7.5. Configuring Shared Domains

For many users, especially those who use their Macs at home, the default local NetInfo-based domain is all that's needed. However, users in corporate settings will want to take advantage of the ease of administration and flexibility that shared domains allow. When a shared domain is in use, any user can log into any machine that is part of the domain and access her Home folder from a network server. All the settings and data for all the computers on the network can be centralized. Also, because no user data is stored on an individual machine, the machine itself can be replaced or upgraded with ease. When the user logs into the new machine, all of her data is just where she left it.

To enable a Mac to participate in a shared domain, you need to perform a two-step process. The first step is to set up the shared domain directory server that you want to use. The second is to set up the authentication rules for your system. Both steps can be performed with the Directory Access utility (/Applications/Utilities), shown in Figure 7-7.

Figure 7-7. The Directory Access application used to configure Open Directory


7.5.1. Configuring Open Directory Sources

When you launch Directory Access, the first thing you'll see is the Services configuration, as shown in Figure 7-7. This gives you a list of directory sources that can be used with Open Directory. These are the same sources of information discussed earlier in the chapter. By using Directory Access, you can enable and disable these sources as well as configure them.

7.5.1.1. Using Mac OS X Server's Open Directory Server

To configure a client to use the LDAP-based directory services provided by Open Directory Server, select the LDAPv3 entry and click the Configure button. Even if the padlock icon at the lower-left of the window is unlocked, you may still be challenged for an administrator password. After you authenticate, you'll see the panel shown in Figure 7-8.

Figure 7-8. Configuring the LDAP servers that Open Directory will use


The "Use DHCP-supplied LDAP servers" box is checked by default. This means that if the system obtained an IP address from a DHCP server that also hands out the location of an LDAP server (DHCP option 95), it will go ahead and use that server as a directory service, without any further confirmation from you. Whether that is a good idea depends on how much you trust the DHCP servers on the networks you connect to; see the sidebar "Trusting the Network" later in this section. If you are on a network where an LDAP server isn't configured through DHCP, or if you are using a fixed IP address, you'll need to add your server manually. To do this, click the New button and enter the following information:


Configuration Name

This can be any name you want to assign to your LDAP configuration.


Server Name or IP Address

The hostname or IP address of the LDAP server.


LDAP Mappings

The type of LDAP mappings to use. For most purposes, the default "From Server" setting is appropriate. You'll see how to use the other options in this list in the next section.


SSL

Indicate whether or not to use SSL to contact the LDAP server. This encrypts the LDAP connection and lets the client check the server's identity against the certificate the server presents. The protection is only as good as that check, so the server's certificate should be issued by a certificate authority the client trusts; otherwise anyone who can intercept traffic on the network can impersonate the directory server. Without SSL, user records (and, for servers that return them, password hashes) travel in the clear.

This procedure works for most network environments that use Mac OS X Server's LDAP services. However, it's a good idea to verify this information with the administrator of the Mac OS X Server to which you are trying to connect.

7.5.1.2. Using other LDAP servers

Since Open Directory Server uses the standard LDAP protocol with no special modifications, the Open Directory client is already LDAP savvy. The only thing that Open Directory needs to know to use any other LDAP server is how data in the directory is stored. This is known as the server's data mappings. The LDAP servers you may use fall into three categories:

  • The server is already configured to provide seamless integration with Mac OS X.

  • The server is set up to use standard Unix RFC 2307 mappings.

  • The server requires you to configure your mappings on Mac OS X.

Trusting the Network

As this book was being prepared for publication, a story broke in the press about a security vulnerability in Mac OS X. It stated that an attacker could take over a machine by exploiting Open Directory. To perform this attack, an attacker sets up a rogue DHCP server on the network (either shutting down the legitimate DHCP server or simply answering requests before it does) and uses it to hand out the address of an LDAP server he controls. That LDAP server can define whatever user accounts he likes, including accounts with administrative privileges, which lets him log into any machine that boots on the network with DHCP-supplied LDAP servers enabled.

This isn't a new exploit, but rather is symptomatic of the changes in networking. It used to be rare to move your machine between networks. You always knew the DHCP server, or at least knew your admins took care of such things. Therefore picking up LDAP settings from DHCP aided easy system configuration. Now, with mobile computing being such a pervasive part of life, it's much more questionable to make this assumption.

If you have a laptop that you carry between networks, uncheck the "Use DHCP-supplied LDAP servers" box shown in Figure 7-8, and you won't be subject to this kind of attack. Setting the Authentication search policy to "Custom path" (see Section 7.5.2) has a similar effect, since only the directory nodes you explicitly add are consulted for logins. Note that unchecking the box closes the DHCP vector only; a manually configured LDAP server that you contact without SSL can still be impersonated by anyone who can intercept traffic on the network.


Unless your setup falls into the first category, you'll most likely need to get some information from your system administrator to configure the LDAP directory service. If you do need to configure your own mappings, select the Custom option from the LDAP mappings pull-down menu. How you set up these mappings depends on your LDAP server and is beyond the scope of this book.
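The "data mappings" described above are a table that pairs each Open Directory attribute with the LDAP attribute that holds it. The following Python script is an added example, not code from the book or from Apple: it parses a small constructed LDIF export of a server that uses the RFC 2307 schema and applies the mapping that the "RFC 2307" template in Directory Access performs for the Users record type (uid to RecordName, uidNumber to UniqueID, gidNumber to PrimaryGroupID, homeDirectory to NFSHomeDirectory, loginShell to UserShell, cn to RealName). Entries that lack the Unix attributes are reported rather than silently dropped, which is the usual symptom when a directory "works" for mail clients but Mac logins fail. The sample entries, hostnames and DN are constructed for the example.

```python
import base64

# RFC 2307 attribute -> Open Directory standard attribute for the Users record
# type (the record type itself maps to the posixAccount object class). The
# dsAttrTypeStandard names are the ones dscl shows for a user record.
RFC2307_USER_MAPPING = {
    "uid":           "dsAttrTypeStandard:RecordName",
    "cn":            "dsAttrTypeStandard:RealName",
    "uidNumber":     "dsAttrTypeStandard:UniqueID",
    "gidNumber":     "dsAttrTypeStandard:PrimaryGroupID",
    "homeDirectory": "dsAttrTypeStandard:NFSHomeDirectory",
    "loginShell":    "dsAttrTypeStandard:UserShell",
}

# Without these a Mac OS X client cannot create a usable login.
REQUIRED = ("dsAttrTypeStandard:RecordName", "dsAttrTypeStandard:UniqueID",
            "dsAttrTypeStandard:PrimaryGroupID", "dsAttrTypeStandard:NFSHomeDirectory")

# Constructed sample data: one proper posixAccount and one inetOrgPerson that
# was never given Unix attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 20
homeDirectory: /Network/Servers/fs.example.com/Users/alice
loginShell: /bin/bash
description:: QWRkZWQgYnkgTERBUCBhZG1pbg==

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per dn.
    Handles folded lines (leading space) and base64 values ("attr:: ...")."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = {}                     # a dn line starts a new entry
            entries.append(current)
        elif current is None:
            raise ValueError("attribute line before first dn: %r" % line)
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def map_posix_account(entry, mapping=RFC2307_USER_MAPPING):
    """Translate one LDAP entry into an Open Directory Users record.
    Raises ValueError for entries a Mac OS X client could not log in with,
    which is what a mapping mismatch looks like in practice."""
    dn = entry.get("dn", ["<no dn>"])[0]
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        raise ValueError("%s: not a posixAccount" % dn)
    record = {od: list(entry[ldap]) for ldap, od in mapping.items() if ldap in entry}
    for attr in REQUIRED:
        if attr not in record:
            raise ValueError("%s: no LDAP attribute mapped to %s" % (dn, attr))
    for attr in ("dsAttrTypeStandard:UniqueID", "dsAttrTypeStandard:PrimaryGroupID"):
        if not record[attr][0].isdigit():
            raise ValueError("%s: %s must be numeric, got %r" % (dn, attr, record[attr][0]))
    return record


def map_entries(entries):
    """Map every entry; return (records, problems) so one bad entry doesn't hide the rest."""
    records, problems = [], []
    for entry in entries:
        try:
            records.append(map_posix_account(entry))
        except ValueError as err:
            problems.append(str(err))
    return records, problems


if __name__ == "__main__":
    records, problems = map_entries(parse_ldif(SAMPLE_LDIF))
    for rec in records:
        print(rec["dsAttrTypeStandard:RecordName"][0], rec)
    for problem in problems:
        print("skipped:", problem)
```

To use a "Custom" mapping in Directory Access you fill in the same table by hand; running an export of your server through a script like this before binding tells you which entries will fail and why.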

7.5.1.3. Configuring Active Directory domain servers

Mac OS X Panther brought the ability to use Active Directory, the native directory service of Windows 2000 Server and Windows Server 2003. This support relies on the fact that Active Directory uses standard LDAP and Kerberos protocols. In fact, if you wanted to, you could connect to an Active Directory server simply by configuring it as an LDAP server. However, the data mappings in an Active Directory server don't match up with the mappings needed by Mac OS X. Fortunately, Apple has provided Active Directory-specific functionality in Open Directory that seamlessly maps between the data layout used by Microsoft Windows and the layout that Mac OS X expects to see.

What Is Active Directory?

Active Directory is Microsoft's directory that is provided as part of Windows 2000 Server and Windows 2003 Server. It performs the same kinds of duties for a Windows-based network that Apple's Open Directory in Mac OS X Server can provide for Macintosh systems. Since Active Directory is widely deployed in enterprise environments, Apple built in the ability to run from Active Directory into Mac OS X to make it easier for the admins of Windows-based networks to work with Macs. Hopefully it will inspire some of the employees of those companies to switch to the Mac.

At this time, it's a one-way street. Open Directory on Mac OS X can't provide all the functionality for a Windows-based machine that Active Directory can. Being able to run a Mac on an Active Directory-based network, however, is a great step forward for interoperability.

Active Directory comes with a slew of its own terms like forest, which refers to a group of Active Directory trees. It reuses terms like domain for its own purposes. For the most part, your system administrator will provide the information you need to know. You can also get more information from Active Directory, Second Edition, by Robbie Allen, et al. (O'Reilly).


To configure Open Directory to use an Active Directory server, select the Active Directory entry in Directory Access and click the Configure button. You'll be presented with the panel shown in Figure 7-9. Fill in the directory forest, domain, and computer ID fields with the values provided by your network administrator and then click the Bind button.

Figure 7-9. Setting up Active Directory in Directory Access


Depending on your setup, you may also want to set the following advanced options:


Create mobile account at login

Mac OS X will store your Active Directory user account information as an account on your portable. This lets you log into your machine even if the Active Directory domain controller isn't available.


Force local home directory on startup disk

This option will force Mac OS X to keep users' Home directories on the local filesystem, instead of using a network-based Home directory.


Use UNC path from Active Directory to derive network home location

A UNC path is similar to a URL. Windows networks and the SMB protocol make use of UNC paths to specify the locations of network resources. Enabling this option will tell Mac OS X to use the UNC path when accessing users' Home directories.


Default user shell

Active Directory doesn't normally store a Unix login shell for each user, since Windows has no equivalent of the loginShell attribute. Use this value to set which shell should be used as the default Unix shell for Active Directory users on your Mac.


Map UID to attribute, Map user GID to attribute, Map group GID to attribute

By default, Active Directory doesn't use user IDs, but prefers to use longer GUIDs (Globally Unique ID). If your Active Directory server has been configured to store a user ID for each user (typically when Active Directory has already been configured to support Unix computers), you can specify the attribute within Active Directory that is used to store the UID. If you don't select this option, then a user ID is automatically generated for you based on the GUID attribute in Active Directory. Similarly, the user and group GIDs can also be stored in Active Directory and mapped here.


Prefer this domain server

Lets you specify the hostname of the Active Directory server that you want to use by default. If this server is unavailable, Open Directory automatically uses another server that is part of the forest if available.


Allow administration by

Specifies a list of Active Directory groups whose members are considered to have administrative privileges by Open Directory.


Allow authentication from any domain in the forest

Lets users from any domain in the Active Directory system for your network log into your computer.

7.5.1.4. Configuring NetInfo-based domain servers

If your network directory services are based on NetInfo, you can configure Open Directory to use it by selecting the NetInfo service type and clicking the Configure button. You'll be presented with the NetInfo configuration panel shown in Figure 7-10. As with LDAP, Open Directory is configured to automatically discover any NetInfo server set in DHCP, and the same trust concern applies: a NetInfo parent handed out by DHCP is only as trustworthy as the DHCP server that supplied it. In addition, you can set Open Directory to try to contact a NetInfo server via a network broadcast attempt, or you can configure it to contact a specific NetInfo server. Since directory information in NetInfo is always stored the same way, there's no further configuration to perform.

7.5.1.5. Configuring NIS domain servers

To configure the use of NIS-based directory services, select the checkbox next to the BSD Flat File and NIS entry in Directory Access (refer back to Figure 7-7). Next, click the Configure button. You'll be presented with a panel where you can enter the NIS domain name of your network and, optionally, a list of NIS servers. You can also configure Open Directory to attempt to locate an NIS server by using network broadcasts. Locating a server by broadcast has the same trust problem as DHCP-supplied servers: any host on the local network can answer, so on untrusted networks list the servers explicitly instead. As with NetInfo, since there is only one way to store data in an NIS server, there is no further configuration to be performed.

Figure 7-10. Configuring access to NetInfo-based directory services

7.5.2. Configuring Shared Domain Authentication

Once you have set up the various servers that provide shared domain directory services to your machine, you'll be able to access the resources defined by those servers. However, to use those servers for authentication and to let users defined by those servers log into your machine, you need to configure Open Directory's authentication settings. When you click the Authentication tab, you'll see the interface shown in Figure 7-11. By default, you'll see one entry: /NetInfo/root. This indicates that your machine is set up to use only the local domain for authentication.

To add a shared domain directory service to be used for authentication, change the search pull-down menu to "Custom path," as shown in Figure 7-11. You'll then be able to click the Add button to use any of the servers you've configured in the Services panel. In Figure 7-11, I've set up Open Directory to use the LDAPv3 server

Figure 7-11. Configuring directory services used for authentication


located at 192.168.79.5 to serve as an authentication directory service. This means any user with an account defined by that server will be able to log onto the machine. If you have configured multiple servers, you can drag them into the order in which you want them to be consulted for authentication purposes.

/NetInfo/root stays at the top of the list. This ensures that the local domain always takes precedence over information in any shared domain.


When you click the Add button, you'll also notice an entry for /BSD/local. This sets up Open Directory to use the classic Unix /etc/passwd and /etc/group files for authentication. It lets you use these files if you wish, but for all the reasons stated at the beginning of the chapter, you most likely don't want to use this option.
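Two rules from this section decide what a shared domain can do on a Mac: the local domain always comes first in the search path, so a local account shadows a shared one of the same name, and a DHCP-supplied server only appears in the path while "Use DHCP-supplied LDAP servers" is checked (the point of the "Trusting the Network" sidebar). The following Python script is an added example, not the book's or Apple's code, and is a simplified model of that search path rather than the real DirectoryService lookup. It resolves a login name in consultation order and audits the shared domains for records that would hand out privilege on this machine: UniqueID 0, a UID in the system range (below 500 on Mac OS X), primary group 80 (the local admin group), or a name that collides with a local account. The LDAP server at 192.168.79.5 is the one from Figure 7-11; the local accounts, the second server at 10.0.0.1 and all user records are constructed for the example.

```python
from collections import namedtuple

# A directory node on the search path and the user records it serves.
Node = namedtuple("Node", "name records dhcp_supplied")

LOCAL = "/NetInfo/root"     # the local domain; always consulted first
ADMIN_GID = 80              # the local admin group on Mac OS X
SYSTEM_UID_MAX = 499        # UIDs below 500 are reserved for system accounts


def user(name, uid, gid):
    """A minimal user record with the three fields the checks below need."""
    return {"RecordName": name, "UniqueID": uid, "PrimaryGroupID": gid}


# Constructed sample: the local domain, the configured LDAP server, and a
# second LDAP server that arrived via DHCP (address assumed for the example).
NODES = [
    Node(LOCAL, [user("root", 0, 0), user("josh", 501, 20)], dhcp_supplied=False),
    Node("/LDAPv3/192.168.79.5", [user("alice", 1001, 20)], dhcp_supplied=False),
    Node("/LDAPv3/10.0.0.1",
         [user("toor", 0, 0), user("josh", 1002, ADMIN_GID), user("eve", 1003, 20)],
         dhcp_supplied=True),
]


def effective_search_path(nodes, use_dhcp_ldap):
    """Nodes in consultation order: the local domain first, then the shared
    domains in configured order, minus DHCP-supplied ones when the
    "Use DHCP-supplied LDAP servers" box is unchecked."""
    local = [n for n in nodes if n.name == LOCAL]
    shared = [n for n in nodes
              if n.name != LOCAL and (use_dhcp_ldap or not n.dhcp_supplied)]
    return local + shared


def resolve_user(nodes, use_dhcp_ldap, name):
    """First match wins, so a local account shadows a same-named shared one.
    Returns (node name, record) or (None, None)."""
    for node in effective_search_path(nodes, use_dhcp_ldap):
        for rec in node.records:
            if rec["RecordName"] == name:
                return node.name, rec
    return None, None


def audit_shared_domains(nodes, use_dhcp_ldap):
    """Return (node, name, reason) for shared-domain records that would grant
    privilege on this Mac or collide with a local account."""
    path = effective_search_path(nodes, use_dhcp_ldap)
    local_names = {r["RecordName"] for n in path if n.name == LOCAL for r in n.records}
    findings = []
    for node in path:
        if node.name == LOCAL:
            continue
        for rec in node.records:
            name, uid, gid = rec["RecordName"], int(rec["UniqueID"]), int(rec["PrimaryGroupID"])
            if uid == 0:
                findings.append((node.name, name, "UniqueID 0 (root)"))
            elif uid <= SYSTEM_UID_MAX:
                findings.append((node.name, name, "UniqueID in the system range"))
            if gid == ADMIN_GID:
                findings.append((node.name, name, "primary group 80 (admin)"))
            if name in local_names:
                findings.append((node.name, name, "shadowed by a local account of the same name"))
    return findings


if __name__ == "__main__":
    for use_dhcp in (True, False):
        print("DHCP-supplied LDAP servers:", "on" if use_dhcp else "off")
        print("  search path:", [n.name for n in effective_search_path(NODES, use_dhcp)])
        print("  'josh' resolves in:", resolve_user(NODES, use_dhcp, "josh")[0])
        print("  'toor' resolves in:", resolve_user(NODES, use_dhcp, "toor")[0])
        for finding in audit_shared_domains(NODES, use_dhcp):
            print("  finding:", finding)
```

The shadowing rule protects the local root and admin accounts, but nothing in the search path stops a shared domain from defining a differently named account with UniqueID 0; that is why the DHCP checkbox, not the path order, is the control that matters for untrusted networks.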

7.5.3. Configuring Shared Domain Contacts

Not only does Open Directory handle network services and authentication duties, but it can also provide contact information to the Address Book. To use shared domain servers for contact data, simply change the search pull-down menu to "Custom path" (just as you did for Authentication) and add the servers you would like to use.

Configuring shared contacts in Open Directory isn't the only way to take advantage of LDAP servers from the Address Book. You can set any number of LDAP servers in Address Book's preferences to use as sources of contact information.





Running Mac OS X Tiger
Running Mac OS X Tiger: A No-Compromise Power Users Guide to the Mac (Animal Guide)
ISBN: 0596009135
Year: 2004
Pages: 166
