034-2352_Cvr 9/12/03 10:29 AM Page 1 Mac OS X Server Open Directory Administration For Version 10.3 or Later LL2352.Book Page 2 Friday, August 22, 2003 3:12 PM Apple Computer, Inc. © 2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or clerical errors. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Mac OS, Macintosh, Power Mac, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Extensions Manager, and Finder are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. RealAudio is a trademark of Progressive Networks, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2352/09-20-03 LL2352.Book Page 3 Friday, August 22, 2003 3:12 PM 3 Contents Preface 9 About This Guide 10 Using This Guide 11 Getting Additional Information Chapter 1 13 Directory Service Concepts 15 Directory Services and Directory Domains 16 A Historical Perspective 17 Data Consolidation 18 Data Distribution 19 Uses of Directory Data 21 Inside a Directory Domain 21 Local and Shared Directory Domains 21 About the Local Directory Domain 22 About Shared Directory Domains 24 Shared Data in Existing Directory Domains 25 Access to Directory Services 25 Discovery of Network Services Chapter 2 27 Open Directory Search Policies 27 Search Policy Levels 28 Local Directory Search Policy 28 Two-Level Search Policies 29 Multilevel Search Policies 30 Automatic Search Policies 32 Custom Search Policies 32 Search Policies for Authentication and Contacts Chapter 3 33 User Authentication With Open Directory 33 Authentication and Authorization 34 Determining Which Authentication Option to Use 35 Open Directory Authentication 35 Password Policies 35 Which Users Can Have Open Directory Passwords 36 Open Directory Password Server Authentication Methods 3 LL2352.Book Page 4 Friday, August 22, 2003 3:12 PM 36 Contents of Open Directory Password Server Database 37 Kerberos Authentication 37 Kerberized Services 37 Kerberos Principals and Realms 38 Kerberos Authentication Process 39 Single Signon 39 Shadow and Crypt Passwords 40 Encrypting Shadow and Crypt Passwords in User Accounts 41 Cracking Readable Passwords 42 LDAP Bind Authentication Chapter 4 43 Open Directory Planning 43 General Planning Guidelines 44 Controlling Data Accessibility 45 Simplifying Changes to Data in Directories 45 Estimating Directory and Authentication Requirements 46 Identifying Servers for Hosting Shared Domains 47 Replicating Open Directory Services 47 Replication in a Multi-Building Campus 48 Improving Performance and Redundancy 49 Open Directory Security 50 Tools for Managing Open Directory Services 50 Server Admin 51 Directory Access 51 Workgroup Manager 51 Command-Line Tools 52 NetInfo Manager Chapter 5 53 Setting Up Open Directory Services 53 Setup Overview 54 Before You Begin 54 Setting Up Open Directory With Server Assistant 55 Managing Open Directory on a Remote Server 55 Setting Up a Standalone Server 56 Setting Up an Open Directory Master 57 Setting Up an Open Directory Replica 59 Setting Up Open Directory Failover 60 Setting Up a Connection to a Directory System 61 Setting Up Single Signon and Kerberos 61 Setting Up an Open Directory Master for Single Signon and Kerberos 62 Delegating Authority to Join an Open Directory Master for Single Signon and Kerberos 63 Joining a Server to an Open Directory Master for Single Signon and Kerberos 4 Contents LL2352.Book Page 5 Friday, August 22, 2003 3:12 PM 63 Setting LDAP Options 64 Setting the Replication Frequency of an Open Directory Master 64 Changing the Location of an LDAP Database 65 Limiting Search Results for LDAP Service 65 Changing the Search Timeout for LDAP Service 65 Setting up SSL for LDAP Service 66 Migrating a Directory Domain From Netinfo to LDAP 68 Switching Directory Access From NetInfo to LDAP 69 Disabling NetInfo After Migrating to LDAP Chapter 6 71Managing User Authentication 72 Composing a Password 72 Changing a User’s Password 73 Resetting the Passwords of Multiple Users 74 Changing the Global Password Policy 75 Setting Password Policies for Individual Users 76 Changing a User’s Password Type 76 Changing the Password Type to Open Directory 78 Changing the Password Type to Crypt Password 79 Changing the Password Type to Shadow Password 79 Enabling Single Signon Authentication for a User 79 Enabling Kerberos Authentication for a User 80 Enabling LDAP Bind Authentication for a User 80 Assigning Administrator Rights for Open Directory Authentication 81 Exporting and Importing Users Whose Password Type Is Open Directory 81 Exporting and Importing Authentication Manager Users 82 Migrating Passwords to Open Directory Authentication Chapter 7 83 Managing Directory Access 83 Setting Up Services in Directory Access 84 Enabling or Disabling Active Directory Service 84 Enabling or Disabling AppleTalk Service Discovery 84 Enabling or Disabling BSD Flat File and NIS Directory Services 85 Enabling or Disabling LDAP Directory Services 85 Enabling or Disabling NetInfo Directory Services 86 Enabling or Disabling Rendezvous Service Discovery 86 Enabling or Disabling SLP Service Discovery 86 Enabling or Disabling SMB Service Discovery 87 Configuring SMB Service Discovery 87 Setting Up the Authentication and Contacts Search Policies 88 Defining Automatic Search Policies 89 Defining Custom Search Policies 89 Defining Local Directory Search Policies Contents 5 LL2352.Book Page 6 Friday, August 22, 2003 3:12 PM 90 Accessing LDAP Directories 91 Enabling or Disabling Use of a DHCP-Supplied LDAP Directory 91 Showing or Hiding Options for LDAP Directories 92 Configuring Access to an LDAP Directory 93 Changing a Configuration for Accessing an LDAP Directory 93 Duplicating a Configuration for Accessing an LDAP Directory 94 Deleting a Configuration for Accessing an LDAP Directory 95 Changing the Connection Settings for an LDAP Directory 96 Configuring LDAP Searches and Mappings 98 Mapping Config Record Attributes for LDAP Directories 98 Editing RFC 2307 Mapping to Enable Creating Users 99 Preparing a Read-Only LDAP Directory for Mac OS X 100 Populating LDAP Directories With Data for Mac OS X 100 Accessing an Active Directory Domain 101 Learning About the Active Directory Plug-in 102 Configuring Access to an Active Directory Domain 104 Enabling or Disabling Active Directory Credential Caching 104 Specifying a Preferred Active Directory Server 105 Mapping the UID to an Active Directory Attribute 105 Changing the Active Directory Groups That Can Administer the Computer 106 Editing User Accounts and Other Records in Active Directory 106 Setting Up LDAP Access to Active Directory Domains 107 Accessing an NIS Domain 108 Using BSD Configuration Files 109 Setting Up Data in BSD Configuration Files 109 Accessing Legacy NetInfo Domains 110 About NetInfo Binding 111 Configuring NetInfo Binding 111 Adding a Machine Record to a Parent NetInfo Domain 112 Configuring Static Ports for Shared NetInfo Domains 113 Setting Up Directory Access on a Remote Server Chapter 8 115 Maintenance and Problem Solving 115 Monitoring Open Directory 115 Viewing Open Directory Status and Logs 116 Monitoring Open Directory Authentication 116 Directly Viewing and Editing Directory Data 116 Showing the Directory Inspector 117 Hiding the Directory Inspector 117 Changing a User’s Short Name 118 Backing Up Open Directory Files 120 Restoring Open Directory Files 121 Solving Directory Access Problems 6 Contents LL2352.Book Page 7 Friday, August 22, 2003 3:12 PM 121 A Delay Occurs During Startup 122 Solving Authentication Problems 122 A User’s Password Can’t Be Modified 122 A User Can’t Authenticate for VPN Service 122 A User’s Password Type Can’t Be Changed to Open Directory 122 Kerberos Users Can’t Authenticate 123 Resetting an Administrator Password Appendix A 125 Mac OS X Directory Data 126 Open Directory Extensions to LDAP Schema 126 Object Classes in Open Directory LDAP Schema 132 Attributes in Open Directory LDAP Schema 145 Mapping Standard Attributes to LDAP and Active Directory 145 Mappings for Users 149 Mappings for Groups 150 Mappings for Mounts 151 Mappings for Computers 153 Mappings for ComputerLists 153 Mappings for Config 154 Mappings for People 156 Mappings for PresetComputerLists 156 Mappings for PresetGroups 157 Mappings for PresetUsers 159 Mappings for Printers 160 Mappings for AutoServerSetup 160 Mappings for Locations 161 Standard Attributes in User Records 165 User Data That Mac OS X Server Uses 166 Standard Attributes in Group Records