to Secure LDAP Service with TLS
        3. Configuring LDAP Client to Accept a TLS Certificate
        4. Configuring Mac OS X to Use TLS for LDAP Queries
      6. Tuning Open Directory Master Performance and Security Settings
        1. Setting Global Password Policy
        2. Setting Binding Policy
        3. Allowing Users to Edit Their Own Contact Information
        4. Changing the Types of Password Hashes Stored in the Password Server Database
        5. Disallowing Anonymous Binding
        6. Making Changes to the Berkeley DB Cache Size
    2. Configuring Mac OS X Server as a Primary Domain Controller (PDC)
      1. Providing WINS Services
      2. Providing Windows Roaming Profiles
      3. Providing Windows Network Home Directories
      4. Providing a Single Network Home Directory for Windows and Mac OS X Logins
    3. Managing Data Stored in an Open Directory Master
      1. Defining Limited Administrators
      2. Inspecting the Resulting DACs
      3. Understanding OpenLDAP Components
        1. Using ldapadd to Add Records to the Directory
      4. Understanding LDIF Files
        1. Using ldapmodify to Add New Records with LDIF Files
        2. Using Kerberos with ldapadd to Add New Records with LDIF Files
        3. Understanding the Limitations of ldap* Commands
        4. Understanding the slap* Commands
        5. Using dsimport to Create New Open Directory Users
        6. Using Server Admin to Archive Your Directory Information
        7. Exporting Directory Information Using serveradmin
      5. Exporting and Importing Directory Information Using Workgroup Manager
        1. Exporting User Information Using Workgroup Manager
        2. Importing Directory Information Using Workgroup Manager
    4. Troubleshooting Issues Promoting Mac OS X Server to an Open Directory Master
      1. Using changeip to Change IP Address and Host Name of Mac OS X Server
      2. Using slapconfig to Promote to Open Directory Master
      3. Viewing the slapconfig.log Generated from Promoting to Open Directory Master
      4. Understanding the Files Modified or Created when Promoting to Open Directory Master
      5. Troubleshooting LDAP Connections
      6. Configuring slapd Logging
    5. What You’ve Learned
    6. References
      1. Documentation
      2. Apple Knowledge Base Documents
      3. Websites
    7. Review Quiz
      1. Answers
  9. 6. Configuring Open Directory Replicas
    1. Configuring Mac OS X Server as an Open Directory Replica
      1. Understanding the Load on an Open Directory Server
      2. Securing Your Open Directory Server
      3. Understanding Open Directory Replication Topology
        1. Setting How Often Replication Occurs
      4. Binding to an Open Directory Server
        1. Choosing an Open Directory Server for Binding
        2. Controlling to Which Open Directory Server a Client Binds
      5. Promoting to Open Directory Replica
        1. Promoting Mac OS X Server to Open Directory Replica with Server Admin
        2. Promoting Mac OS X Server to Open Directory Replica with slapconfig
        3. Monitoring the Status of the Replication System
      6. Promoting a Replica to Permanently Replace a Master
        1. Promoting a Replica to Master with Server Admin
        2. Promoting a Replica to Master with slapconfig
    2. Troubleshooting Open Directory Replication
      1. Understanding the Processes Responsible for Replicating
      2. Ensuring SSH Is Available When You Create a Replica
      3. Understanding the Replica Creation Process
    3. What You’ve Learned
    4. References
      1. Documentation
      2. Apple Knowledge Base Documents
      3. Books
      4. Websites
    5. Review Quiz
      1. Answers
  10. 7. Connecting Mac OS X Server to Open Directory
    1. Configuring a Mac OS X Server to Connect to an Existing Open Directory Master
      1. Joining Kerberos with Server Admin
      2. Joining Kerberos at the Command Line
        1. Scripting the Entire Binding Process
    2. Configuring a Service to Use an Open Directory Network User or Group Record
      1. Using Workgroup Manager to View Users and Groups in the Shared Domain
      2. Configuring Service Authorization for Network User and Group Records
      3. Configuring File System Authorization for Network User and Group Records
      4. Understanding How SACLs and File System ACLs Use a Record’s UUID
    3. Troubleshooting Binding Issues
      1. Understanding Kerberos Principals
      2. Understanding the Kerberos KDC
      3. Understanding kadmind
      4. Tracing the Steps of sso_util
      5. Viewing Log Files Created in the Binding Process
      6. Reverting a Server to a Prejoin State
    4. Troubleshooting Authentication Issues
      1. Synchronizing the Date and Time with a Local NTP Service
      2. Understanding the Processes That Handle Authentication
        1. Understanding the Password Server
        2. Using Statistics from the Password Server
      3. Understanding How the Password Server and Kerberos Service Interact
      4. Understanding the Process of Kerberos Authentication
        1. Obtaining a TGT
        2. Obtaining a Service Ticket
        3. Authenticating to a Kerberized Service
      5. Confirming Your Keytab
        1. Confirming Your KDC Principals
      6. Using the Authentication Log Files
        1. Using the Password Server Log
        2. Using the KDC Log
        3. Using the kadmin Log
    5. What You’ve Learned
    6. References
      1. Documentation
      2. Apple Knowledge Base Documents
      3. Books
      4. Websites
    7. Review Quiz
      1. Answers
  11. 8. Integrating Mac OS X Server with Other Systems
    1. Configuring Mac OS X Server to Supplement a Third-Party Directory Service
      1. Preparing Mac OS X Server for the Magic Triangle Configuration
      2. Preparing Mac OS X for the Magic Triangle Configuration
      3. Using Workgroup Manager to Provide Managed Preferences in the Magic Triangle Configuration
      4. Using Workgroup Manager to Add Users from a Third-Party Node to Open Directory Groups
      5. Augmenting Third-Party Directory Service User Records with Attributes for Mac OS X Server Services
        1. Understanding Augments
        2. Creating an Augment with a Mac OS X Server in Workgroup Configuration
        3. Inspecting the Augment
        4. Using Workgroup Manager to Inspect an Augment
        5. Creating Augments on Mac OS X Server in Advanced Configuration with Workgroup Manager
        6. Understanding How Open Directory Augments a Record
      6. Determining Which Directory Will Be Used for Identification and Authentication
        1. Exploring the AuthenticationAuthority Attribute
    2. Configuring Mac OS X Server Services to Authenticate in a Third-Party Kerberos Realm
      1. Configuring Mac OS X Server Services to Use a Third-Party Kerberos Realm
      2. Configuring Mac OS X Server Services to Use an Active Directory Kerberos Realm
      3. Confirming Your Active Directory Plug-In and the Samba Service Are Using the Same Active Directory Computer Password
    3. Configuring a Third-Party Server to Use an Open Directory KDC
      1. Creating Service Principals and Exporting Keytabs
    4. What You’ve Learned
    5. References
      1. Documentation
      2. Apple Knowledge Base Documents
      3. Books
      4. Websites
    6. Review Quiz
      1. Answers
  12. A. Extending Your Novell eDirectory Schema
    1. Confirm That You Need to Extend Your Schema
      1. Deciding Not to Extend Your Schema
      2. Providing Mount Records
      3. Using Managed Preferences
    2. Extend Your eDirectory Schema
      1. Using Workgroup Manager to Edit eDirectory Objects
      2. Understanding the Authentication Challenge with eDirectory
  13. B. Extending Your Active Directory Schema
    1. Confirm That You Need to Extend Your Schema
      1. Deciding Not to Extend Your Schema
      2. Providing Mount Records
      3. Using Managed Preferences
    2. Extend Your Active Directory Schema
  14. C. Understanding the Local KDC