Open Directory Roles


Directory Services are complex. There's no getting around that. Like many of the services of Mac OS X Server, a thorough and complete graphical interface would resemble a jet cockpit, and would be inaccessible to much of Apple's core audience.

Open Directory Server is made up of three underlying services (OpenLDAP, Password Server, and MIT Kerberos). Adding complexity to this is the fact that non-Mac directories typically do not share Apple's goals of simplicity, and integrating Mac OS X Server with them can be quite onerous.

To simplify matters, Apple has introduced the concept of Open Directory roles. An Open Directory role is simply a sort of macro state that defines the configuration of Open Directory Server's underlying services. This well-defined set of configurations brings consistency and predictability to Open Directory Server's complex capabilities.

In general, changes in a server's Open Directory role are activated using the Open Directory module of the Server Admin application. The pop-up menu in the Open Directory's General Settings tab yields four choices (Figure 3.1):

  • When running in Standalone mode, a Mac OS X Server accesses only the local directory; there is no shared directory domain, and the user and group accounts are stored in the server's local NetInfo database. Passwords are stored in the /private/var/db/shadow/hash/ directory. This is what you should choose when setting up a Mac OS X Server for the first time.

  • In addition to its local domain, an Open Directory master hosts an Open Directory shared domain. User and group accounts (along with other directory data) are stored in an LDAP (Lightweight Directory Access Protocol) directory, and authentication takes place using Apple's Password Server. Single Sign-On (SSO) services are provided by an MIT Kerberos KDC (Key Distribution Center).

  • An Open Directory replica brings redundancy to an Open Directory domain by housing an exact copy of the master's LDAP Directory, Password Server, and MIT Kerberos KDC. In most circumstances, this data is read-only.

  • When Mac OS X Server is connected to a Directory System, it accesses directory data from Open Directory Server, an Active Directory domain, or some other directory service (including eDirectory and Sun's NIS).

Figure 3.1. Open Directory roles may be manipulated in the General Settings tab of Open Directory within Server Admin.


This Open Directory configuration infrastructure is the cornerstone of the Apple Directory Services platform. Its consistent service configuration and directory data provide a foundation on which robust and fairly scalable infrastructures may be built.

Shadow Passwords

Prior to Mac OS X Server 10.2, authentication data was stored as a crypt value in the local NetInfo directory. This wasn't secure, because NetInfo is world-readable and the crypt values were easily cracked.

Mac OS X Server 10.2 introduced Password Server, which moved authentication data into a secure, network-available store separate from any directories that remained world-readable. Running such a service proved to be overkill for a standalone system, however, so Mac OS X 10.3 introduced a local shadow hash mechanism, and in 10.4 Apple expanded it to support all of Password Server's authentication capabilities.
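As an added example (not code from the book), a POSIX shell audit that checks the permissions of a shadow hash store, since owner-only access is what separates it from the world-readable NetInfo database described above. The default path is the /private/var/db/shadow/hash/ directory the text names; the argument exists so the check can be run against a constructed directory.

```sh
#!/bin/sh
# Audit a shadow-hash store for entries readable by anyone but the owner.
# Default path is the Tiger location named in the text; the argument exists
# so the check can run against a constructed directory. Exit status:
# 0 = every entry is owner-only, 1 = at least one exposed entry, 2 = no dir.
audit_shadow_hash_perms() {
    dir="${1:-/private/var/db/shadow/hash}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    bad=0
    # Check the directory itself, then each hash file inside it.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # glob matched nothing (empty dir)
        # First 10 columns of ls -ld are the type and mode bits; this is
        # portable across BSD (Mac OS X) and GNU ls, unlike stat(1).
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ????------) ;;               # group and other bits all clear
            *) echo "exposed: $f ($mode)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run the audit only when a path is given on the command line, e.g.
#   sudo sh audit_shadow.sh /private/var/db/shadow/hash
if [ $# -gt 0 ]; then
    audit_shadow_hash_perms "$1"
fi
```

Run it as root on the server, since the hash directory itself is not readable by ordinary users; a non-zero exit with "exposed:" lines means a hash file has drifted from owner-only permissions and should be corrected.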





Mac OS X Server 10.4 Tiger: Visual QuickPro Guide
ISBN: 0321362446
Year: 2006
Pages: 139
Authors: Schoun Regan
