Information access control – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 124, Chapter 3
• A non-Apple LDAP server can be used to validate the password.
Clients needing password validation, such as login window and the AFP server, call Mac OS X
directory services. Directory services determine from the user’s account how to validate the
password.
• Directory services can validate a password against the value stored in the account, or by interacting with the
Password Server or a remote LDAP directory server (using LDAP bind authentication).
• If a Kerberos server is used to validate a user, when the user accesses a Kerberized client,
such as Mac OS X AFP or mail, the client interacts directly with the Kerberos server to
validate the user. Then the client interacts with directory services to retrieve the user’s
record for other information it needs, such as the user ID (UID) or primary group ID.
Information Access Control
All directories (folders) and files on Mac OS X computers have access privileges for the file’s
owner, a group, and everyone else.
Mac OS X uses a particular data item in a user’s account—the UID—to keep track of directory
and file access privileges.
[Figure: password validation paths. Components shown: directory services, Password Server, Kerberos server, directory server, user account. Callouts: “Password provided can be validated using value stored in account.” “Password can also be validated using value stored on another server on the network.”]
[Figure: access privileges for a file named MyDoc. Owner 127 can: Read & Write. Group 2017 can: Read only. Everyone else can: None.]
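The owner/group/everyone-else rule described above, worked through on the MyDoc privileges from the figure. This is an added illustration, not code from the Apple guide; the FileRecord and UserAccount classes and the accounts alice, bob, carol and dupe are constructed stand-ins for the file's mode and for the UID and group fields directory services return. It also shows why UID uniqueness matters: the comparison is on the numeric UID, so an account from another directory domain that happens to carry UID 127 is treated as the file's owner.

```python
from dataclasses import dataclass

READ, WRITE = 4, 2  # POSIX permission bits; one set each for owner, group, everyone else

@dataclass(frozen=True)
class FileRecord:  # ownership and mode of one file (constructed stand-in)
    name: str
    owner_uid: int
    group_gid: int
    owner_bits: int
    group_bits: int
    other_bits: int

@dataclass(frozen=True)
class UserAccount:  # the account fields directory services return that matter here
    short_name: str
    uid: int
    primary_gid: int
    other_gids: frozenset = frozenset()

def access_class(user: UserAccount, f: FileRecord) -> str:
    """Owner match wins, then any group match, else 'everyone else'.
    Only numeric IDs are compared; the account name plays no part."""
    if user.uid == f.owner_uid:
        return "owner"
    if f.group_gid == user.primary_gid or f.group_gid in user.other_gids:
        return "group"
    return "everyone"

def effective_bits(user: UserAccount, f: FileRecord) -> int:
    """The bit set that governs this user's access to the file."""
    return {"owner": f.owner_bits, "group": f.group_bits,
            "everyone": f.other_bits}[access_class(user, f)]

def describe(bits: int) -> str:
    """Privilege labels as the guide prints them."""
    if bits & READ and bits & WRITE:
        return "Read & Write"
    return "Read only" if bits & READ else ("Write only" if bits & WRITE else "None")

# The file in the figure: owner 127 Read & Write, group 2017 Read only, everyone else None.
MYDOC = FileRecord("MyDoc", 127, 2017, READ | WRITE, READ, 0)

# Constructed accounts. 'dupe' has a different name but the same UID as the owner, as can
# happen when two directory domains assign UIDs independently: it is treated as the owner.
ALICE = UserAccount("alice", 127, 2017)
BOB = UserAccount("bob", 501, 20, frozenset({2017}))
CAROL = UserAccount("carol", 502, 20)
DUPE = UserAccount("dupe", 127, 20)
```

Calling describe(effective_bits(u, MYDOC)) for each account gives Read & Write for alice and dupe, Read only for bob and None for carol.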