What You ve Learned

What You've Learned

• Apple has addressed some of the major difficulties associated with creating a KDC on Mac OS X Server.

• The processes associated with the KDC are krb5kdc and kadmind.

• The role of Password Server is to permit authentication of non-Kerberized services.

• The main process for Password Server is PasswordService and is launched at startup by launchd.

• The main files used by Password Server are located in /private/var/db/authserver and are authservermain and authserverreplicas.

• You retrieve a user's Password Server ID from the user record.

• The slapconfig process logs verbosely to /Library/Logs/slapconfig.log.

References

Administration Guides

"Mac OS X Server Open Directory Administration": http://images.apple.com/server/pdfs/Open_Directory_v10.4.pdf

"Mac OS X Server Command-Line Administration": http://images.apple.com/server/pdfs/Command_Line_v10.4.pdf

Apple Knowledge Base Documents

The following Knowledge Base documents (located at www.apple.com/support) provide further information on Kerberos authentication.

Document 301339, "Mac OS X Server: Open Directory Master requires proper DNS for KDC to work"

Document 107702, "Mac OS X Server 10.3 or later: Kerberos authentication may not work after changing to LDAP master or replica, or Kerberizing a particular service"

Document 107289, "Mac OS X Server: Some Features Require Use of the Password Server"

Books

Carter, Gerald. LDAP System Administration (O'Reilly, 2003).

URLs

Kerberos: The Network Authentication Protocol: http://web.mit.edu/kerberos/www/

Kerberos: www.ietf.org/rfc/rfc1510.txt

SASL: www.ietf.org/rfc/rfc2222.txt