Configuring Network Directory Services


In addition to configuring discovery service protocols, the Directory Access utility is also used to configure directory service options. You select which directory service methods to use and the configuration options for each service. Although Mac OS X includes support for several different networked directory services, this lesson will focus on how to configure the two most common types of directory services: LDAP and Active Directory.

Configuring LDAP in Mac OS X

As mentioned earlier, LDAP is the industry-standard method for communicating directory information over a network. Unfortunately, there is much variation in the organization of that information. The configuration options range from very easy to very difficult.

Automatically Configuring with DHCP

DHCP gives system administrators a standardized way to distribute LDAP information to client computers when they request an IP address. In fact, if your site is using Mac OS X Server to provide DHCP services, the default setting is to distribute LDAP binding information to DHCP clients. For this reason, it is possible to find and use a directory server on a newly installed computer without any additional configuration.

Manually Configuring for Specific Directory Servers

If your site doesn't use DHCP to distribute LDAP information, you'll have to add some information so that the client can find and use the directory information. The information you'll need to get from your administrator includes:

  • The address of the LDAP server

  • The type of server you are connecting to: Open Directory (for Mac OS X Server), RFC 2307 (for many UNIX servers), or Active Directory

    Normally, for Active Directory servers you'll want to use the Active Directory plug-in, as explained later in this lesson.

  • The search base of the LDAP server

    The search base is a string of text that will be different for every site. It should look something like dc=pretendco, dc=com.
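Because a client that accepts LDAP settings from DHCP will use whatever server and search base the DHCP reply names, it is worth comparing the delivered values with the ones your administrator gave you. The following is an added example, not part of the original lesson. It assumes the DHCP-supplied value is an LDAP URL of the form ldap://server/searchbase, and the host names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

def normalize_dn(dn):
    """Simplified comparison form of a search base: trim spaces, lowercase.
    Assumption: no escaped commas or multi-valued RDNs (not a full RFC 4514 parser)."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed search base component: %r" % rdn)
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)

def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, normalized search base)."""
    u = urlsplit(url.strip())
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return u.scheme, u.hostname, port, normalize_dn(unquote(u.path.lstrip("/")))

def check_dhcp_ldap(url, expected_host, expected_base):
    """Return a list of mismatches between DHCP-supplied and expected LDAP settings."""
    try:
        _scheme, host, _port, base = parse_ldap_url(url)
    except ValueError as exc:
        return ["unparseable: %s" % exc]
    findings = []
    if host != expected_host.lower():
        findings.append("server %s is not the expected %s" % (host, expected_host))
    if base != normalize_dn(expected_base):
        findings.append("search base %s does not match %s" % (base, expected_base))
    return findings

if __name__ == "__main__":
    # Constructed sample values; the expected pair is what the administrator provided.
    expected = ("ldap.pretendco.com", "dc=pretendco, dc=com")
    samples = [
        "ldap://ldap.pretendco.com/dc=pretendco,dc=com",  # matches
        "ldap://ldap.example.net/dc=example,dc=net",      # unexpected server and base
        "http://ldap.pretendco.com/",                     # not an LDAP URL
    ]
    for s in samples:
        print(s, "->", check_dhcp_ldap(s, *expected) or "OK")
```

An empty result means the delivered server and search base match the expected ones; any finding is a reason to configure the server manually rather than rely on DHCP.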

Manually Configuring for Custom Directory Server

This is an advanced configuration, which will not be covered in this book. It allows a very flexible but complex configuration that would enable you to work with a customized LDAP server. This configuration is covered by the Apple Certified System Administrator classes.

Finally, after you have configured Mac OS X to use your LDAP server, you need to tell Mac OS X to use this LDAP server for all authentication attempts. You do this by choosing Search > Custom path in the Authentication pane of Directory Access and adding the LDAP server to the Directory Node list.

Note that Directory Access configurations are independent of network locations. Selecting a different network location does not change LDAP settings.

NOTE

If you misconfigure directory services on Mac OS X, your computer can become unresponsive. To fix this, start your computer in single-user mode and reset the directory service settings by deleting the configuration files in /Library/Preferences/DirectoryService.


Configuring Active Directory in Mac OS X

In addition to LDAP, Mac OS X can use Active Directory for authentication information. There are three pieces of information you will need to obtain from your system administrator:

  • Active Directory Forest address

  • Active Directory Domain address

  • Computer ID

Additionally, you can configure advanced options such as mobile account settings, network home directory protocols, and Active Directory attribute mappings.

After you have configured Active Directory, you will again need to configure the authentication search path to include Active Directory.




Apple Training Series Mac OS X Support Essentials
Apple Training Series: Mac OS X Support Essentials v10.6: A Guide to Supporting and Troubleshooting Mac OS X v10.6 Snow Leopard
ISBN: 0321635345
EAN: 2147483647
Year: 2003
Pages: 233
