Like other third-party directory servers, Active Directory does not include Mac OS X-specific attributes unless its schema is modified. Through discussions with the server administrator, you need to determine the appropriate approach: either modifying the Active Directory schema or configuring a supplemental server.

MCX Records Can Be Stored in Active Directory

Being able to log in to Active Directory from Mac OS X is adequate integration for many organizations. However, others may also wish to use the Apple Managed Client for X (MCX) technology to further enhance their Active Directory user experience. One way of supporting MCX on Mac OS X for Active Directory accounts is to modify the existing Active Directory schema so that it incorporates Apple's MCX schema attributes. The administrator then needs to create and populate all the MCX user, group, and computer records with functional data.
More Info: Apple Professional Services has the ability to modify the Active Directory schema to include these and other Mac OS X-specific attributes. Please refer to the References at the end of this lesson.

Administrators using the Active Directory plug-in can deploy MCX in their Active Directory schema whenever they choose without thought to client configuration. If the Active Directory schema has been extended to include Mac OS X record types (object classes) and attributes, the Active Directory plug-in detects and accesses them automatically. This schema modification enables the Active Directory plug-in to support managed client settings (MCX) made using Workgroup Manager.

Note: Mac OS X clients assume full read access to attributes that are added to the directory. Therefore, it may be necessary to modify the ACL of those attributes to allow computer lists to read these added attributes.

Integrating MCX, Active Directory, and Open Directory

Instead of merging the Apple schema with that of Active Directory, you can host MCX directory content on a separate Open Directory server. Configuring a Mac OS X computer to use this setup is relatively simple. In Directory Access, administrators just need to add an LDAP configuration for the Open Directory server in addition to their Active Directory configuration, which will work for both the Active Directory plug-in and the LDAPv3 plug-in. It also lets you use Workgroup Manager to create MCX workgroup and computer lists. The biggest drawback is that administrators forfeit their ability to manage individual users; users will need to be managed by group or computer. Still, it's usually more than acceptable, since the more users you have, the more time consuming it is to manage them individually.

Startup

Understanding the big picture is an important part of being able to effectively troubleshoot a problem.
In the following figure, you can see what happens at startup with a Mac OS X computer that has been configured to use the Active Directory plug-in for user records and the LDAPv3 plug-in for MCX settings.
User Authentication

The following figure shows the process of user authentication:
MCX and Home Directory

Now that the user has been verified, the following figure shows what happens next:
Other Binding Considerations

Administrators will want to consider some final details prior to deploying Mac OS X with the Active Directory plug-in: