Lesson 8. Providing Single Sign-on Authentication

Time

This lesson takes approximately 2 hours to complete.

Goals

Learn to identify the files used by the Kerberos service running on a Mac OS X server

Use the kdb5_util command to export and import data to and from the KDC database on a Mac OS X server

Use kadmin.local command-line utilities to manage Kerberos running on a Mac OS X server computer

Use klist to determine what encryption method was used to generate keytab files on a Mac OS X server

Use Workgroup Manager to configure password policies enforced by Password Server running on a Mac OS X server


This lesson focuses on Mac OS X Server's single sign-on (SSO) architecture with an eye toward authentication, the process of proving you are who you say you are. Specifically, it looks at authentication as provided by MIT's Kerberos distribution and the Simple Authentication and Security Layer (SASL). These complex open-source components are simplified with Apple's configuration tools. Without harming their standards-compliant nature, these disparate systems are integrated into a smoothly functioning whole that's equally comfortable at the center of directory services and as a platform-specific component of a larger system.

The SSO architecture is made up of three open-source components:

  • LDAPv3 (OpenLDAP)

  • Kerberos (MIT key distribution center)

  • SASL (via Password Server)

Open Directory offers these identification and authentication services to both Mac OS X and other heterogeneous clients. Building on the previous lesson dealing with Lightweight Directory Access Protocol (LDAP), this lesson focuses on Kerberos and Password Server.




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
