Apple Mac OS X Server Command-Line Specifications Page 72
- Page / 295
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
Open Directory Security
With Mac OS X Server, a server with a shared LDAP directory domain also provides
Open Directory authentication.
It is important to protect the authentication data stored by Open Directory. This
authentication data includes the Open Directory Password Server database and the
Kerberos database, which must also be protected. Therefore, make sure an Open
Directory master and all Open Directory replicas are secure by following these
guidelines:
Keep your server behind a locked door, and always log it out. Physical security of a Â
server that is an Open Directory master or replica is paramount.
Secure the media you use to back up an Open Directory Password Server database Â
and a Kerberos database. Having your Open Directory servers behind locked doors
won’t protect a backup tape that you leave on your desk.
Do not use a server that is an Open Directory master or replica to provide other Â
services. If you can’t dedicate servers to be Open Directory masters and replicas,
minimize the number of services they provide.
One of the other services could have a security breach that gives someone access
to the Kerberos or Open Directory Password Server databases. Dedicating servers to
provide Open Directory services is an optimal practice but is not required.
Set up service access control lists (SACLs) for the login window and secure shell Â
(SSH) to limit who can log in to an Open Directory master or replica.
Avoid using a RAID volume that’s shared with other computers as the startup Â
volume of a server that is an Open Directory master or replica. A security breach
on one of the other computers could jeopardize the security of the Open Directory
authentication information.
Set up the rewall service to block all ports except those listed here for directory, Â
authentication, and administration protocols:
Open Directory Password Server uses ports 106 and 3659. Â
The Kerberos KDC uses TCP/UDP port 88, and TCP/UDP port 749 is used for Â
Kerberos administration.
The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP Â
port 636 for an SSL connection.
When creating an Open Directory replica, keep port 22 open between the master Â
and prospective replica. This port is used for SSH data transfer, which is used to
transfer a complete, up-to-date copy of the LDAP database. After initial replica
setup, only the LDAP port (389 or 636) is used for replication.
Workgroup Manager uses TCP port 311 and 625. Â
Server Admin uses TCP port 311. Â
SMB uses TCP/UDP ports 137, 138, 139, and 445. Â
72 Chapter 4 Open Directory Planning and Management Tools
- Mac OS X Server 1
- Contents 3
- 4 Contents 4
- Contents 5 5
- 6 Contents 6
- Contents 7 7
- 8 Contents 8
- Contents 9 9
- 10 Contents 10
- About This Guide 11
- What’s in This Guide 12
- Using Onscreen Help 13
- Documentation Map 14
- Viewing PDF Guides Onscreen 15
- Printing PDF Guides 15
- Getting Documentation Updates 15
- Directory Services with Open 17
- Directory 17
- A Historical Perspective 19
- Data Distribution 21
- Uses of Directory Data 22
- Access to Directory Services 23
- Inside a Directory Domain 23
- Search Policy Levels 31
- Two-Level Search Policies 32
- Multilevel Search Policies 33
- Automatic Search Policies 34
- Custom Search Policies 36
- Open Directory Authentication 37
- About Shadow Passwords 39
- About Crypt Passwords 39
- Oine Attacks on Passwords 40
- About Password Policies 42
- About Kerberos Authentication 43
- Single Sign-On Experience 45
- Secure Authentication 45
- Moving Beyond Passwords 46
- Multiplatform Authentication 47
- Centralized Authentication 47
- About Kerberized Services 47
- LDAP Bind Authentication 54
- Open Directory Planning and 55
- Management Tools 55
- Replica Sets 61
- Cascading Replication 61
- Replica Services 65
- Open Directory Security 72
- Server Admin 74
- Directory Utility 75
- Workgroup Manager 76
- Command-Line Tools 76
- Setting Up Open Directory 77
- Before You Begin 78
- Turning Open Directory On 79
- OF.KERBEROSREALM 99
- Managing User Authentication 104
- Using Workgroup Manager 104
- Composing a Password 105
- Changing a User’s Password 105
- Passwords 114
- Authentication 115
- Accounts Preferences 119
- Automated Client Conguration 120
- About Active Directory Access 158
- Attribute 167
- Directory Attribute 168
- Directory Forest 170
- Specifying NIS Settings 174
- Maintaining Open Directory 177
- Services 177
- Monitoring Open Directory 180
- Deleting Records 184
- Changing a User’s Short Name 185
- Importing Records of Any Type 186
- Parameter Description 198
- The path to the archive le 198
- Managing OpenLDAP 199
- Idle Rebinding Options 200
- Searching the LDAP Server 201
- Using LDIF Files 204
- Maintaining Kerberos 205
- Managing Principals 206
- Using Directory Service Tools 208
- Command-Line Parameters for 218
- Open Directory 218
- Â slap 219
- Â ldap 219
- Mac OS X Directory Data 220
- Group Auxiliary Object Class 223
- Mount Object Class 224
- Printer Object Class 224
- Computer Object Class 225
- ComputerList Object Class 225
- Conguration Object Class 226
- Preset Computer Object Class 226
- Preset Group Object Class 227
- Preset User Object Class 228
- Location Object Class 229
- Service Object Class 229
- Neighborhood Object Class 229
- ACL Object Class 230
- Resource Object Class 230
- Augment Object Class 230
- Automount Map Object Class 230
- Machine Attributes 241
- Active Directory 253
- Attribute Mappings for Users 254
- Mappings for Groups 258
- Mappings for Mounts 259
- Mappings for Computers 260
- Mappings for ComputerLists 262
- Mappings for Cong 263
- Attribute Mappings for Cong 264
- Mappings for People 265
- Mappings for PresetGroups 267
- Mappings for PresetUsers 268
- Mappings for Printers 270
- Mappings for AutoServerSetup 272
- Mappings for Locations 272
- Â ShadowHash; 276
- Index 287 287
- 288 Index 288
- Index 289 289
- 290 Index 290
- Index 291 291
- 292 Index 292
- Index 293 293
- 294 Index 294
- Index 295 295
Related products and manuals for Servers Apple Mac OS X Server Command-Line
Servers Apple QuickTime User's Guide
(50 pages)
(50 pages)
Servers Apple QuickTime Specifications
(28 pages)
(28 pages)
Servers Apple Workgroup 9120 User Manual
(20 pages)
(20 pages)
Servers Apple Darwin User Manual
(7 pages)
(7 pages)
Servers Apple Xserve RAID Specifications
(25 pages)
(25 pages)
Servers Apple Darwin User Manual
(68 pages)
(68 pages)
Servers Apple MAC PRO 3X108 User Manual
(48 pages)
(48 pages)
© 2020, manymanuals.com. All rights reserved. | 2.298 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals