Mac OS X Server Open Directory Administration For Version 10.5 Leopard Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to make sure that the information in this manual is correct. Apple Inc., is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino CA 95014-2084 www.apple.com The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, Mac, Macintosh, Xgrid, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. 019-0935/2007-09-01 3 Contents Preface 11 12 12 14 14 15 16 16 17 17 19 19 20 21 21 23 24 25 25 27 28 28 29 30 30 31 32 33 33 33 34 About This Guide What's New in Version 10.5 What's in This Guide Using This Guide Using Onscreen Help Mac OS X Server Administration Guides Viewing PDF Guides on Screen Printing PDF Guides Getting Documentation Updates Getting Additional Information Directory Services with Open Directory Benefits of Using Directory Services Directory Services and Directory Domains A Historical Perspective Data Consolidation Data Distribution Uses of Directory Data Access to Directory Services Inside a Directory Domain Structure of LDAP Directory Information Local and Shared Directory Domains About the Local Directory Domain About Shared Directory Domains Shared Data in Existing Directory Domains SMB Services and Open Directory Open Directory as a Primary Domain Controller Open Directory as a BDC Open Directory Search Policies Search Policy Levels Local Directory Domain Search Policy Two-Level Search Policies Chapter 1 Chapter 2 3 35 36 38 38 Chapter 3 39 40 40 41 41 42 42 43 44 45 46 46 47 48 48 49 49 49 50 50 51 51 52 54 55 56 56 57 58 61 62 62 63 64 65 65 66 Multilevel Search Policies Automatic Search Policies Custom Search Policies Search Policies for Authentication and Contacts Open Directory Authentication Password Types Authentication and Authorization Open Directory Passwords Shadow Passwords Crypt Passwords Providing Secure Authentication for Windows Users Offline Attacks on Passwords Determining Which Authentication Option to Use Password Policies Single Sign-On Authentication Kerberos Authentication Breaking the Barriers to Kerberos Deployment Single Sign-On Experience Secure Authentication Ready to Move Beyond Passwords Multiplatform Authentication Centralized Authentication Kerberized Services Configuring Services for Kerberos After Upgrading Kerberos Principals and Realms Kerberos Authentication Process Open Directory Password Server and Shadow Password Authentication Methods Disabling Open Directory Authentication Methods Disabling Shadow Password Authentication Methods Contents of the Open Directory Password Server Database LDAP Bind Authentication Open Directory Planning and Management Tools General Planning Guidelines Estimating Directory and Authentication Requirements Identifying Servers for Hosting Shared Domains Replicating Open Directory Services Replica Sets Cascading Replication Planning the Upgrade of Multiple Open Directory Replicas Load Balancing in Small, Medium, and Large Environments Replication in a Multibuilding Campus Chapter 4 4 Contents 66 67 67 69 70 70 70 72 73 74 75 75 76 77 77 78 Chapter 5 79 79 80 81 81 81 83 85 85 86 87 87 88 90 91 91 92 93 94 95 97 98 99 100 102 Using an Open Directory Master, Replica, or Relay with NAT Open Directory Master and Replica Compatibility Mixing Active Directory and Open Directory Master and Replica Services Integrating with Existing Directory Domains Integrating Without Schema Changes Integrating with Schema Changes Avoiding Kerberos Conflicts with Multiple Directories Improving Performance and Redundancy Open Directory Security Service Access Control Lists (SACLs) Tiered Administration Tools for Managing Open Directory Services Server Admin Directory Utility Workgroup Manager Command-Line Tools Setting Up Open Directory Services Setup Overview Before You Begin Managing Open Directory on a Remote Server Turning Open Directory On Setting Up a Standalone Directory Service Setting Up an Open Directory Master Instructing Users How to Log In Setting Up a Primary Domain Controller Setting Up Windows Vista for Domain Login Setting Up Windows XP for Domain Login Setting Up Windows 2000 for Domain Login Setting Up an Open Directory Replica Creating Multiple Replicas of an Open Directory Master Setting Up Open Directory Relays for Cascading Replication Setting Up a Server as a BDC Setting Up Open Directory Failover Setting Up a Connection to a Directory Server Setting Up a Server as a Mac OS X Server PDC Domain Member Setting Up a Server as an Active Directory Domain Member Setting Up Single Sign-On Kerberos Authentication Setting Up an Open Directory Kerberos Realm Starting Kerberos After Setting Up an Open Directory Master Delegating Authority to Join an Open Directory Kerberos Realm Joining a Server to a Kerberos Realm Contents 5 Chapter 6 105 106 106 107 108 108 110 110 111 111 112 113 114 115 116 116 117 117 119 119 119 120 121 121 122 122 123 123 123 124 125 125 126 126 126 127 128 128 129 130 131 Managing User Authentication Composing a Password Changing a User's Password Resetting the Passwords of Multiple Users Changing a User's Password Type Changing the Password Type to Open Directory Changing the Password Type to Crypt Password Changing the Password Type to Shadow Password Enabling Single Sign-On Kerberos Authentication for a User Changing the Global Password Policy Setting Password Policies for Individual Users Selecting Authentication Methods for Shadow Password Users Selecting Authentication Methods for Open Directory Passwords Assigning Administrator Rights for Open Directory Authentication Keeping the Primary Administrator's Passwords in Sync Enabling LDAP Bind Authentication for a User Setting Passwords of Exported or Imported Users Migrating Passwords From Mac OS X Server v10.1 or Earlier Managing Directory Clients Connecting Clients to Directory Servers About Directory Server Connections Automated Client Configuration Adding an Active Directory Server Connection Adding an Open Directory Server Connection Removing a Directory Server Connection Editing a Directory Server Connection Monitoring Directory Server Connections Managing the Root User Account Enabling the Root User Account Changing the Root User Account Password Advanced Directory Client Settings About Advanced Directory Services Settings Setting Up Directory Utility on a Remote Server Configuring Mount Records for a Computer's Local Directory Domain Adding a Mount Record to the Local Directory Domain Removing a Mount Record from the Local Directory Domain Editing a Mount Record in the Local Directory Domain Using Advanced Search Policy Settings Defining Automatic Search Policies Defining Custom Search Policies Defining Local Directory Search Policies Chapter 7 Chapter 8 6 Contents 131 131 132 132 133 133 134 134 135 136 138 140 141 143 144 145 146 149 150 150 151 151 152 152 152 153 153 154 154 155 155 156 157 159 161 162 163 163 164 165 166 166 167 Waiting for a Search Policy Change to Take Effect Protecting Computers from a Malicious DHCP Server Using Advanced Directory Services Settings Enabling or Disabling Active Directory Service Enabling or Disabling LDAP Directory Services Using Advanced LDAP Service Settings Accessing LDAP Directories in Mail and Address Book Enabling or Disabling Use of a DHCP-Supplied LDAP Directory Showing or Hiding Configurations for LDAP Servers Configuring Access to an LDAP Directory Configuring Access to an LDAP Directory Manually Changing a Configuration for Accessing an LDAP Directory Duplicating a Configuration for Accessing an LDAP Directory Deleting a Configuration for Accessing an LDAP Directory Changing the Connection Settings for an LDAP Directory Changing the Security Policy for an LDAP Connection Configuring LDAP Searches and Mappings Setting Up Trusted Binding for an LDAP Directory Stopping Trusted Binding with an LDAP Directory Changing the Open/Close Timeout for an LDAP Connection Changing the Query Timeout for an LDAP Connection Changing the Rebind-Try Delay Time for an LDAP Connection Changing the Idle Timeout for an LDAP Connection Forcing Read-Only LDAPv2 Access Ignoring LDAP Server Referrals Authenticating an LDAP Connection Changing the Password Used for Authenticating an LDAP Connection Mapping Config Record Attributes for LDAP Directories Editing RFC 2307 Mapping to Enable Creating Users Preparing a Read-Only LDAP Directory for Mac OS X Populating LDAP Directories with Data for Mac OS X Using Advanced Active Directory Service Settings About Active Directory Access Configuring Access to an Active Directory Domain Setting Up Mobile User Accounts in Active Directory Setting Up Home Folders for Active Directory User Accounts Setting a UNIX Shell for Active Directory User Accounts Mapping the UID to an Active Directory Attribute Mapping the Primary Group ID to an Active Directory Attribute Mapping the Group ID in Group Accounts to an Active Directory Attribute Specifying a Preferred Active Directory Server Changing the Active Directory Groups That Can Administer the Computer Controlling Authentication from All Domains in the Active Directory Forest Contents 7 168 168 169 170 171 171 Chapter 9 173 173 174 174 175 176 177 177 177 178 178 179 179 180 180 180 181 182 183 183 184 184 186 186 187 187 188 189 189 190 190 190 193 194 195 Unbinding from the Active Directory Server Editing User Accounts and Other Records in Active Directory Setting Up LDAP Access to Active Directory Domains Specifying NIS Settings Specifying BSD Configuration File Settings Setting Up Data in BSD Configuration Files Maintaining Open Directory Services Controlling Access to Open Directory Servers and Services Controlling Access to a Server's Login Window Controlling Access to SSH Service Configuring Service Access Control Configuring Record Privileges Monitoring Open Directory Checking the Status of an Open Directory Server Monitoring Replicas and Replays of an Open Directory Master Viewing Open Directory Status and Logs Monitoring Open Directory Authentication Viewing and Editing Directory Data Showing the Directory Inspector Hiding the Directory Inspector Setting Directory Access Controls (DACs) Deleting Records Deleting Users or Computers Using Inspector or the Command Line Changing a User's Short Name Importing Records of Any Type Setting Options for an Open Directory Server Setting a Binding Policy for an Open Directory Server Setting a Security Policy for an Open Directory Server Changing the Location of an LDAP Database Limiting Search Results for LDAP Service Setting the Search Timeout Interval for LDAP Service Setting up SSL for LDAP Service Creating a Custom SSL Configuration for LDAP Managing Open Directory Replication Scheduling Replication of an Open Directory Master or Primary Domain Controller (PDC) Synchronizing an Open Directory Replica or BDC on Demand Making an Open Directory Replica into a Relay Promoting an Open Directory Replica Decommissioning an Open Directory Replica Archiving an Open Directory Master Restoring an Open Directory Master 8 Contents Chapter 10 199 199 199 200 200 200 200 201 201 201 201 201 202 202 202 202 203 203 205 205 206 Solving Open Directory Problems Solving Open Directory Master and Replica Problems If Kerberos Is Stopped on an Open Directory Master or Replica If You Can't Create an Open Directory Replica If You Can't Create an Open Directory Master or Replica from a Configuration File If You Can't Connect a Replica to Your Relay If You Can't Join an Open Directory Replica to an Open Directory that is a Subordinate of an Active Directory Server Solving Directory Connection Problems If a Delay Occurs During Startup Solving Authentication Problems If You Can't Change a User's Open Directory Password If a User Can't Access Some Services If a User Can't Authenticate f ...