NetInfo — The local Open Directory domain

Each Mac OS X computer, including Mac OS X Server, has a local Open Directory domain. This domain stores all information about local users as well as information about the machine itself. The local domain for Mac OS X is a NetInfo domain. NetInfo is a proprietary directory service originally developed by NeXT Computer Inc. that initially served as Mac OS X's native directory service. As Mac OS X Server evolved, Apple replaced NetInfo with a service based on the Lightweight Directory Access Protocol (LDAP) that is often referred to simply as Open Directory. There is little administration that needs to be done with the local NetInfo domain on Mac OS X computers. However, it is important to understand that the local domain is always the first place in which a Mac OS X computer will look for user information. It is also important to know that the local domain is visible in Mac OS X Server's Workgroup Manager; this is the tool used for managing user, group and computer accounts. User and group accounts stored in a server's local domain can access resources on the server, including share points, print queues and Internet services. Local accounts are not part of a shared domain, however, so they can't be used to log in at Mac OS X computers.

Search paths for shared domains

Mac OS X computers can be bound to multiple directory domains (both Open Directory and domains of other platforms such as Active Directory). This requires that a search path be established that defines the order in which available domains will be searched for account information. This is different from a Windows environment, in which a list of available domains is part of the login dialog. As mentioned above, the local NetInfo domain will always be first in the search path on Mac OS X. However, you can place any other domains in any order that you choose.
Search paths can be useful in a number of ways. They allow you to have separate containers for different groups of users and/or computers. They also allow you to build support for multiple directory service platforms so that you can mix and match the advantages of each system. For example, you could rely on user accounts stored in Active Directory but manage computers using accounts stored in Open Directory, which lets you take advantage of Apple's client management architecture. Search paths are powerful tools, but it is important to recognize that if you have users with the same name in two domains in a search path, only the account in the first domain of the search path will actually be found.

Directory binding

Mac OS X computers can be bound to Open Directory domains in two ways. The first, and simplest, is Dynamic Host Configuration Protocol (DHCP). Mac OS X Server can include information about a domain along with the other information it returns in response to a computer's DHCP request. By default, Mac OS X will accept and use Open Directory configurations received by DHCP. This is helpful because it saves the time and effort of manually configuring each computer in a network. For static binding, you configure access to directory domains using the Directory Access utility, which is located in the Utilities folder inside Mac OS X's Applications folder. Directory Access includes plug-in modules that can be configured for each of Open Directory's features. For example, the LDAPv3 plug-in manages Open Directory domain configuration and binding. Search paths are set using the Authentication tab in Directory Access. You can choose an automatic search, which includes DHCP-supplied domains and the local domain; local-only, in which only the local domain is used; or custom, which allows you to manually configure and order the search path of available domains.
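As an added example (not code from the article), here is a small model of the search-path behaviour described above: the local domain is consulted first, later domains in the administrator's order, and a same-named account in a later domain is never found. The domain node names and user records are constructed sample data, and shadowed_accounts() is an audit helper of my own for catching such name collisions before a login resolves to an account other than the one intended.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One directory domain in the search path: a node name and its users."""
    name: str
    users: dict = field(default_factory=dict)   # short name -> record


def lookup_user(search_path, short_name):
    """Return (domain name, record) from the FIRST domain that knows the
    short name, or None if no domain in the search path has it. This is
    the first-match rule the article describes: later copies are ignored."""
    for domain in search_path:
        if short_name in domain.users:
            return domain.name, domain.users[short_name]
    return None


def shadowed_accounts(search_path):
    """Audit helper: every short name defined in more than one domain, with
    the domain whose copy wins and the domains whose copies are never consulted."""
    seen = {}
    for domain in search_path:
        for name in domain.users:
            seen.setdefault(name, []).append(domain.name)
    return {name: {"wins": found[0], "shadowed": found[1:]}
            for name, found in seen.items() if len(found) > 1}


# Constructed sample search path: the local NetInfo domain first (always),
# then an Open Directory master and an Active Directory domain, as a mixed
# environment from the article might be configured. Names and UIDs are made up.
LOCAL = Domain("local (NetInfo)", {"admin": {"uid": 501}})
OD = Domain("/LDAPv3/od.example.com", {"jsmith": {"uid": 1025}, "admin": {"uid": 1001}})
AD = Domain("/Active Directory/EXAMPLE", {"jsmith": {"uid": 2048}})
SEARCH_PATH = [LOCAL, OD, AD]

if __name__ == "__main__":
    # jsmith resolves to the Open Directory copy; the AD copy is never seen.
    print(lookup_user(SEARCH_PATH, "jsmith"))
    for name, info in shadowed_accounts(SEARCH_PATH).items():
        print(f"{name}: resolved in {info['wins']}, shadowed in {info['shadowed']}")
```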
You can also use the Contacts tab to set up LDAP search paths of domains for Mac OS X's Address Book application.

Managing shared domains

Mac OS X Server supports four Open Directory roles: stand-alone, Open Directory Master, Open Directory Replica and Connected to a Directory System. A stand-alone server relies entirely on its local NetInfo domain and is typically not used as a file or print server. An Open Directory Master is a server that hosts a shared domain. An Open Directory Replica is a server that hosts a read-only copy of the domain. Replicas allow for load balancing and support remote locations where a slow network link makes direct access to the Open Directory Master impractical. Replicas also allow for failover in the event of a failure of the master. "Connected to a directory system" refers to a server that is bound to a shared domain but that is not itself providing directory services. Users can access servers connected to a directory system using accounts stored in the shared domain. Typically, file, print and e-mail servers will use this role. In smaller environments, however, a server might offer these services in addition to being an Open Directory master or replica. Open Directory domains rely on the Domain Name System (DNS) to function. For this reason, ensuring that you have a fully working DNS infrastructure is critical to setting up Open Directory in a network. Frequently, Open Directory failures can be traced back to problems with DNS. One of the pitfalls of simply walking through Mac OS X Server's "Server Assistant" tool, which runs automatically after a basic installation, is that the Assistant offers you the choice of setting up a new Open Directory domain. This can cause problems if the server you are setting up will serve as both an Open Directory Master and a DNS server.
As complex as Open Directory is, both as a whole and in the structure of individual domains, Apple has made the setup process extremely simple, provided you have DNS and other network services set up properly in advance. You can easily change an existing server into an Open Directory Master by simply selecting that role from a pop-up menu in Mac OS X Server's "Server Admin" utility. Then you enter basic information about the domain, including an account that will have administrative authority over the domain, the LDAP search base for the domain and the Kerberos realm that the domain will use.
You can elect to set additional features at this time (or later) as well, including default domain password policies, whether computers must communicate with the domain over secure connections, and whether computers accessing the domain must be bound to it. All of these options can easily increase security. Setting up replica servers and binding other servers to the domain are equally simple. There are, of course, more advanced tools for some administrative tasks, many of them command-line tools that are beyond the scope of this article. However, for most environments, the graphical tools in Server Admin are all you need to get an Open Directory infrastructure up and running.

Kerberos and the Open Directory password server

Open Directory provides multiple mechanisms for securing passwords. The original mechanism used by Mac OS X Server was to store passwords as an attribute of the user account object. This feature is referred to as "basic passwords" and is still supported for backward compatibility with older versions of Mac OS X and Mac OS X Server, though it must be chosen as a specific option for each user account. Basic passwords are stored and transmitted in encrypted form. However, because they are stored in Open Directory domains, basic passwords are susceptible to offline attacks using either Workgroup Manager or command-line Open Directory tools. Open Directory also offers the default Open Directory password type. This technique stores user passwords outside of the domain itself, in two places. The first is a Kerberos realm. The second is the Open Directory Password Server database. Both offer enhanced security because the password is only set and verified and is never actually read by Open Directory.
When these password types are used, only hashed information identifying the location of a user's password in either the Kerberos realm or the Open Directory Password Server is physically stored in the user record. By default, when a server is set up as an Open Directory Master, it is also set up as a Kerberos Key Distribution Center (KDC). This makes Mac OS X Server one of the easiest platforms to set up as a KDC because the process is almost wholly automated. It is also possible to use an alternate KDC, including an Active Directory domain controller, which is helpful in a multiplatform environment. In addition to securing password storage, Kerberos offers significant password security for user connections because it relies on tickets to authorize access to any "Kerberized" services within a network. Therefore, a user's password is transmitted only when he first logs in. Kerberos also provides a seamless single sign-on environment in which users will not be repeatedly asked to authenticate as they connect to servers and browse for Kerberized services. Under Mac OS X Server, these Kerberized services include the Mac OS X login window, e-mail, the Apple Filing Protocol and Server Message Block protocols for Mac and Windows file/printer sharing, virtual private networks, file transfer protocol services, Apache and Secure Shell access. Because Mac OS X Server uses a standard Kerberos implementation, you can offer additional Kerberized services within your network using servers and clients of other platforms, including Unix. Telnet and rlogin are two examples of Unix services that can now be used with Kerberos. The Open Directory Password Server is beneficial for those situations when Kerberos isn't an option. This can be useful for applications and services that don't support Kerberos as well as for times when there is a Kerberos failure.
The Open Directory Password Server supports a wide range of standard encryption types for interaction with a variety of platforms and services. Although it doesn't offer the security and single sign-on advantages of Kerberos, the Open Directory Password Server provides solid security that is much better than basic passwords. By default, when a user's password type is set to Open Directory, Open Directory will attempt to authenticate the user using Kerberos first and only use the Password Server in those instances where Kerberos isn't available.

Managed client environment

Open Directory offers a rich managed client environment that can be used to secure and define the user environment for all users and computers. Virtually every aspect of the Mac OS X user experience can be preset for new users or can be permanently defined so that it can't be modified.
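As an added example (not code from the article, and not Apple's implementation), the verification order described above for the two password types, modelled in Python: Kerberos first, the Password Server only when the KDC cannot be reached (a KDC rejection is final), and the legacy basic type checked against a hash kept in the user record itself. PasswordStore, BackendUnavailable and authenticate() are stand-ins I made up; the salted PBKDF2 hashing only makes the stand-ins concrete and is not how either Apple service stores credentials.

```python
import hashlib
import hmac
import secrets

class BackendUnavailable(Exception):
    """The KDC or Password Server could not be contacted at all."""

def salted_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class PasswordStore:
    """Stand-in for a password back end (Kerberos KDC or Password Server)."""
    def __init__(self, reachable=True):
        self.reachable, self._entries = reachable, {}

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self._entries[name] = (salt, salted_hash(password, salt))

    def verify(self, name, password):
        if not self.reachable:
            raise BackendUnavailable(name)
        salt, digest = self._entries.get(name, (b"", b""))   # unknown user -> False
        return hmac.compare_digest(digest, salted_hash(password, salt))

def authenticate(record, password, kdc, password_server):
    """Return the back end that accepted the password, or None if rejected."""
    if record["password_type"] == "basic":
        # Legacy type: the hash sits in the user record itself, which is why
        # the article calls basic passwords open to offline attack.
        salt, digest = record["basic_hash"]
        return "basic" if hmac.compare_digest(digest, salted_hash(password, salt)) else None
    try:
        return "kerberos" if kdc.verify(record["name"], password) else None
    except BackendUnavailable:
        # Only an unreachable KDC falls through; a KDC rejection is final.
        ok = password_server.verify(record["name"], password)
        return "password_server" if ok else None

def demo(kdc_reachable=True):
    """Constructed scenario: one Open Directory-type user whose password is
    registered in both back ends, as the article describes for that type."""
    kdc, pws = PasswordStore(kdc_reachable), PasswordStore()
    kdc.set_password("jsmith", "correct horse")
    pws.set_password("jsmith", "correct horse")
    jsmith = {"name": "jsmith", "password_type": "open_directory"}
    return (authenticate(jsmith, "correct horse", kdc, pws),
            authenticate(jsmith, "wrong", kdc, pws))
```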
When using Mac OS X Server 10.4 (Tiger) with computers running the same Mac OS X release, it is also possible to create preference manifests. These are XML files that can be used to define the preference settings of virtually any Mac OS X application. Managed preferences under Mac OS X can be set for individual users, groups or lists of computers.

Integrating with other directory service platforms

Active Directory integration is often the easiest, and there are several simple methods of integration for both Mac OS X computers and Mac OS X Server. Beyond Active Directory, Open Directory can be integrated with almost any platform that is LDAP-based or supports LDAP queries. In fact, true integration between Open Directory and Active Directory is often done using LDAP.