Apple Mac OS X 10.4 Manual
Chapter 4
Securing Accounts
In addition to enabling and disabling services, you can use Directory Access to choose
the directory domains that you want to authenticate with. Directory Access defines the
authentication search policy that Mac OS X uses to locate and retrieve user
authentication information and other administrative data from directory domains.
The login window, Finder, and other parts of Mac OS X use this authentication
information and administrative data. File service, mail service, and other services
provided by Mac OS X Server also use this information.
Directory Access also defines the contacts search policy that Mac OS X uses to locate
and retrieve name, address, and other contact information from directory domains.
Address Book can use this contact information, and other applications can be
programmed to use it as well.
The authentication and contacts search policy consists of a list of directory domains
(also known as directory nodes). The order of directory domains in the list defines the
search policy. Starting at the top of the list, Mac OS X searches each listed directory
domain in turn until it either finds the information it needs or reaches the end of the
list without finding the information.
For more information about using Directory Access, see the Open Directory
administration guide.
Configuring LDAPv3 Access
Mac OS X version 10.4 primarily uses Open Directory as its network-based directory
domain. Open Directory uses LDAPv3 as its connection protocol. LDAPv3 includes
several security features that you should enable if your server supports them. Enabling
every LDAPv3 security feature maximizes your LDAPv3 security. Check with your
network administrator to make sure your settings match your network’s required
settings.
When configuring LDAPv3, you should not add DHCP-supplied LDAP servers to
automatic search policies. Otherwise, a malicious individual can create a rogue DHCP
server and a rogue LDAP directory and then control your computer as the root user.
For information about changing the security policy for an LDAP connection, or about
protecting computers from malicious DHCP servers, see the Open Directory
administration guide.
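The following added example (not part of the original manual) audits a search policy for LDAP directory nodes that the administrator did not configure, which is what a DHCP-supplied server would look like in an automatic search policy. It assumes input shaped like the output of `dscl /Search -read /`; the sample text, host names, addresses, and the approved-server list are constructed for illustration.

```python
# Added example, not from the manual. The input format is an assumption
# modelled on `dscl /Search -read /`; host names and addresses are constructed.
SAMPLE = """\
NSPSearchPath: /NetInfo/DefaultLocalNode /LDAPv3/10.0.0.53
CSPSearchPath: /NetInfo/DefaultLocalNode /LDAPv3/od.example.com
LSPSearchPath: /NetInfo/DefaultLocalNode
SearchPolicy: dsAttrTypeStandard:NSPSearchPath
"""

POLICIES = {"NSPSearchPath": "automatic",
            "LSPSearchPath": "local",
            "CSPSearchPath": "custom"}
LDAP_PREFIX = "/LDAPv3/"


def parse(text):
    """Return {attribute: [values]} from 'Key: value value' lines."""
    attrs = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key.strip():
            attrs[key.strip()] = rest.split()
    return attrs


def audit(text, approved_ldap):
    """Return (policy, active search path, findings) for the active policy."""
    attrs = parse(text)
    selector = (attrs.get("SearchPolicy") or [""])[0].split(":")[-1]
    policy = POLICIES.get(selector, "unknown")
    path = attrs.get(selector, []) if policy != "unknown" else []
    findings = []
    if policy == "unknown":
        findings.append("search policy could not be determined")
    if policy == "automatic":
        findings.append("automatic policy in use: confirm DHCP-supplied "
                        "LDAP servers are not added to it")
    # Nodes are searched top to bottom, so report each node's position.
    for position, node in enumerate(path, start=1):
        if node.startswith(LDAP_PREFIX) and node[len(LDAP_PREFIX):] not in approved_ldap:
            findings.append(f"unapproved LDAP node at position {position}: {node}")
    return policy, path, findings


if __name__ == "__main__":
    policy, path, findings = audit(SAMPLE, approved_ldap={"od.example.com"})
    print(policy, path)
    for finding in findings:
        print("FINDING:", finding)
```

Node paths that contain spaces are not handled by this parser.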