Identification and Authorization


Once you have configured your Mac OS X computer to bind to an LDAP directory on Mac OS X Server and authenticate using Kerberos, the following process takes place when a user logs in at the Login Window:


  1. A user enters (or chooses) an account name, enters a password, and clicks Log In.

    By logging in, a user is proposing an identity and a means of authenticating that identity.

  2. Login Window makes a request for the values of RecordName and AuthenticationAuthority through DirectoryService.

  3. DirectoryService checks the local NetInfo database first (using the NetInfo plug-in).

    If the record is not found in the local NetInfo database, DirectoryService makes queries through the next configured plug-in, in this case the LDAPv3 plug-in.

  4. The LDAPv3 plug-in makes a request to the LDAP process on the server, remapping RecordName to uid and cn, and AuthenticationAuthority to authAuthority. This mapping is what allows users to log in with either their short name or their long name.

  5. If the entries are found, the values for uid and authAuthority are returned to Login Window.

    Since one of the values is ApplePasswordServer, DirectoryService authenticates the user against the password server on Mac OS X Server.

  6. Since the other value is Kerberosv5, Login Window verifies the entered password against the KDC so that a TGT is sent back to the user.
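The following is an added model of the lookup path just described, not code from the book or from Apple: plug-ins are searched in configured order (local NetInfo first), the LDAPv3 node remaps RecordName to uid and cn and AuthenticationAuthority to authAuthority, and the ";Tag;data" authority values decide how the password is verified. All records and authAuthority strings are constructed sample data, and the ShadowHash local account is an assumed example.

```python
# Added model of DirectoryService's lookup order and attribute remapping.
# Records and authAuthority strings are constructed sample data.
from dataclasses import dataclass

RECORD_NAME = "RecordName"                 # standard names Login Window asks for
AUTH_AUTHORITY = "AuthenticationAuthority"


@dataclass
class Node:
    """One DirectoryService plug-in: its records plus the map from standard
    attribute names to the attribute names that node actually stores."""
    name: str
    records: list
    attr_map: dict

    def find(self, record_name):
        """Return the record keyed by standard names, or None if absent.
        Matching every mapped name (uid and cn for LDAPv3) is what lets a
        user log in with either the short or the long name."""
        for rec in self.records:
            names = [v for a in self.attr_map[RECORD_NAME] for v in rec.get(a, [])]
            if record_name in names:
                return {std: [v for a in native for v in rec.get(a, [])]
                        for std, native in self.attr_map.items()}
        return None


def lookup(nodes, record_name):
    """Search plug-ins in configured order; the first node with a hit wins,
    so a local record shadows a directory record of the same name."""
    for node in nodes:
        rec = node.find(record_name)
        if rec is not None:
            return node.name, rec
    return None, None


def auth_tags(record):
    """Each AuthenticationAuthority value is ';Tag;data'; the tag
    (ApplePasswordServer, Kerberosv5, ...) selects the verification path."""
    return [v.split(";")[1] for v in record.get(AUTH_AUTHORITY, []) if v.startswith(";")]


def login(nodes, record_name):
    """Return (node that answered, authentication tags Login Window must apply)."""
    node, rec = lookup(nodes, record_name)
    return node, (auth_tags(rec) if rec else [])


IDENTITY = {RECORD_NAME: [RECORD_NAME], AUTH_AUTHORITY: [AUTH_AUTHORITY]}
LOCAL = Node("NetInfo", [{RECORD_NAME: ["admin"], AUTH_AUTHORITY: [";ShadowHash;"]}], IDENTITY)
LDAP = Node("LDAPv3", [{"uid": ["rex"], "cn": ["Robin Example"],
                        "authAuthority": [";ApplePasswordServer;0xSAMPLEID,samplekey 10.0.0.5:3659",
                                          ";Kerberosv5;;rex@EXAMPLE.COM;EXAMPLE.COM;"]}],
            {RECORD_NAME: ["uid", "cn"], AUTH_AUTHORITY: ["authAuthority"]})
```

Because the local node is consulted first, a local account whose name collides with a directory account is the one that authenticates; checking which node answered is the quickest way to explain unexpected login behaviour on a bound client.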




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
