3.1 Configuring the Mandatory Settings

The following are the mandatory settings for the Mac OS Client:

3.1.1 Setting-up a DNS for Advanced Authentication Server Discovery

You can configure a DNS to allow the Mac OS X Client to discover and connect with the Advanced Authentication server through the DNS.

To configure the DNS for server discovery, perform the following tasks:

Adding a Host in DNS

  1. Click Start > Administrative Tools > DNS to open the DNS Manager.

  2. Perform the following steps to add a host (A or AAAA) record and a PTR record:

    1. Under Forward Lookup Zones in the console tree, right-click your domain name and click New Host (A or AAAA).

    2. Specify a DNS name for the Advanced Authentication server in Name.

    3. Specify the IP address for the Advanced Authentication server in IP address.

      You can specify the address in IP version 4 (IPv4) format (to add a host (A) resource record) or IP version 6 (IPv6) format (to add a host (AAAA) resource record).

    4. Select Create associated pointer (PTR) record to create an additional pointer (PTR) resource record in a reverse zone for this host, using the details that you have provided in Name and IP address.

Adding an SRV Record

For best load balancing, it is recommended to perform the following actions only for Advanced Authentication web servers. You need not create the records for Global Master, DB Master, and DB servers.

NOTE: Ensure that the LDAP SRV record exists in the DNS server. If the record is not available, you must add it manually.

Adding an SRV Record from a Primary Advanced Authentication Site

To add an SRV record for the Advanced Authentication servers from a primary Advanced Authentication site (a site with the Global Master server), perform the following steps:

  1. Right-click on a node with the domain name and click Other New Records in the Forward Lookup Zones of the console tree.

  2. Select Service Location (SRV) from Select a resource record type.

  3. Click Create Record.

  4. Specify _aav6 in Service of the New Resource Record dialog box.

  5. Specify _tcp in Protocol.

  6. Specify 443 in Port Number.

  7. Specify the Fully Qualified Domain Name (FQDN) of the server that is added in Host offering this service. For example, authsrv.mycompany.com.service.

  8. Click OK.

Adding an SRV Record from Other Advanced Authentication Sites

  1. Expand the preferred domain name node and select _sites in the Forward Lookup Zones of the console tree.

  2. Right-click on the preferred site name and click Other New Records.

  3. Select Service Location (SRV) from Select a resource record type.

  4. Click Create Record.

  5. Specify _aav6 in Service of New Resource Record dialog box.

  6. Specify _tcp in Protocol.

  7. Specify 443 in Port Number.

  8. Specify the FQDN of the server that is added in Host offering this service. For example, authsrv.mycompany.com.

  9. Click OK.

You must add a host and the SRV records in DNS for all the authentication servers. The Priority and Weight values for different servers may vary.

DNS Server Entries

An SRV record on the DNS server consists of the following elements, in this order:

  _service._proto.name TTL class SRV priority weight port target

The following table defines these elements present in an SRV record.

Element                               Description

Service                               Symbolic name of an applicable service.
Protocol                              Transport protocol of an applicable service. Typically, TCP or UDP.
Name                                  Domain name for which this record is valid. It ends with a dot.
TTL                                   Standard DNS time to live field.
Class                                 Standard DNS class field (set as IN, by default).
Priority                              Priority of the target host. The lower the value, the higher the priority.
Weight                                A relative weight for records with the same priority. The higher the value, the higher the priority among those records.
Port number                           TCP or UDP port on which the service is located.
Target (Host offering this service)   Canonical hostname of the machine providing the service. It ends with a dot.
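As an added example (not code from the product documentation), the following Python module parses SRV records in the zone-file form shown above, checks that a set of records created by the steps in this section carries the expected service name (_aav6._tcp) and port (443), and orders the targets the way an RFC 2782 client does: lowest priority value first, then weighted random selection among records of equal priority. The zone lines, host names, TTLs and weights are constructed for the example; only the service name and port come from this section.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV record, field for field as in the zone-file form:
    _service._proto.name TTL class SRV priority weight port target"""
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse a zone-file style SRV line; raise ValueError on anything else."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _rtype, prio, weight, port, target = fields
    if not (name.endswith(".") and target.endswith(".")):
        raise ValueError("name and target must be fully qualified (end with a dot)")
    return SrvRecord(name, int(ttl), int(prio), int(weight), int(port), target)


def check_records(records, service="_aav6._tcp.", port=443):
    """Sanity checks for the records the steps above should produce. Returns a
    list of human-readable problems; an empty list means the set looks right."""
    problems = []
    for r in records:
        if not r.name.startswith(service):
            problems.append(f"{r.target}: name {r.name} is not under {service}")
        if r.port != port:
            problems.append(f"{r.target}: port {r.port}, expected {port}")
        if r.priority < 0 or r.weight < 0 or not 0 < r.port < 65536:
            problems.append(f"{r.target}: priority/weight/port out of range")
    return problems


def _pick_weighted(pool, rng):
    """RFC 2782 weighted choice within one priority: zero-weight records are
    ordered first, a number in [0, sum(weights)] is drawn, and the first record
    whose running weight sum reaches the draw is taken out of the pool."""
    pool.sort(key=lambda r: r.weight != 0)  # stable sort, zero weights first
    total = sum(r.weight for r in pool)
    draw = rng.randint(0, total)
    running = 0
    for r in pool:
        running += r.weight
        if running >= draw:
            pool.remove(r)
            return r
    raise AssertionError("unreachable: the running sum always reaches the draw")


def order_targets(records, seed=None):
    """Return the records in the order a client should try them: lowest
    priority value first and, within equal priority, by weighted random
    selection, so larger weights come first proportionally more often."""
    rng = random.Random(seed)
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            ordered.append(_pick_weighted(pool, rng))
    return ordered


# Constructed sample records (not from any real zone): two web servers share
# priority 0 with a 60/40 weight split; a third is a lower-priority fallback.
SAMPLE_ZONE = """\
_aav6._tcp.mycompany.com. 3600 IN SRV 0 60 443 authsrv1.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 0 40 443 authsrv2.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 10 0 443 authsrv3.mycompany.com.
"""

SAMPLE_RECORDS = [parse_srv_line(l) for l in SAMPLE_ZONE.splitlines() if l.strip()]

if __name__ == "__main__":
    print("problems:", check_records(SAMPLE_RECORDS))
    for r in order_targets(SAMPLE_RECORDS, seed=1):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

Running the module prints one try order for the sample: authsrv1 and authsrv2 in a weighted random order, and authsrv3 always last because its priority value is higher. Feeding it the output of a dig or nslookup query for _aav6._tcp.<domain> is a quick way to confirm that every web server was given a record, that all of them point at port 443, and that no record for a Global Master, DB Master or DB server slipped in.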

Authentication Server Discovery Flow

The following diagram illustrates the server discovery workflow.

Configuring Authentication Server Discovery in Client

You can configure server discovery in the Mac OS Client by using the following parameters in the aucore_login.conf file that is located in the /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/ path:

Parameter                         Description

discovery.Domain                  DNS name of the domain.
discovery.host                    DNS name or IP address of an Advanced Authentication server.
discovery.port                    Port number for the client-server interaction.
discovery.subDomains              Additional sub-domains, separated by semicolons.
discovery.useOwnSite              Set the value to True to use the local site.
discovery.dnsTimeout              Timeout for the DNS queries. The default value is 3 seconds.
discovery.connectTimeout          Timeout for the Advanced Authentication server response. The default value is 2 seconds.
discovery.resolveAddr             Set the value to False to skip resolving the DNS. By default, the value is set to True for the Mac OS Client.
discovery.wakeupTimeout           Timeout after the system starts or resumes from sleep. The default value is 10 seconds.
discovery.skipAlreadyTriedPeriod  The period for which the Mac OS Client stops searching for the server after an unsuccessful search attempt. The default value is 5 minutes, after which the Client switches back to the online mode.
                                  During background operations (for example, policy updates), if the cache determines that the server is available, the set period can be reduced.

3.1.2 Using a Specific Advanced Authentication Server in the Non-DNS Mode

You can achieve the following requirements with this setting:

  • Enforce a connection for a specific workstation where DNS is not available.

  • Override a domain-based entry for a specific workstation and use the settings specified in the aucore_login.conf file instead.

To configure Mac OS X Client to discover a specific Advanced Authentication server without a DNS, perform the following steps:

  1. Navigate to /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/ and open the aucore_login.conf file.

  2. Specify discovery.host: <IP_address|domain_name>.

    For example, discovery.host: 192.168.20.40 or discovery.host: auth2.mycompany.local.

    If the configuration file does not exist, create a new file.

  3. (Optional) Specify discovery.port = <portnumber> to configure the port number for the Client-server communication.

  4. Restart the operating system.

NOTE: For the Mac OS logon event, select the OS Logon (local) Event type if you want to use the Mac OS X Client on non-domain-joined workstations.
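To show how the discovery parameters in the table of Section 3.1.1 and the non-DNS override of this section fit together, here is an added Python example that is not the client's own code. It reads a constructed aucore_login.conf in the key: value / key = value form used in the steps above, applies the defaults stated in the parameter table, and produces a discovery plan: when discovery.host is set the plan goes straight to that host (non-DNS mode) and no DNS name is queried; otherwise it lists the _aav6._tcp SRV names to query for the domain and each sub-domain. The 443 fallback for a missing discovery.port, the rejection of unknown parameter names, and the site-specific name (built the way the records under _sites are added in Section 3.1.1, with the site name supplied by the caller) are this example's assumptions; the page does not state a port default or describe how the client learns its site.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Defaults stated in the parameter table. discovery.port has no stated
# default, so 443 (the port used by the SRV records) is an assumption here.
DEFAULTS = {
    "discovery.port": "443",
    "discovery.useOwnSite": "False",
    "discovery.dnsTimeout": "3",
    "discovery.connectTimeout": "2",
    "discovery.resolveAddr": "True",
    "discovery.wakeupTimeout": "10",
}
KNOWN_KEYS = set(DEFAULTS) | {"discovery.Domain", "discovery.host",
                              "discovery.subDomains", "discovery.skipAlreadyTriedPeriod"}

# key, then ':' or '=' (both forms appear in the steps above), then the value
_LINE = re.compile(r"^\s*([A-Za-z.]+)\s*[:=]\s*(.*?)\s*$")


def parse_conf(text: str) -> dict:
    """Parse the file; reject unknown keys so a typo in a parameter name is
    caught instead of silently falling back to DNS discovery."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.groups()
        if key not in KNOWN_KEYS:
            raise ValueError(f"line {lineno}: unknown parameter {key}")
        conf[key] = value
    return conf


def _bool(v: str) -> bool:
    return v.strip().lower() == "true"


@dataclass
class DiscoveryPlan:
    mode: str                          # "direct" (non-DNS mode) or "dns"
    endpoint: Optional[tuple]          # (host, port) in direct mode
    srv_names: list = field(default_factory=list)  # SRV names to query, in order
    dns_timeout: float = 3.0
    connect_timeout: float = 2.0


def plan_discovery(conf: dict, site: Optional[str] = None) -> DiscoveryPlan:
    """discovery.host wins over every DNS setting (non-DNS mode). Otherwise
    query _aav6._tcp under the site (if useOwnSite is True and the caller
    knows the site name; assumed layout), then the domain, then each sub-domain."""
    port = int(conf["discovery.port"])
    dns_t = float(conf["discovery.dnsTimeout"])
    conn_t = float(conf["discovery.connectTimeout"])
    host = conf.get("discovery.host", "").strip()
    if host:
        return DiscoveryPlan("direct", (host, port), [], dns_t, conn_t)
    domain = conf.get("discovery.Domain", "").strip()
    if not domain:
        raise ValueError("neither discovery.host nor discovery.Domain is set")
    names = []
    if _bool(conf["discovery.useOwnSite"]) and site:
        names.append(f"_aav6._tcp.{site}._sites.{domain}")
    names.append(f"_aav6._tcp.{domain}")
    for sub in conf.get("discovery.subDomains", "").split(";"):
        if sub.strip():
            names.append(f"_aav6._tcp.{sub.strip()}")
    return DiscoveryPlan("dns", None, names, dns_t, conn_t)


# Constructed sample files; neither is shipped with the product.
SAMPLE_DNS_CONF = """\
# DNS mode: domain plus two sub-domains, local site preferred
discovery.Domain: mycompany.com
discovery.subDomains: emea.mycompany.com;apac.mycompany.com
discovery.useOwnSite: True
discovery.dnsTimeout = 5
"""

SAMPLE_DIRECT_CONF = """\
discovery.host: 192.168.20.40
discovery.port = 8443
discovery.Domain: mycompany.com
"""

if __name__ == "__main__":
    print(plan_discovery(parse_conf(SAMPLE_DNS_CONF), site="HQ"))
    print(plan_discovery(parse_conf(SAMPLE_DIRECT_CONF)))
```

The second sample shows the override in action: discovery.Domain is present, but because discovery.host is set the plan contains no SRV names at all, which is the behaviour to expect on a workstation configured as described in this section.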

3.1.3 Enabling Remote Login

You must enable remote login before installing the Advanced Authentication Mac OS X Client. Perform the following steps to enable remote login:

  1. Click the Apple icon in the upper-left corner.

  2. Click System Preferences... > Sharing.

  3. Enable Remote Login.

  4. Log in to the Mac over SSH.

    For example, pjones@192.168.0.112