Hands on: Setting up Mac OS X Open Directory

By Ryan Faas
May 22, 2007 12:00 PM ET

Computerworld - Open Directory, Mac OS X's native directory service, allows users both to manage local accounts and to create shared directory domains hosted by Mac OS X Server. With shared directory domains, administrators can create network accounts that can be used to log into computers and to access server-based resources throughout an organization's network.

Open Directory leverages several powerful technologies, including OpenLDAP and Kerberos, to provide a secure and scalable environment. It provides single sign-on to services within a network, supplies powerful home directory options and sports an extremely comprehensive client management architecture. (For more details about the technologies that constitute Open Directory, see my earlier article: "Understanding Mac OS X Open Directory -- An Introduction to Directory Services in the Mac Environment.")

Despite the complex technologies that make up Open Directory, Apple has made an incredible effort to make the platform easy to set up and manage. While this article isn't a comprehensive manual for designing an Open Directory infrastructure, it is a guide to the basic configuration process.

Creating an Open Directory Master

An Open Directory Master is an organization's primary Open Directory server. It hosts the shared LDAP domain that stores network account information, along with a Kerberos realm and an Open Directory Password Server for securely authenticating users. Any Mac OS X Server installation can serve as an Open Directory Master, though you will want to use a machine with enough capacity to handle directory service requests. Ideally, for optimum performance and security, an Open Directory Master should not be used to provide other network services. You will also need to ensure that your DNS infrastructure is configured properly and supports both forward and reverse lookups.

To create an Open Directory domain and to configure domainwide settings, you will use Mac OS X Server's Server Admin utility. Launch Server Admin, connect to the appropriate server and select "Open Directory" in the "Computers and Services" list (see Figure 1).

Then click the "Settings" button at the lower right of the window to display the "Settings" pane. Choose "Open Directory Master" from the "Roles" drop-down menu. You will be asked to specify a domain administrator account -- this is the first account in the domain that will be given full administrative access to manage the domain and to create additional user accounts. This is a separate account from the server administrator account, which is a local, non-shared account for managing other aspects of the server.

You will also be asked to specify a search base for the domain and a Kerberos realm name.

Figure 1 – Selecting the Open Directory Settings in Server Admin

The search base defines how clients will locate information in Open Directory's LDAP database. The Kerberos realm stores information that will be used to securely authenticate users. Provided your DNS infrastructure is configured properly, both these fields will be prepopulated based on the server's domain name. In most situations, you can accept these values. If your network has a pre-existing Kerberos infrastructure or you plan to customize your server's OpenLDAP configuration, you would need to enter the appropriate information rather than accepting the defaults.
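Two of the prerequisites above are easy to verify before choosing the "Open Directory Master" role: that DNS resolves the server's name forward and in reverse to the same name, and what search base and Kerberos realm Server Admin will prepopulate from that name. The following is an added example, not code from the article or from Apple. The form of the derived defaults it computes (one `dc=` component per label of the fully qualified host name, and the host name in upper case as the realm) is the conventional default and is an assumption of this example; the host names and addresses in the sample zone are constructed so the check runs offline, and the resolver functions are swapped for the system resolver when you run it against a real server.

```python
"""Pre-flight checks for an Open Directory Master (added example, not from the article)."""
import socket
from typing import Callable, Dict, Tuple


def derive_defaults(fqdn: str) -> Dict[str, str]:
    """Derive the LDAP search base and Kerberos realm from a fully qualified host name.

    Assumption: the defaults follow the conventional form
    dc=host,dc=example,dc=com and HOST.EXAMPLE.COM.
    """
    labels = [lbl for lbl in fqdn.strip().rstrip(".").lower().split(".") if lbl]
    if len(labels) < 2:
        raise ValueError("expected a fully qualified host name, got %r" % fqdn)
    for label in labels:
        # RFC 1035-style label: letters, digits and hyphens, not starting/ending with a hyphen
        if (not label.replace("-", "").isalnum()
                or label.startswith("-") or label.endswith("-")):
            raise ValueError("invalid DNS label %r" % label)
    return {
        "search_base": ",".join("dc=%s" % lbl for lbl in labels),
        "kerberos_realm": ".".join(labels).upper(),
    }


def check_dns(fqdn: str,
              forward: Callable[[str], str] = socket.gethostbyname,
              reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0]
              ) -> Tuple[bool, str]:
    """Confirm forward (name -> address) and reverse (address -> name) lookups agree.

    Kerberos and LDAP clients rely on the reverse record matching the forward one,
    so a mismatch here is treated as a failed prerequisite. Returns (ok, detail).
    """
    name = fqdn.strip().rstrip(".").lower()
    try:
        ip = forward(name)
    except (OSError, LookupError) as exc:  # socket errors subclass OSError; dict misses raise KeyError
        return False, "forward lookup of %s failed: %s" % (name, exc)
    try:
        ptr = reverse(ip)
    except (OSError, LookupError) as exc:
        return False, "reverse lookup of %s failed: %s" % (ip, exc)
    if ptr.strip().rstrip(".").lower() != name:
        return False, "reverse lookup of %s returned %s, expected %s" % (ip, ptr, name)
    return True, "%s <-> %s" % (name, ip)


# Constructed sample zone (not real records) so the check can be exercised offline.
# odm.example.com is consistent; broken.example.com has a PTR pointing at another name.
SAMPLE_FORWARD = {"odm.example.com": "192.0.2.10", "broken.example.com": "192.0.2.11"}
SAMPLE_REVERSE = {"192.0.2.10": "odm.example.com", "192.0.2.11": "other.example.com"}


def sample_forward(name: str) -> str:
    return SAMPLE_FORWARD[name]


def sample_reverse(ip: str) -> str:
    return SAMPLE_REVERSE[ip]


if __name__ == "__main__":
    for host in ("odm.example.com", "broken.example.com", "missing.example.com"):
        ok, detail = check_dns(host, sample_forward, sample_reverse)
        print("%-20s %s  %s" % (host, "OK " if ok else "FAIL", detail))
    print(derive_defaults("odm.example.com"))
    # To check a real server instead of the sample zone:
    # print(check_dns(socket.getfqdn()))
```

Run it before changing the server's role: a FAIL line for the host you are about to promote means the DNS prerequisite is not met, and the printed search base and realm are what you should expect to see prepopulated in Server Admin (if you have an existing Kerberos realm or a custom OpenLDAP layout, those are the values you will be overriding).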