In order to configure Directory Services, use the Directory Access application (/Applications/Utilities), shown in Figure 5-2. You can enable or disable the various directory service plug-ins, or change their configuration.
Figure 5-2. The Directory Access application shows the available plug-ins
Directory Access supports the following plug-ins:
Active Directory
This plug-in lets Mac OS X consult an Active Directory domain on a server running Windows 2000 or Windows 2003.
AppleTalk
This is the ultimate Mac OS legacy protocol. AppleTalk was the original networking protocol supported by Mac OS versions prior to Mac OS X. Linux and the server editions of Windows also support AppleTalk.
Bonjour
Formerly known as Rendezvous, Bonjour is Apple's zero-configuration protocol for discovering file sharing, printers, and other network services. It uses a peer-to-peer approach to announce and discover services automatically as devices join a network.
BSD Flat File and NIS
This includes the Network Information Service (NIS) and the flat files located in the /etc directory, such as hosts, exports, and services. By default, this option is switched off. After you enable it, click Apply, switch to the Authentication tab, choose Custom Path from the search menu, click the Add button, choose /BSD/Local, and click Apply again.
LDAPv3
This is the same version of LDAP used by Microsoft's Active Directory and Novell's NDS. In addition to the client components, Mac OS X includes slapd, a standalone LDAP daemon. Mac OS X's LDAP support comes through OpenLDAP (http://www.openldap.org), an open source LDAPv3 implementation.
NetInfo
This is a legacy Directory Services protocol introduced in NeXTSTEP. If the checkbox is off (the default), NetInfo uses the local domain but does not consult network-based NetInfo domains. If the checkbox is on, NetInfo also looks for and potentially uses any network-based domains that it finds.
NetInfo and LDAP both use the same data store, which is contained in /var/db/netinfo/. The data store is a collection of embedded database files.
SLP
This is the Service Location Protocol, which supports file and print services over IP.
SMB
This is the Server Message Block protocol (a.k.a. Common Internet File System), which is Microsoft's protocol for file and print services.
Under the Services tab, everything except NetInfo and BSD Configuration Files is enabled by default. However, if you go to the Authentication tab (Figure 5-3), you'll see that NetInfo is the sole service in charge of authentication (which is handled by /etc/passwd and /etc/group on other Unix systems).
Figure 5-3. The Directory Access Authentication tab
By default, the Authentication tab is set to Automatic. You can set the Search pop-up menu to any of the following:
Automatic
This is the default, which searches (in order) the local NetInfo directory, a shared NetInfo domain, and a shared LDAPv3 domain.
Local directory
This searches only the local NetInfo directory.
Custom path
This allows you to use BSD flat files (/etc/passwd and /etc/group). After you select Custom path from the pop-up menu, click Add and select /BSD/local.
After you have changed the Search setting, click Apply. The Contact tab is set up identically to the Authentication tab and is used by programs that search Directory Services for contact information (office locations, phone numbers, full names, etc.).
Enabling BSD flat files does not copy or change the information in the local directory (the NetInfo database). If you want to rely only on flat files, you would need to find all the user entries from the local directory (you could use the command nidump passwd . to list them all) and add them to the password flat files (/etc/passwd and /etc/master.passwd) by running the vipw utility with no arguments (do not edit either file directly). When you are done editing the password file, vipw invokes pwd_mkdb to rebuild the databases (/etc/spwd.db and /etc/pwd.db) used for looking up usernames and passwords, and also updates /etc/passwd. Switching over to flat files would allow you to access encrypted passwords through getpwnam() and friends, but would also mean you could no longer use the GUI tools to manage user accounts.
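As an added example (not the book's own code), here is a small shell check for the migration just described: it compares a NetInfo passwd dump (the format nidump passwd . produces) with the flat master.passwd and flags accounts missing on either side, UID mismatches, and empty password fields, which would otherwise become passwordless logins once the flat file is authoritative. The sample dump and flat file are constructed, and the 10-field master.passwd layout of the dump is an assumption.

```shell
#!/bin/sh
# Constructed sample of `nidump passwd .` output (10-field master.passwd
# layout assumed; only name, password and UID fields are used below).
NETINFO_DUMP='alice:********:501:501::0:0:Alice Example:/Users/alice:/bin/bash
bob:********:502:502::0:0:Bob Example:/Users/bob:/bin/bash
carol:********:503:503::0:0:Carol Example:/Users/carol:/bin/zsh
dave:********:504:504::0:0:Dave Example:/Users/dave:/bin/sh'

# Constructed /etc/master.passwd with deliberate defects: bob has an empty
# password field, carol's UID differs, dave is missing and mallory is extra.
MASTER_PASSWD='alice:*:501:501::0:0:Alice Example:/Users/alice:/bin/bash
bob::502:502::0:0:Bob Example:/Users/bob:/bin/bash
carol:*:555:503::0:0:Carol Example:/Users/carol:/bin/zsh
mallory:*:600:600::0:0:Unexpected:/Users/mallory:/bin/sh'

# Print the line of $1 whose first field equals $2 (exact match, no regex).
lookup_user() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print; exit }'
}

# check_flat_file DUMP FLAT: one finding per line, dump order first, then
# accounts that exist only in the flat file.
check_flat_file() {
    dump=$1
    flat=$2
    printf '%s\n' "$dump" | while IFS=: read -r name pw uid rest; do
        if [ -z "$name" ]; then continue; fi
        line=$(lookup_user "$flat" "$name")
        if [ -z "$line" ]; then
            printf 'MISSING %s (uid %s) is not in the flat file\n' "$name" "$uid"
            continue
        fi
        flat_pw=$(printf '%s\n' "$line" | cut -d: -f2)
        flat_uid=$(printf '%s\n' "$line" | cut -d: -f3)
        if [ -z "$flat_pw" ]; then
            printf 'EMPTYPASSWORD %s has an empty password field\n' "$name"
        fi
        if [ "$flat_uid" != "$uid" ]; then
            printf 'UIDMISMATCH %s netinfo=%s flat=%s\n' "$name" "$uid" "$flat_uid"
        fi
    done
    printf '%s\n' "$flat" | while IFS=: read -r name pw uid rest; do
        if [ -n "$name" ] && [ -z "$(lookup_user "$dump" "$name")" ]; then
            printf 'EXTRA %s (uid %s) is only in the flat file\n' "$name" "$uid"
        fi
    done
}

check_flat_file "$NETINFO_DUMP" "$MASTER_PASSWD"
```

On a real system you would feed it the output of nidump passwd . and the contents of /etc/master.passwd (read as root) instead of the constructed samples.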
If you change any settings in the Directory Access application, you may find that some invalid credentials are temporarily cached by Directory Services. To clear out the cache immediately, run the following command as root:
$ lookupd -flushcache