Supplementing Active Directory With Mac OS X Server


Like other third-party directory servers, an Active Directory does not include Mac OS X-specific attributes without modifying the schema. Through discussions with the server administrator, you need to determine the appropriate approach, either by modifying the Active Directory schema or by configuring a supplemental server.

MCX Records Can Be Stored in Active Directory

Being able to log in to Active Directory from Mac OS X is adequate integration for many organizations. However, others may also wish to use the Apple Managed Client for X (MCX) technology to further enhance their Active Directory user experience.

One way of supporting MCX on Mac OS X for Active Directory accounts is to modify the existing Active Directory schema so that it incorporates Apple's MCX schema attributes. Then the administrator will need to create and populate all the MCX user, group, and computer records with functional data.

More Info

Apple Professional Services has the ability to modify the Active Directory schema to include these and other Mac OS X-specific attributes. Please refer to the References at the end of this lesson.


Administrators using the Active Directory plug-in can deploy MCX in their Active Directory schema whenever they choose without thought to client configuration. If the Active Directory schema has been extended to include Mac OS X record types (object classes) and attributes, the Active Directory plug-in detects and accesses them automatically. This schema modification enables the Active Directory plug-in to support managed client settings (MCX) made using Workgroup Manager.

Note

Mac OS X clients assume full read access to attributes that are added to the directory. Therefore, it may be necessary to modify the ACL of those attributes to allow computer lists to read these added attributes.


Integrating MCX, Active Directory, and Open Directory

Instead of merging the Apple schema with that of Active Directory, you can host MCX directory content on a separate Open Directory server. Configuring a Mac OS X computer to use this setup is relatively simple. In Directory Access, administrators just need to add an LDAP configuration for the Open Directory server in addition to their Active Directory configuration, which will work for both the Active Directory plug-in and the LDAPv3 plug-in. It also lets you use Workgroup Manager to create MCX workgroup and computer lists.

The biggest drawback is that administrators forfeit their ability to manage individual users; users will need to be managed by group or computer. Still, it's usually more than acceptable, since the more users you have, the more time consuming it is to manage them individually.
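The following script is an added example, not part of the training text: it checks that a client configured as described actually resolves user records through the Active Directory plug-in and MCX computer records through the LDAPv3 (Open Directory) node. It assumes that dscl reports a record's origin as "AppleMetaNodeLocation: <node>", that the Active Directory node name begins with "/Active Directory/" and the Open Directory node with "/LDAPv3/", and that the computer record name is known.

```shell
#!/bin/sh
# Added example (not from the Apple training text): verify that a client
# configured as described resolves user records from the Active Directory
# plug-in and MCX computer records from the LDAPv3 (Open Directory) node.
# Assumptions: dscl prints "AppleMetaNodeLocation: <node>" for a record, the
# AD node name starts with "/Active Directory/" and the OD node with "/LDAPv3/".

AD_NODE_PREFIX="/Active Directory/"
OD_NODE_PREFIX="/LDAPv3/"

# Print the AppleMetaNodeLocation value from dscl -read output on stdin.
record_node() {
    awk -F': ' '/^AppleMetaNodeLocation:/ { print $2; exit }'
}

# Succeed (0) if dscl -read output on stdin carries an MCXSettings attribute.
has_mcx() {
    grep -q '^MCXSettings:'
}

# Succeed (0) if $1 begins with prefix $2.
starts_with() {
    case "$1" in "$2"*) return 0 ;; esac
    return 1
}

# Live check against the search path: $1 = short user name, $2 = computer record.
check_split() {
    user_node=$(dscl /Search -read "/Users/$1" AppleMetaNodeLocation | record_node)
    comp_out=$(dscl /Search -read "/Computers/$2" AppleMetaNodeLocation MCXSettings)
    comp_node=$(printf '%s\n' "$comp_out" | record_node)
    starts_with "$user_node" "$AD_NODE_PREFIX" \
        || { echo "user $1 resolved from $user_node, not Active Directory"; return 1; }
    starts_with "$comp_node" "$OD_NODE_PREFIX" \
        || { echo "computer $2 resolved from $comp_node, not Open Directory"; return 1; }
    printf '%s\n' "$comp_out" | has_mcx \
        || { echo "computer $2 has no MCXSettings attribute"; return 1; }
    echo "OK: users from $user_node, MCX from $comp_node"
}
```

Run `check_split jdoe mac01` on the bound client (substituting a real user and computer record name); a nonzero return names the directory whose record did not resolve as expected.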

Startup

Understanding the big picture is an important part of being able to effectively troubleshoot a problem. In the following figure, you can see what happens at startup with a Mac OS X computer that has been configured to use the Active Directory plug-in for user records and the LDAPv3 plug-in for MCX settings.


  1. All the appropriate plist files discussed earlier have been configured with Directory Access prior to restart.

  2. At startup, the configured Mac OS X computer searches all configured directories for MCX computer records and applies the appropriate settings to itself.

  3. After the MCX settings are applied to the Mac OS X computer, the login screen appears.

User Authentication

The following figure shows the process of user authentication:


  1. The user types a user name and password into the login screen and presses Return.

  2. The loginwindow process checks the local NetInfo database for the user record; if no match is found, loginwindow queries the first configured directory in the Directory Access authentication path list.

  3. Assuming the directory server responds with the contents of the user's record, loginwindow attempts to validate the user using the password.

  4. This validation is performed against the existing Kerberos server specified in the edu.mit.Kerberos file.

  5. The user is issued a Kerberos TGT and is then logged in to the Mac OS X computer.

MCX and Home Directory

Now that the user has been verified, the following figure shows what happens next:


  1. The user is verified.

  2. Mac OS X searches all configured directories shown in the Directory Access authentication path list for MCX groups that are applicable to the current user.

  3. The login screen presents the user with a choice of available groups.

  4. The user chooses a group.

  5. Mac OS X continues the login process with the MCX settings applied to the session.

  6. If the user's record in Active Directory is configured with settings for an SMB home folder, Mac OS X attempts to mount the SMB home folder using Kerberos authentication. If the user's record in Active Directory is configured with settings for an AFP home folder, Mac OS X attempts to mount the AFP home folder.

Other Binding Considerations

Administrators will want to consider some final details prior to deploying Mac OS X with the Active Directory plug-in:

  • Currently, packet signing and packet encryption are not supported.

  • Mac OS X attempts to mount SMB home folders using Kerberos for authentication. Domain controllers can be set up to allow various forms of authentication. If the server hosting the SMB home folder has been configured not to allow Kerberos, Mac OS X will attempt to connect with NTLMv2.

  • The Active Directory plug-in is designed with the assumption that more than 40 user record attributes are readable by the computer record that the Mac OS X computer is configured to use. If these attributes are not readable, then Mac OS X may behave unexpectedly.

    More Info

    For a full list of user attributes used by the Active Directory plug-in, administrators should read the Knowledge Base document 107830, which is listed in the References section at the end of this lesson.


  • The plug-in works best with Active Directory deployments that are set up with the pre-Windows 2000 permission style. If you are not sure which permission style was used when your organization's Active Directory deployment was set up, you should coordinate with the Active Directory administrator and inspect the permissions of the attributes the plug-in uses.

  • The Active Directory plug-in makes integrating Mac OS X computers with Active Directory a practical reality, and it greatly simplifies the work that administrators must perform to provide a full Active Directory experience for Mac OS X users. Some of the key Active Directory plug-in features are:

    • LDAP and Kerberos support

    • True SMB home folders

    • MCX support

    • No Active Directory schema modifications




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
