Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 190

Chapter 3
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.
Clients needing password validation, such as login window and the AFP server, call Mac OS X
directory services. Directory services determines from the user’s account how to validate the
password.
• Directory services can validate a password using a value stored in the account, or by
  interacting with the Password Server or a remote LDAP directory server (using LDAP bind
  authentication).
• If a Kerberos server is used to validate a user, when the user accesses a Kerberized client,
  such as the AFP server in the following picture, the client interacts directly with the
  Kerberos server to validate the user. Then the client interacts with directory services to
  retrieve the user’s record for other information it needs, such as the UID or primary
  group ID.
See “The Authentication Authority Attribute” on page 192 for information about the attribute
in a user’s account that indicates how to validate a particular user’s password.
[Figure: password validation. Login window, Telnet and SSH, the AFP file server, and the Mac OS X lock icon rely on directory services and the user account. The password provided can be validated using a value stored in the account, or using a value stored on another server on the network: the Password Server, Kerberos server, or directory server.]
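
The LDAP bind authentication mentioned above, as an added example that is not from the Apple manual: a password check that encodes an LDAPv3 simple bind request and reads the result code from the reply. The `exchange` transport callable, the sample DN and password, and the canned server replies are assumptions constructed for illustration; the check refuses empty passwords because a simple bind with an empty password is an unauthenticated bind that a server may report as successful.

```python
# Added illustration: LDAPv3 simple bind as a password check (RFC 4511 encoding).
# Sample DN, password and canned replies are constructed; send over TLS in practice.

def _tlv(tag, body):
    """BER tag-length-value, definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID (1..127), BindRequest { version 3, name, simple } }."""
    body = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def bind_result(reply):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read(reply, 0)         # LDAPMessage SEQUENCE
    _, _, pos = _read(msg, 0)           # skip messageID
    tag, resp, _ = _read(msg, pos)      # BindResponse [APPLICATION 1]
    code_tag, code, _ = _read(resp, 0)  # resultCode ENUMERATED
    if tag != 0x61 or code_tag != 0x0A:
        raise ValueError("not a BindResponse")
    return int.from_bytes(code, "big")

def validate_password(dn, password, exchange):
    """True only when the server accepts a bind as dn with a non-empty password."""
    if not dn or not password:
        return False  # empty password would be an unauthenticated bind (RFC 4513 5.1.2)
    return bind_result(exchange(bind_request(1, dn, password))) == 0

OK = bytes.fromhex("300c02010161070a010004000400")   # constructed reply: success
BAD = bytes.fromhex("300c02010161070a013104000400")  # constructed reply: code 49

def sample_server(request):
    """Constructed stand-in that, like some servers, also accepts an empty password."""
    good = request.endswith(_tlv(0x80, b"s3cret")) or request.endswith(b"\x80\x00")
    return OK if good else BAD

DN = "uid=anne,cn=users,dc=example,dc=com"  # constructed sample DN
```

Without the empty-password guard, `sample_server` would answer the empty-password bind with success and the caller would treat the user as validated.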