Managing an Open Directory Master


An Open Directory (OD) master houses shared identification, authentication, and authorization data for Mac, Linux, and, in some cases, Windows clients. It is the basis of a shared Open Directory domain.

Open Directory Server provides a fairly scalable and, in most cases, reliable infrastructure for small to medium-sized Mac-centric workgroups. Since it is based on open standards and in many cases open source software, it is also an acceptable (although not always ideal) platform for other directory-based applications, such as LDAP-enabled Web portals and document management systems.

To make use of Open Directory Server, however, you first need to create the Open Directory master to house it.

Creating an Open Directory master

As with most administrative tasks, you can create an OD master graphically by using the Server Admin application. This time, you'll work with the Open Directory module.

First, ensure that your server is up to date and that forward and reverse DNS entries are properly configured. If the Mac OS X Server is also a DNS server, refer to Chapter 6, "Network Services Options."

To create an Open Directory master

1. Launch Server Admin, located in /Applications/Server, and select Open Directory from the services list.

   See Chapter 2, "Server Tools," for instructions on launching the various tools used throughout this book.

2. Click the General tab and choose Open Directory Master from the Role pop-up menu (see Figure 3.1).

3. In the dialog that appears, specify a name, short name, and password for the new administrator of the shared domain you are creating (Figure 3.2).

   Defaults (Directory Administrator and dadmin) are suggested for you. You can override these defaults to make the administrator's name harder to guess.

   Figure 3.2. The default values when creating an Open Directory master.

4. Either accept or enter different Kerberos and LDAP information for your Open Directory domain.

   If your DNS configuration is correct, defaults are supplied for you. Feel free to override them, especially if your DNS environment results in an abnormally long or awkward search base or Kerberos realm.

5. Click Create to close the dialog.

6. Click Save in the Server Admin window.

Tip

  • View the slapconfig.log file located in the /Library/Logs directory if you encounter any errors.
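Because the search base and Kerberos realm that step 4 proposes are derived from the server's DNS name, a pre-flight check like the following (an added example, not from the book) confirms that forward and reverse DNS agree before you promote the server, and prints the values Server Admin would typically propose. The derivation of the defaults (one dc= per FQDN label, realm in upper case) is an assumption here; compare the output with what the dialog actually shows.

```shell
#!/bin/sh
# Pre-flight check before promoting a server to an Open Directory master.
# Server Admin derives the LDAP search base and Kerberos realm from the
# server's DNS name, so forward and reverse records must agree first.
# The lookup helpers wrap dig and are kept separate so they can be stubbed.

forward_lookup() { dig +short "$1" A | head -n 1; }         # name -> IP
reverse_lookup() { dig +short -x "$1" | sed 's/\.$//'; }   # IP -> name

# Returns 0 if the name has an A record and the PTR record points back to it.
check_dns_consistency() {
    name="$1"
    ip=$(forward_lookup "$name")
    [ -n "$ip" ] || { echo "no A record for $name"; return 1; }
    back=$(reverse_lookup "$ip")
    [ "$back" = "$name" ] || { echo "PTR for $ip is '$back', expected $name"; return 1; }
    echo "$name <-> $ip OK"
}

# Assumed default search base: dc=host,dc=example,dc=com (one dc= per label).
search_base_for() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Assumed default Kerberos realm: the FQDN in upper case.
realm_for() { printf '%s\n' "$1" | tr 'a-z' 'A-Z'; }

# usage: sh odcheck.sh server.example.com
if [ -n "$1" ]; then
    check_dns_consistency "$1" && {
        echo "search base: $(search_base_for "$1")"
        echo "realm:       $(realm_for "$1")"
    }
fi
```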


What Else Happens When You Create an Open Directory Master?

After you create an Open Directory master, you can open your Directory Access application and select the Authentication tab (Figure 3.3).

Figure 3.3. The Authentication tab of Directory Access on Mac OS X Server after becoming an Open Directory master.


You'll see an entry for LDAPv3/127.0.0.1, which indicates that the Mac OS X Server is now bound to itself. That is, the process that creates the LDAP directory and the Kerberos Key Distribution Center (KDC), discussed later in this chapter, also creates the entry and places it in the Directory Services structure.

The Directory Administrator you create is also added to the admin group in the Server's local NetInfo domain, and a root user (with the same password as the Directory Administrator) is created in the shared domain.

The directory structure now looks like this:

NetInfo (Local) Domain

  • Members of the admin group are:

      • Local root w/same password as...

      • Your local administrator account

      • Your LDAP administrator account

LDAP Domain

  • LDAP root w/same password as...

  • Your LDAP administrator account

This duplication of root, with both accounts having user ID 0, is a bit confusing. Access to folders and files is granted based on UID, but access to databases is based on the generated unique ID. So, the user root may have two distinct passwords: one local, and one LDAP.


Working with a shared Open Directory domain

To manage user, group, and computer accounts in your shared Open Directory domain, use the Workgroup Manager application to connect to your Open Directory master.

Depending on which domain you want to administer, you use either the local NetInfo administrator's name or the LDAP administrator's name. It's a good idea to authenticate with the local administrator's name (Figure 3.4), so that you can access the local database, and then unlock the LDAP database using the LDAP administrator's username and password.

Figure 3.4. Authenticating to Workgroup Manager using an administrator name and password.


Because the LDAP administrator's name is added to the local NetInfo admin group, you could add it to the keychain of the user who will be using Workgroup Manager on a consistent basis, if you want. However, for security reasons, you may not want to do this (Figure 3.5).

Figure 3.5. Unlocking access to the shared (LDAP) domain.


Once both administrators are added, you can choose different directories to administer by viewing the Directory pop-up menu in the upper-left corner of Workgroup Manager (Figure 3.6). Actual account management is covered in more depth in Chapter 4, "User and Group Management."

Figure 3.6. Showing the bound domains using Workgroup Manager.


Tips

  • In Mac OS X Server 10.4, clicking Workgroup Manager in the upper-left corner of Server Admin results in a Workgroup Manager authentication dialog that specifically targets Server Admin's currently selected server. This is one workaround for Workgroup Manager's annoying habit of trying to log in to the local workstation you're working from.

  • You should display the All records tab and Inspector, covered in Chapter 2, as you go through this chapter.


Mac OS X Server 10.4 Tiger: Visual QuickPro Guide
ISBN: 0321362446
Year: 2006
Pages: 139
Authors: Schoun Regan