Managing Directory Information


Directory services allow easy access to and management of information by organizing data in records. Each record describes one kind of entity in the database, such as a user, a group, or a mount. The information stored in each record is plain text, organized as attributes and their values.

Mac OS X uses sets of predefined standard records called record types, which serve as blueprints for standard entries in the directory data store (often referred to as the directory database). Some standard entries in the database are:

  • User records, with attributes such as RecordName, RealName, UniqueID, GeneratedUID, and AuthenticationAuthority

  • Group records, with attributes such as RecordName, RealName, PrimaryGroupID, GeneratedUID, and GroupMembers

  • Mount records, with attributes such as RecordName, VFSLinkDir, VFSType, and VFSOpts

Each record type contains a set of predefined attributes that define the information kept for a specific kind of entry, such as a user. Each attribute describes one characteristic of the record and holds one or more values (the actual data).

As you will see throughout this section, there are many different types of records, and an attribute can often have more than one value.

User Records

Every user account on the computer must contain enough information to uniquely identify and authenticate the user. Providing additional attributes, such as the long name and short name, user ID, password type, primary group ID, login shell, and home folder location, makes for a richer user experience than a plain login.

When creating user accounts using Mac OS X and Mac OS X Server GUI tools such as the Accounts preferences pane and Workgroup Manager, certain attributes are necessary (and automatically generated unless otherwise noted). For a basic level of user experience, the following attributes should have values:

Attribute           Example Value                           Definition
RecordName          susan                                   The user's primary short name, used to identify the record in the database
RealName            Susan Admin                             The user's long name
UniqueID            501                                     The user ID used by standard UNIX file permissions
GeneratedUID        C56D2D5C-7EB4-11D8-84F1-0030654CB2AC    128-bit user ID; should be unique across multiple systems; used by access control list (ACL) permissions and group membership
Password            xwi/q8lhgFrYU                           Crypt password hash (see "Crypt Passwords" below)
NFSHomeDirectory    /Users/susan                            Local file-system path to the user's home folder
UserShell           /bin/bash                               Path to the user's default command-line shell


More Info

The previous table lists key user-record attributes. Additional attributes will be discussed in Lesson 3, "Accessing Mac OS X Server Directory Services."


Note

Standard UNIX file permissions are for user, group, and other. The permissions options are read, write, and execute. Bear in mind that users added with the GUI tools do not require a password, although the attribute will still be created. Also, the Accounts preferences pane automatically creates a home folder for every user on Mac OS X, whereas using Workgroup Manager to create local Mac OS X accounts does not.


Understanding Local Authentication

Because the operating system must always be able to authenticate a user, even when the computer is not connected to a network, user passwords are stored locally on the computer as hashes, in either crypt or shadow hash form.

Crypt Passwords

A crypt password is stored as a hash directly in the user account record. Because user records are readable by anyone using the computer (and, in the case of a shared directory, potentially by anyone on the network), crypt passwords are not very secure. Once another user has the hash, they can run a readily available cracking tool, such as John the Ripper, to recover the user's password; traditional crypt also uses only the first 8 characters of the password, which keeps the search space small.

New accounts created in Mac OS X v10.3 or later no longer use crypt passwords. However, because older versions of Mac OS X expect to find passwords in crypt format, Mac OS X still accepts authentication with crypt passwords. The requestor (for example, the Login Window application) is responsible for authenticating accounts that have crypt passwords by performing a crypt comparison. The first time the user logs in with the old crypt password, Login Window changes the password type from crypt to shadow and creates a GeneratedUID for the account if none exists.

When looking at a user record with a tool such as dscl, a crypt password is denoted by the value "basic" in the AuthenticationAuthority attribute, and the hash itself is found in the Password attribute. If the AuthenticationAuthority attribute has no value, basic (crypt) is assumed.

Shadow Passwords

A shadow password is stored as several hashes in a file outside the user record. Because the password is not stored in the user account record, other users cannot read it, which makes it more secure than a crypt password. Each user's shadow hash file is named after the user's GeneratedUID (or RecordName) and is stored in /var/db/shadow/hash; these files are readable only by root. Earlier versions of Mac OS X also stored a LAN Manager (LM) hash of the password in this file; Mac OS X v10.4 does not store it by default, a significant security gain, since the LM hash is the weakest of the stored hashes.

Note

Shadow passwords are used only for local or mobile accounts.


The AuthenticationAuthority for a shadow password is ;ShadowHash; and you will see eight asterisks in the Password attribute, indicating that there is no password stored in this record. The DirectoryService process is the authoritative authentication agent for Mac OS X (except in the case of crypt passwords or Kerberos authentication, which will be discussed in Lesson 2, "Accessing Local Directory Services"). This means that DirectoryService is responsible for authenticating user accounts that use shadow passwords.

While crypt uses only the first 8 characters of a password, shadow passwords have no such limit. Furthermore, the NT hash and, where enabled, the LAN Manager hash are also stored in the shadow password file, providing compatibility with SMB clients. LAN Manager uses only the first 14 characters of the password; NT authentication uses the first 128 characters. These limits apply only to Server Message Block (SMB) authentication. The SHA1 method, which you will learn more about later in this section, hashes the entire password.

Group Records

Advanced configurations and customizations might require additional information. Configuring workgroup management or setting up group folders requires access to other entities in the database. The group record type provides all the attributes needed to support group functionality on Mac OS X client computers.

Like user records, group records contain attributes and values. The following table lists group attributes.

Attribute           Example Value                           Definition
RecordName          admin                                   Name associated with the group
RealName            Administrators                          The group's full name
PrimaryGroupID      80                                      Unique identifier for the group, used by standard BSD file permissions
GeneratedUID        C56D2D5C-7EB4-11D8-84F1-0030654CB2AC    128-bit group ID; should be unique across multiple systems; used by ACL permissions and group membership
GroupMembership     root susan                              A list of short names of user records that are members of the group
GroupMembers        B12D5D56-7EB2-99D8-54C1-34929CB20A96    A list of GeneratedUIDs of user records that are members of the group
                    4DAA0134-7699-11D8-84F1-87ABBC1378988
NestedGroups        F7D7D614-5C33-4183-B8A3-7F476F781DC8    A list of GeneratedUIDs of group records that are members of the group
                    F8328B5C-1234-6BCE-A7B2-7F3423BDCA11


A default installation of Mac OS X creates several system groups. One of the more important is the admin group (RealName "Administrators"): all members of this group have administrative capabilities on the computer.

memberd and Nested Groups

Mac OS X v10.4 also uses a new schema that permits the nesting of groups (legacy UNIX groups, however, retain their older style). Group membership is now resolved by the memberd process. Because membership is recorded as GeneratedUIDs in the GroupMembers and NestedGroups attributes rather than as short names, editing a group record by hand is not sufficient; use dseditgroup for that task.
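The following added example (not from the book, and not memberd's or dseditgroup's code) ties together the AuthenticationAuthority rules from "Understanding Local Authentication" and the nested-group resolution described here, over constructed records laid out the way `dscl . -read` prints them. It classifies each user's password storage (;ShadowHash; means shadow; basic or no value means crypt), resolves the admin group's membership by following GroupMembers and NestedGroups through GeneratedUIDs with a visited set so a nesting cycle terminates, and reports where the short-name list in GroupMembership has drifted from the GUID list in GroupMembers. All GUIDs except susan's are made up, and the layout assumption that values containing spaces appear on indented lines is mine.

```python
"""Added example, not from the book: audit local directory records in the text
layout printed by `dscl . -read`, classify password storage from
AuthenticationAuthority, and resolve nested group membership through
GeneratedUIDs (memberd's job) with cycle protection."""
from typing import Dict, List, Tuple

Record = Dict[str, List[str]]

# Constructed records, not captured output.  Layout assumption: values without
# spaces sit on the "Key:" line, values containing spaces follow on indented
# lines.  Every GUID except susan's is made up.
SAMPLE_USERS = """\
RecordName: root
UniqueID: 0
GeneratedUID: 00000000-0000-0000-0000-000000000001
AuthenticationAuthority: ;ShadowHash;
Password: ********

RecordName: susan
RealName:
 Susan Admin
UniqueID: 501
GeneratedUID: C56D2D5C-7EB4-11D8-84F1-0030654CB2AC
AuthenticationAuthority: ;ShadowHash;
Password: ********

RecordName: legacy
UniqueID: 502
GeneratedUID: 11111111-2222-3333-4444-555555555555
AuthenticationAuthority: basic
Password: xwi/q8lhgFrYU

RecordName: olduser
UniqueID: 503
Password: xwi/q8lhgFrYU
"""

SAMPLE_GROUPS = """\
RecordName: admin
RealName: Administrators
PrimaryGroupID: 80
GeneratedUID: AAAAAAAA-0000-0000-0000-000000000080
GroupMembership: root susan legacy
GroupMembers: 00000000-0000-0000-0000-000000000001 C56D2D5C-7EB4-11D8-84F1-0030654CB2AC
NestedGroups: BBBBBBBB-0000-0000-0000-000000000501

RecordName: ops
PrimaryGroupID: 501
GeneratedUID: BBBBBBBB-0000-0000-0000-000000000501
GroupMembers: 11111111-2222-3333-4444-555555555555
NestedGroups: AAAAAAAA-0000-0000-0000-000000000080
"""

MULTI_VALUED = {"RecordName", "GroupMembership", "GroupMembers", "NestedGroups"}


def parse_records(text: str) -> List[Record]:
    """Blank-line separated records -> list of {attribute: [values]}."""
    records: List[Record] = []
    cur: Record = {}
    key = ""
    for line in text.splitlines():
        if not line.strip():                    # blank line closes a record
            if cur:
                records.append(cur)
            cur, key = {}, ""
        elif line.startswith(" ") and key:      # indented line: one value per line
            cur.setdefault(key, []).append(line.strip())
        else:
            key, _, rest = line.partition(":")
            rest = rest.strip()
            cur[key] = (rest.split() if key in MULTI_VALUED else [rest]) if rest else []
    if cur:
        records.append(cur)
    return records


def find_record(records: List[Record], name: str) -> Record:
    return next(r for r in records if (r.get("RecordName") or [None])[0] == name)


def password_type(user: Record) -> str:
    """';ShadowHash;' -> shadow; 'basic' or no AuthenticationAuthority -> crypt."""
    aa = user.get("AuthenticationAuthority", [])
    if any(v.startswith(";ShadowHash;") for v in aa):
        return "shadow"
    if not aa or any(v in ("basic", ";basic;") for v in aa):
        return "crypt"
    return "other"


def crypt_accounts(users: List[Record]) -> List[str]:
    """Accounts whose hash is readable in the record itself (the audit finding)."""
    return sorted(u["RecordName"][0] for u in users if password_type(u) == "crypt")


def resolve_members(group_name: str, groups: List[Record], users: List[Record]) -> List[str]:
    """Short names of every user in the group, following NestedGroups by GUID.
    The visited set stops the walk when groups nest each other in a cycle."""
    by_guid = {g["GeneratedUID"][0]: g for g in groups}
    user_name = {u["GeneratedUID"][0]: u["RecordName"][0] for u in users if u.get("GeneratedUID")}
    todo = [find_record(groups, group_name)["GeneratedUID"][0]]
    seen, members = set(), set()
    while todo:
        guid = todo.pop()
        if guid in seen or guid not in by_guid:  # cycle, or dangling nested GUID
            continue
        seen.add(guid)
        members.update(user_name.get(m, "?" + m) for m in by_guid[guid].get("GroupMembers", []))
        todo.extend(by_guid[guid].get("NestedGroups", []))
    return sorted(members)


def membership_drift(group: Record, users: List[Record]) -> Tuple[List[str], List[str]]:
    """(names only in GroupMembership, names only in GroupMembers): what a hand
    edit of one attribute leaves behind, and why dseditgroup is the right tool."""
    guid_of = {u["RecordName"][0]: (u.get("GeneratedUID") or [None])[0] for u in users}
    name_of = {g: n for n, g in guid_of.items() if g}
    names = set(group.get("GroupMembership", []))
    guids = set(group.get("GroupMembers", []))
    only_names = sorted(n for n in names if guid_of.get(n) not in guids)
    only_guids = sorted(name_of.get(g, "?" + g) for g in guids if name_of.get(g) not in names)
    return only_names, only_guids


if __name__ == "__main__":
    users, groups = parse_records(SAMPLE_USERS), parse_records(SAMPLE_GROUPS)
    print("crypt accounts:", crypt_accounts(users))
    print("admin members:", resolve_members("admin", groups, users))
    print("admin drift:", membership_drift(find_record(groups, "admin"), users))
```

Note that olduser has no GeneratedUID at all, so it can never appear in a GUID-based membership list until a first login (or dseditgroup) creates one, and that legacy is listed in admin's GroupMembership by name but not in GroupMembers by GUID; the drift report shows exactly that inconsistency.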




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
