Troubleshooting Integration


When troubleshooting your directory integration, take a step back and observe the chain of events in a successful integration. Walking through this will help you troubleshoot issues that may crop up along the way.

Prior to rebooting, the Mac OS X computer was configured in Directory Access to use two different LDAP directory services for authentication. The primary directory is the third-party directory, where all user records exist. The second is an Apple Open Directory (Mac OS X Server) server that supplements the third-party directory by hosting Mac OS X-specific information outside the user records, such as mount records and computer MCX records. This configuration is stored in two files in /Library/Preferences/DirectoryService/:

  • SearchNodeConfig.plist stores the search policy and the order in which the directory nodes are searched.

  • DSLDAPv3PlugInConfig.plist stores the server settings (host, port, SSL) and the record-type and attribute mappings for each LDAPv3 configuration.
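The following script is added here as an example and is not part of the Apple Training Series text. It shows the consistency check worth running against these two files before walking the login chain: it parses constructed samples of both plists with Python's plistlib (or the two real files, if their paths are given on the command line) and reports a configured LDAP server that is missing from the search path, a first-searched directory with no Users record-type mapping, and SSL switched off on a server that will be handling the LDAP bind. The key names it relies on ("Search Policy", "Search Node Custom Path Array", "LDAP Server Configs", "Server", "SSL", "Port Number", "Record Type Map", "Standard Name") and the policy numbering (1 = Automatic, 2 = Local only, 3 = Custom path) are assumptions drawn from the 10.4-era file layout; confirm them against your own files.

```python
import plistlib

# Assumed plist vocabulary (10.4-era layout); verify against your own files.
SEARCH_POLICY_NAMES = {1: "Automatic", 2: "Local directory only", 3: "Custom path"}
USERS_RECORD_TYPE = "dsRecTypeStandard:Users"

# Constructed sample of SearchNodeConfig.plist: custom path, third-party LDAP
# first, Open Directory second (the local NetInfo node is always searched first).
SEARCH_NODE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Search Policy</key><integer>3</integer>
  <key>Search Node Custom Path Array</key><array>
    <string>/LDAPv3/ldap.example.com</string>
    <string>/LDAPv3/od.example.com</string>
  </array>
</dict></plist>"""

# Constructed sample of DSLDAPv3PlugInConfig.plist: the primary directory maps
# Users but has SSL off; the OD server maps only Mounts and Computers; a stale
# third server is configured but was never added to the search path.
LDAPV3_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LDAP Server Configs</key><array>
  <dict>
    <key>Server</key><string>ldap.example.com</string>
    <key>SSL</key><false/><key>Port Number</key><integer>389</integer>
    <key>Record Type Map</key><array>
      <dict><key>Standard Name</key><string>dsRecTypeStandard:Users</string>
        <key>Native Map</key><array><string>ou=People,dc=example,dc=com</string></array></dict>
    </array>
  </dict>
  <dict>
    <key>Server</key><string>od.example.com</string>
    <key>SSL</key><true/><key>Port Number</key><integer>636</integer>
    <key>Record Type Map</key><array>
      <dict><key>Standard Name</key><string>dsRecTypeStandard:Mounts</string>
        <key>Native Map</key><array><string>cn=mounts,dc=od,dc=example,dc=com</string></array></dict>
      <dict><key>Standard Name</key><string>dsRecTypeStandard:Computers</string>
        <key>Native Map</key><array><string>cn=computers,dc=od,dc=example,dc=com</string></array></dict>
    </array>
  </dict>
  <dict>
    <key>Server</key><string>old.example.com</string>
    <key>SSL</key><true/><key>Port Number</key><integer>636</integer>
  </dict>
</array></dict></plist>"""


def parse_search_config(data):
    """Return the search policy name and the ordered list of directory nodes."""
    cfg = plistlib.loads(data)
    return {
        "policy": SEARCH_POLICY_NAMES.get(cfg.get("Search Policy"), "unknown"),
        "path": list(cfg.get("Search Node Custom Path Array", [])),
    }


def parse_ldap_config(data):
    """Return one summary dict per configured LDAPv3 server."""
    servers = []
    for entry in plistlib.loads(data).get("LDAP Server Configs", []):
        mapped = {m.get("Standard Name") for m in entry.get("Record Type Map", [])}
        servers.append({
            "server": entry["Server"],
            "node": "/LDAPv3/" + entry["Server"],   # node name as it appears in the search path
            "ssl": bool(entry.get("SSL", False)),
            "port": int(entry.get("Port Number", 389)),
            "maps_users": USERS_RECORD_TYPE in mapped,
        })
    return servers


def audit(search_data, ldap_data):
    """Cross-check the two files; returns a list of findings (empty means consistent)."""
    search = parse_search_config(search_data)
    findings = []
    if search["policy"] != "Custom path":
        findings.append("search policy is %s, so the custom path is not in effect" % search["policy"])
    ldap_nodes = [n for n in search["path"] if n.startswith("/LDAPv3/")]
    for s in parse_ldap_config(ldap_data):
        if s["node"] not in search["path"]:
            findings.append("%s: configured but absent from the search path, so it is never consulted" % s["server"])
            continue
        if not s["ssl"]:
            findings.append("%s: SSL off on port %d; a simple LDAP bind sends the password in clear text"
                            % (s["server"], s["port"]))
        if ldap_nodes and s["node"] == ldap_nodes[0] and not s["maps_users"]:
            findings.append("%s: first directory searched but has no Users record-type mapping" % s["server"])
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # paths to the real SearchNodeConfig.plist and DSLDAPv3PlugInConfig.plist
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            search_data, ldap_data = a.read(), b.read()
    else:
        search_data, ldap_data = SEARCH_NODE_CONFIG, LDAPV3_CONFIG
    for line in audit(search_data, ldap_data) or ["no findings"]:
        print(line)
```

With the constructed samples the script reports two findings: ldap.example.com is doing the password bind over plain port 389, and old.example.com is configured but never searched. The Open Directory server raises nothing, because in this layout it only needs to supply mount and computer records, not Users.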


  1. On boot, these files are read and any available directories are searched for mount record information and computer-level MCX settings.

  2. In the example in the following figure, the Open Directory server has mount record information and computer MCX settings.

  3. After those settings have been applied, the Login Window appears.

User Authentication

Once the Login Window appears, a user types in his or her user name and password, and the following occurs:


  1. The Login Window process checks the local NetInfo database for the user record.

  2. If no match is found, the Login Window process queries the directories configured in Directory Access, in the order given by the Authentication search path, starting with the first.

  3. If the computer is bound correctly, the directory that holds the record responds with the contents of the user's record.

  4. Now that the Login Window process has a matching user record, it validates the password, in this case by performing an LDAP bind as that user. Unless the LDAP configuration uses SSL, a simple bind sends the password to the server in clear text, so check the SSL setting whenever the password crosses a network you do not trust.

  5. If the password is correct, the user is logged in with the attributes from that record, such as the user ID and home folder location, applied for this session.

MCX Settings

After the user is verified, Mac OS X retrieves any available MCX records via the following process:


  1. The user is verified.

  2. Next, Mac OS X queries every directory in the search path for group records that carry MCX settings.

  3. The Open Directory server, which hosts the MCX group records, responds with the groups the user belongs to and their MCX settings. When more than one managed group applies, the Login Window process presents the user with the list of groups to choose from.

  4. Once the user chooses an MCX group, the Login Window process resumes the traditional login process and attempts to find the user's home folder.

Home Directory

The Login Window process is designed to handle the listing of several groups; if more groups are found than can be shown, a scroll bar appears on the right of the Login Window, allowing the user to scroll up and down to find the desired group. The following steps take place after the Login Window shows all available groups:


  1. The user selects a managed group, and the process for mounting the home folder begins.

  2. The home folder is mounted by the automount daemon in /usr/sbin, which mounts remote file systems when they are first accessed.

    In the example in the figure below, the user's record in the directory had attributes stating that the home folder is on the Open Directory server.

  3. When the home folder is mounted from the remote server, that connection must itself be authenticated. The Open Directory server holds no record for this user and does not directly know who is attempting to connect, so it searches its own local NetInfo database first.

  4. If no match is found there, the server works through its own search path, configured in Directory Access on the server. In this case, the lookup moves to the Open Directory domain and then to the primary directory domain where the user actually exists, and the user name and password are authenticated a second time. This step depends on the file server being bound to the primary directory; if it is not, the login succeeds but the home folder mount fails.

  5. The connection is allowed and the home folder is successfully mounted.

This complete process is essentially invisible to the user, which is the ultimate goal of spreading user data, home folders, and managed client settings on different servers.




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan