7.5. Configuring Shared Domains

For many users, especially those who use their Macs at home, the default local NetInfo-based domain is all that's needed. However, users in corporate settings will want to take advantage of the ease of administration and flexibility that shared domains allow. When a shared domain is in use, any user can log into any machine that is part of the domain and access her Home folder from a network server. All the settings and data for all the computers on the network can be centralized. Also, because no user data is stored on an individual machine, that machine can be replaced or upgraded with ease. When the user logs into the new machine, all of her data is just where she left it.

To enable a Mac to participate in a shared domain, you need to perform a two-step process. The first step is to set up the shared domain directory server that you want to use. The second is to set up the authentication rules for your system. Both steps can be performed with the Directory Access utility (/Applications/Utilities), shown in Figure 7-7.

Figure 7-7. The Directory Access application used to configure Open Directory

7.5.1. Configuring Open Directory Sources

When you launch Directory Access, the first thing you'll see is the Services configuration, as shown in Figure 7-7. This gives you a list of directory sources that can be used with Open Directory. These are the same sources of information discussed earlier in the chapter. By using Directory Access, you can enable and disable these sources as well as configure them.

7.5.1.1. Using Mac OS X Server's Open Directory Server

To configure a client to use the LDAP-based directory services provided by Open Directory Server, select the LDAPv3 entry and click the Configure button. Even if the padlock icon at the lower-left of the window is unlocked, you may still be challenged for an administrator password. After you authenticate, you'll see the panel shown in Figure 7-8.

Figure 7-8. Configuring the LDAP servers that Open Directory will use

The "Use DHCP-supplied LDAP servers" box is checked by default. This means that if the system obtained an IP address from a DHCP server that is also set to provide information on where to find an LDAP server, it will go ahead and use that server as a directory service. If you are on a network where an LDAP server isn't configured through DHCP, or if you are using a fixed IP address, you'll need to add your server manually. To do this, click the New button and enter the following information:
This procedure works for most network environments that use Mac OS X Server's LDAP services. However, it's a good idea to verify this information with the administrator of the Mac OS X Server to which you are trying to connect.

7.5.1.2. Using other LDAP servers

Since Open Directory Server uses the standard LDAP protocol with no special modifications, the Open Directory client is already LDAP savvy. The only thing that Open Directory needs to know to use any other LDAP server is how data in the directory is stored. This is known as the server's data mappings. The LDAP servers you may use fall into three categories:
Unless your setup falls into the first category, you'll most likely need to get some information from your system administrator to configure the LDAP directory service. If you do need to configure your own mappings, select the Custom option from the LDAP mappings pull-down menu. How you set up these mappings depends on your LDAP server and is beyond the scope of this book.

7.5.1.3. Configuring Active Directory domain servers

Mac OS X Panther brought the ability to use Active Directory, the native directory service used by Microsoft Windows 2000 or Windows 2003 Server. This support relies on the fact that Active Directory uses standard LDAP and Kerberos protocols. In fact, if you wanted to, you could connect to an Active Directory server simply by configuring it as an LDAP server. However, the mappings of data in an Active Directory server don't match up with the mappings needed by Mac OS X. Fortunately, Apple has provided Active Directory-specific functionality in Open Directory that seamlessly maps between the data mappings used by Microsoft Windows and the mappings that Mac OS X expects to see.
To configure Open Directory to use an Active Directory server, select the Active Directory entry in Directory Access and click the Configure button. You'll be presented with the panel shown in Figure 7-9. Fill in the directory forest, domain, and computer ID fields with the values provided by your network administrator and then click the Bind button.

Figure 7-9. Setting up Active Directory in Directory Access

Depending on your setup, you may also want to set the following advanced options:
7.5.1.4. Configuring NetInfo-based domain servers

If your network directory services are based on NetInfo, you can configure Open Directory to use it by selecting the NetInfo service type and clicking the Configure button. You'll be presented with the NetInfo configuration panel shown in Figure 7-10. As with LDAP, Open Directory is configured to automatically discover any NetInfo server set in DHCP. In addition, you can set Open Directory to try to contact a NetInfo server via a network broadcast attempt, or you can configure it to contact a specific NetInfo server. Since directory information in NetInfo is always stored the same way, there's no further configuration to perform.

Figure 7-10. Configuring access to NetInfo-based directory services

7.5.1.5. Configuring NIS domain servers

To configure the use of NIS-based directory services, select the checkbox next to the BSD Flat File and NIS entry in Directory Access (refer back to Figure 7-7). Next, click the Configure button. You'll be presented with a panel where you can enter the NIS domain name of your network and, optionally, a list of NIS servers. You can also configure Open Directory to attempt to locate an NIS server by using network broadcasts. As with NetInfo, since there is only one way to store data in an NIS server, there is no further configuration to be performed.

7.5.2. Configuring Shared Domain Authentication

Once you have set up the various servers that provide shared domain directory services to your machine, you'll be able to access the resources defined by those servers. However, to use those servers for authentication and to let users defined by those servers log into your machine, you need to configure Open Directory's authentication settings. When you click the Authentication tab, you'll see the interface shown in Figure 7-11. By default, you'll see one entry: /NetInfo/root. This indicates that your machine is set up to use only the local domain for authentication.
To add a shared domain directory service to be used for authentication, change the search pull-down menu to "Custom path," as shown in Figure 7-11. You'll then be able to click the Add button to use any of the servers you've configured in the Services panel. In Figure 7-11, I've set up Open Directory to use the LDAPv3 server located at 192.168.79.5 to serve as an authentication directory service. This means any user with an account defined by that server will be able to log onto the machine. If you have configured multiple servers, you can drag them into the order in which you want them to be consulted for authentication purposes.

Figure 7-11. Configuring directory services used for authentication
When you click the Add button, you'll also notice an entry for /BSD/local. This sets up Open Directory to use the classic Unix /etc/passwd and /etc/group files for authentication. It lets you use these files if you wish, but for all the reasons stated at the beginning of the chapter, you most likely don't want to use this option.

7.5.3. Configuring Shared Domain Contacts

Not only does Open Directory handle network services and authentication duties, but it can also provide contact information to the Address Book. To use shared domain servers for contact data, simply change the search pull-down menu to "Custom path" (just as you did for Authentication) and add the servers you would like to use.
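The authentication search path set up in 7.5.2 is worth checking outside the GUI, so that a machine is known to authenticate only against the nodes you intended and that /BSD/local has not been added along the way. The script below is an added example, not from the book: it parses a constructed sample of the search path as `dscl /Search -read / CSPSearchPath` would print it (the dscl command, the output layout and the allow-list are assumptions) and reports /BSD/local or any node missing from the allow-list.

```shell
#!/bin/sh
# Added example, not from the book: audit the Open Directory authentication
# search path that Directory Access writes when you choose "Custom path".
# On a live Mac the input would be the output of `dscl /Search -read / CSPSearchPath`
# (an assumed command; the chapter itself only describes the GUI). Here the
# input is a constructed sample so the check runs anywhere.

SAMPLE_OUTPUT='SearchPolicy: dsAttrTypeStandard:CSPSearchPath
CSPSearchPath: /NetInfo/root /LDAPv3/192.168.79.5 /BSD/local'

# Nodes this machine is allowed to authenticate against: the local domain and
# the LDAPv3 server from the chapter's example. Anything else is reported.
ALLOWED_NODES="/NetInfo/root /LDAPv3/192.168.79.5"

# search_path_nodes: print each node of CSPSearchPath on its own line.
# dscl prints the values space-separated on one line, or one per indented
# line; both forms are handled (node names are assumed to contain no spaces).
search_path_nodes() {
    printf '%s\n' "$1" | awk '
        /^CSPSearchPath:/ {
            inpath = 1
            sub(/^CSPSearchPath:[ ]*/, "")
            for (i = 1; i <= NF; i++) print $i
            next
        }
        inpath && /^ / { print $1; next }
        { inpath = 0 }'
}

# audit_search_path: return 0 when every node is allowed, 1 otherwise (one WARN line per offender).
audit_search_path() {
    status=0
    for node in $(search_path_nodes "$1"); do
        case " $ALLOWED_NODES " in
            *" $node "*) ;;
            *)
                if [ "$node" = "/BSD/local" ]; then
                    echo "WARN: /BSD/local (flat /etc/passwd and /etc/group) is in the authentication path"
                else
                    echo "WARN: unexpected directory node in authentication path: $node"
                fi
                status=1
                ;;
        esac
    done
    return $status
}

audit_search_path "$SAMPLE_OUTPUT" || echo "Authentication search path needs review."
```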