Apple 10.5 Leopard Model Vehicle User Manual


 
Chapter 10 Managing Preferences
When enabling the use of login and logout scripts, you can set a trust value for the
client. Trust values determine the required level of authentication before a client trusts
a server enough to run its scripts. Most trust values directly correlate to LDAP security
policy settings that are configured in Directory Utility.
The trust value of DHCP doesn’t correlate to a security policy. Instead, it correlates to
whether Directory Utility is configured to use a DHCP-supplied LDAP server. The trust
value of Authenticated requires that you set up trusted binding to an LDAP directory.
For more information about how to use Directory Utility to enable LDAP security
policies, using DHCP-supplied LDAP, or setting up trusted binding, see Open Directory
Administration.
The following table lists valid trust values and describes their requirements. The table is
arranged in order of increasing trust, where the last entry requires the highest level of
trust.
To set the minimum required trust level, set the MCXScriptTrust client setting:
• If the client’s MCXScriptTrust setting is a level of trust equal to or less than the trust
  value, the client trusts the server and runs its login and logout scripts.
• If the client’s MCXScriptTrust setting is a level of trust more than the trust value, the
  client doesn’t trust the server and doesn’t run its scripts.
The default trust value is FullTrust.
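The comparison described above can be modeled to audit which clients would run server-supplied scripts and which have had their minimum lowered. This is an added example, not Apple's code: the policy flag names, the host names, the inventory, and the rule that the highest satisfied table entry is the connection's trust value are all assumptions made for illustration.

```python
# Added example: a constructed model of the trust check described above.
# Ordered from least to most trust, as in the page's table.
TRUST_ORDER = ["Anonymous", "DHCP", "Encryption", "Authenticated",
               "PartialTrust", "FullTrust"]
DEFAULT_TRUST = "FullTrust"  # default stated on the page

def achieved_trust(policy):
    """Highest table entry whose requirement the directory binding meets.
    Assumption: the policy flag names are hypothetical, and the highest
    satisfied entry is taken as the connection's trust value."""
    if policy.get("block_mitm") and policy.get("sign_packets"):
        return "FullTrust"
    if policy.get("sign_packets"):
        return "PartialTrust"
    if policy.get("trusted_binding"):
        return "Authenticated"
    if policy.get("encrypt_packets"):
        return "Encryption"
    if policy.get("dhcp_supplied_ldap"):
        return "DHCP"
    return "Anonymous"

def runs_scripts(mcx_script_trust, policy):
    """True if the client would trust the server enough to run its scripts."""
    required = mcx_script_trust or DEFAULT_TRUST
    if required not in TRUST_ORDER:
        return False  # assumption: this model rejects unknown values
    return TRUST_ORDER.index(required) <= TRUST_ORDER.index(achieved_trust(policy))

def audit(inventory):
    """Return (host, note) for clients that skip scripts or lowered the minimum."""
    findings = []
    for host, setting, policy in inventory:
        required, got = setting or DEFAULT_TRUST, achieved_trust(policy)
        if not runs_scripts(setting, policy):
            findings.append((host, f"scripts not run: needs {required}, has {got}"))
        elif required != DEFAULT_TRUST:
            findings.append((host, f"minimum lowered to {required}; runs over {got}"))
    return findings

# Constructed inventory: (host, MCXScriptTrust or None if unset, binding policy)
SAMPLE = [
    ("lab-01", None, {"block_mitm": True, "sign_packets": True}),
    ("lab-02", "PartialTrust", {"sign_packets": True}),
    ("lab-03", None, {"sign_packets": True}),
    ("lab-04", "Anonymous", {}),
]

if __name__ == "__main__":
    for host, note in audit(SAMPLE):
        print(host, "-", note)
```

In the sample, lab-03 shows the case the table calls out: a binding that only signs packets reaches PartialTrust, so a client left at the default of FullTrust does not run scripts.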
To enable the use of login or logout scripts:
1 Log in to the user’s computer locally or use Apple Remote Desktop.
2 Open the Sharing pane of System Preferences.
3 Click the lock to authenticate, and enter the name of a local or domain administrator.
Trust value name    Requirements
Anonymous           The client trusts any directory domain server.
DHCP                In Directory Utility, select “Add DHCP-supplied LDAP servers to
                    automatic search policies.”
Encryption          In Directory Utility, select “Encrypt all packets (requires SSL or
                    Kerberos).”
Authenticated       Set up trusted binding between the client computer and the LDAP
                    directory.
PartialTrust        In Directory Utility, select “Digitally sign all packets (requires
                    Kerberos).” Most Active Directory nodes support PartialTrust but
                    not FullTrust.
FullTrust           In Directory Utility, select “Block man-in-the-middle attacks
                    (requires Kerberos)” and “Digitally sign all packets (requires
                    Kerberos).”