What's new in Leopard Server

Apple focuses on ease of setup and administration

Page 5 of 6

If the system could be integrated with other business applications such as payroll or time and attendance systems, Directory could serve as a complete tool for maintaining employee information. This integration might be achievable via LDAP queries, as the Directory information appears to reside mostly in Open Directory.

With the variety of commercial and homegrown tools for employee management, however, it would be impossible for Apple alone to develop this type of integration. Third parties may be able to do so independently or working with Apple.

The downside is that there is no comparable Windows setup, which will limit Directory's ultimate application for many larger organizations that are dealing with a variety of client systems and software.

New managed preferences


Apple has updated its managed preferences architecture to include new built-in preferences and expand several existing options. New preferences include Parental Controls, which mirror the Parental Controls found in Leopard client, and Time Machine, which allows an administrator to define a share point to be used for backing up workstations with Leopard's Time Machine. Options in Time Machine can also be set to define which volumes get backed up, whether system files are backed up and how much total storage space backups may use.

Managed preferences that have received major updates include Applications, Login and Mobility. With the new Applications setup, administrators can restrict not only which applications may be launched but also the launching of applications in specific folders. Additionally, administrators can define which Dashboard widgets may be run and whether access to Front Row, Apple's media center, is allowed.


For its part, Login can now automatically set the computer name displayed in the log-in window to that of a Mac's computer record. This is helpful for NetBoot and NetInstall clients, which might otherwise all display the same name, and for ensuring naming consistency across a network.

Also new in Login is an option for external accounts whose home directory resides on an external hard drive that users can carry with them, and the option for a Guest account. A new Access tab allows administrators to restrict which users and groups can log into a computer or all computers in a computer group. The ability to limit access was previously available for computer lists rather than for individual computers.

Also on the Access tab are choices for how multiple managed group settings are applied.

Out of this group of managed preferences, Mobility -- the preference that allows mobile accounts for computers that leave a network -- has gotten the most updates. Administrators can now choose more advanced options for how a user's local home folder on the mobile computer syncs with the user's network home folder. Home folders on mobile computers now support FileVault encryption, a tool for securing business data on mobile computers.

Administrators can also now define the location of the home folders on mobile computers or allow users to decide where their home folders will be stored -- including external drives, allowing the aforementioned external accounts. Finally, mobile accounts can now be set for automatic deletion after a period of inactivity -- again, a nice security touch.

The updated mobility preferences.

Enhanced directory services


Open Directory, the native directory service in Mac OS X, has gotten several major updates in Leopard Server as well as some significant under-the-hood changes for Leopard clients. The first of these server updates is two-tiered replication. This replaces the hub-and-spoke system of replication used in previous releases -- that's where a single Open Directory master issued updates to one or more replicas.

Note: The major under-the-hood change in Leopard is that Apple has retired the use of the outdated NetInfo technology as a mechanism for storing local user accounts and related information, and has replaced the NetInfo database with a series of property list (.plist) files. We'll have more coverage of this in upcoming stories.

Two-tiered or cascading replication now allows for a single Open Directory master server to have up to 32 replicas that can each have up to 32 replicas of their own. This allows for richer replication topologies and increases performance of the Open Directory master, and as a result, the entire infrastructure in networks with large numbers of replicas. It also means that existing networks with more than 32 replicas will need to be redesigned.

Another important point is that all Open Directory servers within a network will need to be upgraded at the same time because replication between Leopard Server and Tiger Server is not supported.
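The replication limits described above can be checked mechanically before an upgrade. The following Python example is added here for illustration and is not Apple's tooling or part of the original article; the server names, the dictionary format and the function names are assumptions, and the 40-replica sample site is constructed.

```python
from collections import defaultdict

MAX_REPLICAS = 32  # per-server replica limit given in the article

def audit_topology(servers):
    """servers: {name: {"parent": name or None, "os": "leopard" or "tiger"}}.
    Returns sorted findings; an empty list means the layout fits the limits."""
    findings, children = [], defaultdict(list)
    masters = [n for n, s in servers.items() if s["parent"] is None]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {len(masters)}")
    for name, s in servers.items():
        parent = s["parent"]
        if parent is None:
            continue
        if parent not in servers:
            findings.append(f"{name}: unknown parent {parent}")
            continue
        children[parent].append(name)
        # Two tiers only: the parent is the master or a direct replica of it.
        grandparent = servers[parent]["parent"]
        if grandparent is not None and servers.get(grandparent, {}).get("parent") is not None:
            findings.append(f"{name}: more than two tiers below the master")
        # Leopard and Tiger servers cannot replicate with each other.
        if s["os"] != servers[parent]["os"]:
            findings.append(f"{name}: {s['os']} replica of {servers[parent]['os']} server {parent}")
    for parent, kids in children.items():
        if len(kids) > MAX_REPLICAS:
            findings.append(f"{parent}: {len(kids)} replicas exceeds {MAX_REPLICAS}")
    return sorted(findings)

def plan_two_tier(master, replicas):
    """Map each replica of a flat hub-and-spoke layout to a parent in a two-tier layout."""
    n = len(replicas)
    if n > MAX_REPLICAS * (MAX_REPLICAS + 1):
        raise ValueError("more replicas than one master can carry in two tiers")
    # Each first-tier replica accounts for itself plus up to 32 second-tier replicas.
    first_tier = n if n <= MAX_REPLICAS else -(-n // (MAX_REPLICAS + 1))
    plan = {r: master for r in replicas[:first_tier]}
    for i, leaf in enumerate(replicas[first_tier:]):
        plan[leaf] = replicas[i % first_tier]
    return plan

def as_servers(master, plan, os="leopard"):
    """Build the audit_topology input from a replica-to-parent plan."""
    servers = {master: {"parent": None, "os": os}}
    servers.update({r: {"parent": p, "os": os} for r, p in plan.items()})
    return servers

# Constructed sample: a hub-and-spoke site with 40 replicas under one master.
REPLICAS = [f"od-replica-{i:02d}" for i in range(1, 41)]
FLAT = as_servers("od-master", {r: "od-master" for r in REPLICAS})
```

Auditing `FLAT` reports the master as over the limit, while the layout returned by `plan_two_tier` passes with two first-tier replicas carrying the other 38.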

Open Directory now supports cross-domain authorization. This allows an Open Directory master to be bound to another LDAP-based directory server, including Active Directory. The Open Directory master can then authorize access to services for users whose accounts reside in the directory system to which it is connected via Kerberos.

This feature allows for enhanced integration with other directory systems within a network, and allows Mac OS X Server to function as a middleman for directory services. This should permit simpler support for Mac OS X in a dual-platform network with Windows Server and Active Directory.

In fact, Active Directory support has been improved on both the client and server side of Leopard. Active Directory authentication now fully supports digital signing and all Windows 2003 Server security options. The process by which Mac OS X discovers Active Directory domain controllers has also been updated so that it behaves more like a Windows client when working with Active Directory site topologies.


The new Directory Utility provides the major client access features for directory services, replacing Directory Access in previous Mac OS X versions. (This is not to be confused with the Directory application mentioned earlier.) It also provides for better automatic configuration when binding computers to either Open Directory or Active Directory.

Directory Utility makes establishing more secure binding with Mac OS X Server simpler as well. When servers are configured in standard or workgroup mode, Directory Utility can automatically discover them and configure access for both Mac OS X and the appropriate applications -- such as Mail and iCal -- that are being provided by the server.

Directory Utility replaces the old Directory Access.

New network services


Answering a long-standing request, Apple has bundled RADIUS support into Leopard Server. The RADIUS server integrates with Open Directory and allows administrators to configure access to wireless networks based on Open Directory usernames and passwords.
