
FileMaker Server 7 External Auth question


This topic is 6784 days old. Please don't post here. Open a new topic instead.


I have an external Account in FileMaker database that matches a group on our Mac OS X Server xServe. There are three users that are members of this group. The external Account is assigned to a Privilege Set specific to the OS X server group. Works great.

However, by using External Auth, am I losing ability to use the Privilege Set password policy options (Allow user to modify their own password, must be changed every x days, minimum password length x characters)?

When I set same account to be a regular FileMaker account, Privilege Set password policy options then seem to work.

Open Directory password policies on OS X server apply to the server only I imagine and have nothing to do with FileMaker Db.

Any help would be appreciated.

Thanx in advance,

Eric


When you use External Server Authentication your Accounts are in the Directory Server (or the local FMS CPU) and NOT in the FileMaker Pro file. That's the whole concept behind External Server Authentication.

In that instance credential lifecycle management is controlled by the Directory Service (Active Directory or Open Directory), and the options are much more extensive and granular than those found in FileMaker Pro. Expiration, reuse, character mix, password length, allowable hours, designated CPUs, etc. are all controlled by the policies set in the Directory Service.

HTH

Steven


Steven,

Thanx for your reply.

However, I'm confused by your answer. An External Server FileMaker Account is still using a FileMaker Privilege Set. It has to. It is these Privilege Sets that have password options/policies in FileMaker.

Now, I know the Open Directory (OD) Account obviously has its own Password options/policies as per OD, however, it appears this is separate from FileMaker Privilege Sets Password options/policies.

In any event, whether I set Password options/policies in FileMaker Privilege Set OR in OD on OS X server, when logging into FileMaker Db as that user, Change Password wasn't available, wouldn't let me change password for that user, etc.

Again, thanx for any and all help.


The Privilege Set's privilege bits related to passwords apply only to internally authenticated accounts. When an Account (Group) is authenticated by External Server Authentication all the properties of the Account are controlled by the Directory Server (or the local server) security policy.

The Privilege Set in this instance is attached to a Group. Note the change from Account Name to Group Name when the authentication method changes. When the Account in the Directory Service is authenticated, FileMaker Server receives a list of all Groups to which that Account belongs. It then matches that list with the list of groups in the file, and the first match governs the access to the file. That's what the authentication order option is for.

HTH

Steven
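
The first-match rule described in the post above, as an added example that is not part of the original thread and not FileMaker's own code. It is a small Python model: the `Entry` type, the group names and the sample user are constructed, and exact-string comparison of group names is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    """One row of a file's account list (hypothetical model, not a FileMaker API)."""
    name: str           # account name if internal, group name if external
    external: bool      # True: authenticated via External Server
    privilege_set: str

def matching_entries(auth_order: list[Entry], directory_groups: list[str]) -> list[Entry]:
    """All external entries whose group name is in the list returned by the
    directory service, kept in authentication order.
    Assumption: names are compared as exact strings."""
    groups = set(directory_groups)
    return [e for e in auth_order if e.external and e.name in groups]

def governing_entry(auth_order: list[Entry], directory_groups: list[str]) -> Optional[Entry]:
    """First match governs access to the file; None means no group matched."""
    matches = matching_entries(auth_order, directory_groups)
    return matches[0] if matches else None

def password_policy_source(entry: Entry) -> str:
    """Privilege-set password options apply only to internal accounts."""
    return "directory service" if entry.external else "privilege set"

# Constructed sample data: the group names and the user are made up.
AUTH_ORDER = [
    Entry("fm_readonly", True, "Read-Only Access"),
    Entry("fm_editors", True, "Data Entry Only"),
    Entry("Admin", False, "Full Access"),
]
USER_GROUPS = ["staff", "fm_editors", "fm_readonly"]  # groups returned for one user

if __name__ == "__main__":
    chosen = governing_entry(AUTH_ORDER, USER_GROUPS)
    print("governing group:", chosen.name, "->", chosen.privilege_set)
    print("password policy set by:", password_policy_source(chosen))
    shadowed = matching_entries(AUTH_ORDER, USER_GROUPS)[1:]
    print("matched but shadowed by order:", [e.name for e in shadowed])
```

A user who belongs to more than one mapped group gets whichever privilege set is listed first, so the shadowed list is worth reviewing whenever the authentication order or directory group membership changes.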


Yeah, I figured out one of my issues.

Turns out my Open Directory (OD) domain is NOT a shared domain after all (I didn't config the xServe).

All I have to figure out now is the account Userid and Password that has access to the LDAPv3 OD Shared domain on my xServe.

However, I do have another problem. In Mac OS X Server, the user accounts in the local non-shared domain have Password policies that override the overall OD Password policies, so why is it my FM users aren't being prompted to change password at next log-in, like I have it set to do?

Thanx so much for all your assistance though.

Eric


"the user accounts in the local non-shared domain have Password policies that override the overall OD Password policies, so why is it my FM users aren't being prompted to change password at next log-in, like I have it set to do?"

This is a bit odd. I would expect the domain level policies to supersede the local ones. When the server is booted, where does it authenticate?

Steven
